IPv6 ULA with NPT, when WAN is Dynamic

Started by FlangeMonkey, April 26, 2024, 02:08:55 AM

Hi Guys,

  • I have DHCPv6 configured on the WAN interface and its using PD with a /56.
  • I also have Static IPv6 configured on my LAN interfaces using ULA configured as /64.
  • I'd like to use NPT for 1:1 between the equivalent WAN /56 mapped to the LAN /56.
I have this working with NPT (/56 and /64) mapping configs, however I need to enter the "External IPv6 Prefix (target)" to make this work.  I recall reading to leave "External IPv6 Prefix (target)" empty for it to work dynamically, however that does not work, even with /56, which is address to address.

Any thoughts on what I'm missing?

So you want to use the entire /56 PD for NPT? No GUAs in the LANs at all?

Set the internal IPv6 prefix (source) to your ULA /56, leave the external IPv6 prefix (target) empty and set the track interface to an interface which tracks the WAN interface. Since you don't seem to be using tracking at all, you'll have to create a dummy interface for this purpose. Make sure the IPv6 Prefix ID used there isn't in use for any of your "real" LAN interfaces.

This is a rather new workaround and I haven't personally tested it yet, but I think that's how it's supposed to work. There's currently no "direct" way to use a delegated prefix for NPT.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Out of curiosity: May I ask why one would want to map GUAs to ULAs via NPt?
NPt seems to be the little brother of NAT, which is the bane of IPv4. I see no good reason to bring this flaw to IPv6 that was explicitly designed to overcome this flaw...

I use ULA internally and use NPTv6 to map to GUA.

Main reason for me is to keep a consistent IPv6 address scheme internally, even if the IPv6 prefix changes on the WAN.

I'd just like to add, NPTv6 works *brilliantly* on OPNSense. :)

I should also add, NPTv6 is stateless, so not NAT.
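To illustrate what "stateless, so not NAT" means in practice: the rewrite below is an added example (my own Python, not OPNsense or pf code) of the RFC 6296 NPTv6 translation of a ULA /56 into a GUA /56, including the checksum-neutral adjustment that lets the translator keep no per-flow state. All addresses and prefixes are constructed from the ULA and 2001:db8::/32 documentation ranges.

```python
import ipaddress

def ones_add(a: int, b: int) -> int:
    """Add two 16-bit words with end-around carry (one's complement arithmetic)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ones_sum(words) -> int:
    """One's complement sum of 16-bit words; 0xFFFF (negative zero) folds to 0."""
    s = 0
    for w in words:
        s = ones_add(s, w)
    return 0 if s == 0xFFFF else s

def to_words(addr) -> list:
    """Eight 16-bit words of an IPv6 address (string or int), most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def npt_translate(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Rewrite addr from src_prefix into dst_prefix as an NPTv6 translator does (RFC 6296)."""
    src, dst = ipaddress.IPv6Network(src_prefix), ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen or ipaddress.IPv6Address(addr) not in src:
        raise ValueError("prefix lengths must match and addr must lie inside src_prefix")
    # Step 1: swap the prefix bits; subnet ID and interface ID are copied unchanged.
    host_mask = (1 << (128 - src.prefixlen)) - 1
    old_w = to_words(addr)
    new_w = to_words(int(dst.network_address) | (int(ipaddress.IPv6Address(addr)) & host_mask))
    # Step 2: adjustment = old sum - new sum, so TCP/UDP/ICMPv6 checksums stay valid.
    adj = ones_add(ones_sum(old_w), ~ones_sum(new_w) & 0xFFFF)
    # Step 3: for /48 or shorter adjust the subnet word (bits 48-63); for longer prefixes
    # such as the /56 in this thread, adjust the first interface-ID word that is not 0xFFFF.
    if src.prefixlen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if new_w[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no adjustable IID word; a translator drops such a packet")
    new_w[idx] = ones_add(new_w[idx], adj)
    if new_w[idx] == 0xFFFF:  # negative zero is written as 0x0000
        new_w[idx] = 0x0000
    return str(ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(new_w))))

def checksum_neutral(a: str, b: str) -> bool:
    """True when both addresses contribute identically to a pseudo-header checksum."""
    return ones_sum(to_words(a)) == ones_sum(to_words(b))

if __name__ == "__main__":  # constructed sample: ULA /56 inside, documentation GUA /56 outside
    print(npt_translate("fd00:1234:5678:42::10", "fd00:1234:5678::/56", "2001:db8:abcd:ef00::/56"))
```

Because the mapping is a pure function of the address and the two prefixes, translating the result back with the prefixes swapped returns the original address, which is why no state table is needed.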

Are your clients using IPv6 ULA only? No IPv4?

If they have IPv4 addresses and Internet access, how do you force them to use ULA instead?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

No, dual stack.

But obviously, being ULA, the preference is IPv4 WAN, IPv6 local connectivity, IPv6 WAN.

I'm quite happy with that, as we have dual leased lines and only one of them has IPv6, so the IPv4 goes out the main leased line, and the IPv6 goes out the *backup* leased line.

They are both 2GB symmetrical, so it doesn't really matter.

Plus, we use wireguard for remote users, so they have IPv6 ULA, and IPv4 privates, so NPTv6 seemed so easy to implement.

Quote from: Maurice on April 26, 2024, 02:36:43 AM
So you want to use the entire /56 PD for NPT? No GUAs in the LANs at all?

Set the internal IPv6 prefix (source) to your ULA /56, leave the external IPv6 prefix (target) empty and set the track interface to an interface which tracks the WAN interface. Since you don't seem to be using tracking at all, you'll have to create a dummy interface for this purpose. Make sure the IPv6 Prefix ID used there isn't in use for any of your "real" LAN interfaces.

This is a rather new workaround and I haven't personally tested it yet, but I think that's how it's supposed to work. There's currently no "direct" way to use a delegated prefix for NPT.
Like others, I want to keep it consistent with the prefix changes on the WAN. I'll give your suggestion a look, but @ProximusAl, how are you mapping addresses on the WAN side?