WAN IPv6 -> LAN IPv4 via NAT?

Started by trezyckz, May 28, 2024, 08:42:12 AM

Hey everyone,

I wanted to ask if anyone has experience configuring NAT from IPv6 on the WAN to IPv4 on the LAN?

I've already successfully set up IPv6 on the WAN and feel like I've configured the NAT rules correctly as well. However, all IPv6 traffic trying to access the servers behind the NAT is being blocked by a "default deny rule".
I noticed there's no TCP for IPv6 (TCPv6) as a protocol option. So I'm worried that NAT translation from IPv6 to IPv4 might not even be possible?

Any insights from those who have dealt with this specific setup before would be really appreciated. Maybe there's a way I'm missing?

I know I could just statically configure IPv6 on the LAN, but I'd prefer to do it via NAT like I'm used to with IPv4 in order to retain the rule creation scheme.

Thanks in advance for any help!

UDP and TCP are the same for IPv4 and IPv6. Only ICMP needs special treatment in rules.

But I doubt your setup is supported, you should try a reverse proxy, probably.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Got a public IPv6 and no static IPv6 on LAN, so I would like to NAT like you asked.
Did you get it working? I'm having the same question.


Quote: I know I could just statically configure IPv6 on the LAN, but I'd prefer to do it via NAT like I'm used to with IPv4 in order to retain the rule creation scheme.

Why? That makes no sense.


NAT is a wonky workaround, because your device has no public IPv4 and needs to be translated to your local IPv4.
With IPv6 that problem is gone.


Yes for OPNsense, creating a NAT rule also automatically creates a WAN firewall rule.
So with IPv6 you just create the Firewall rule and don't need to do anything with NAT.


I guess you get a fixed prefix from your ISP? How big is it? /64? /56?

Imagine you get this prefix:
2402:9400:1000:4::/64

Your old way was to NAT traffic to your fixed IPv4 of your server, let's assume 192.168.1.10.
I am a lazy person. I just use the number ten of that and put it in my IPv6.

So on that machine, I give it the static IPv6 of 2402:9400:1000:4::10.
Since IPv6 checks for collisions, no need to set up DHCPv6 or a static IPv6 in OPNsense unless you want to.


Create a WAN rule to allow traffic to 2402:9400:1000:4::10, done.
No NAT shenanigans needed.


Bonus point: no Hairpin NAT needed for certs or DNS.


Just realize that because you don't have a public IPv4 and you set up an IPv6 host, only remote clients that support IPv6 can reach your destination.
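Added example, not part of the thread and not OPNsense code: a Python sketch that carries an existing list of IPv4 port forwards over to the scheme from the last post (static IPv6 = prefix plus the last IPv4 octet) and prints one pf-style allow rule per forward. The prefix and 192.168.1.10 come from the post; the second host, the ports, the interface name `igb0` and the function names are assumptions.

```python
import ipaddress

# Constructed sample data: prefix and 192.168.1.10 are from the post,
# the second host and all ports are assumptions for illustration.
PREFIX = ipaddress.IPv6Network("2402:9400:1000:4::/64")
PORT_FORWARDS = [
    {"target": "192.168.1.10", "proto": "tcp", "port": 443},
    {"target": "192.168.1.25", "proto": "udp", "port": 51820},
]


def v6_for(ipv4, prefix=PREFIX):
    """Static IPv6 for a host: prefix + last IPv4 octet reused as hex digits."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a single /64 LAN prefix")
    octet = ipaddress.IPv4Address(ipv4).packed[-1]
    if octet == 0:
        raise ValueError("octet 0 would map to the prefix's network address")
    # 192.168.1.10 -> ::10. The decimal digits are read as hex, so the
    # interface ID has the value 0x10 (16), which is what "::10" means.
    return prefix[int(str(octet), 16)]


def wan_rules(forwards, prefix=PREFIX, wan_if="igb0"):
    """One inbound allow rule per old port forward, no NAT involved."""
    rules, owner = [], {}
    for fwd in forwards:
        addr = v6_for(fwd["target"], prefix)
        # Two LAN hosts sharing a last octet (192.168.1.10 and 192.168.2.10)
        # would get the same IPv6 address under this scheme.
        if owner.setdefault(addr, fwd["target"]) != fwd["target"]:
            raise ValueError(f"{addr} already assigned to {owner[addr]}")
        rules.append(
            f"pass in quick on {wan_if} inet6 proto {fwd['proto']} "
            f"from any to {addr} port {fwd['port']}"
        )
    return rules


if __name__ == "__main__":
    for rule in wan_rules(PORT_FORWARDS):
        print(rule)
```

Each rule keeps the destination address and port explicit, so exposure stays limited to the services that were previously forwarded rather than the whole host or prefix.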