Possible to use IPv6 for WAN, but IPv4 only for LAN ?

Started by Twisty2312, July 27, 2024, 04:27:01 AM

Hey there,

My ISP now supports IPv6. I can set the interface to "Track" IPv6 so each device has a unique IPv6 address from the ISP. I don't want that:

1) Now websites and ISP can track a specific device instead of a building/internet connection
2) My brain gets too fuzzy trying to make firewall rules on LAN for IPv6 and remembering which IP belongs to which device, etc.
3) I don't have time to set all my Pi's to use IPv6, and rearrange all my setup

Is there a way for OPNsense to get an IPv6 address from WAN, but use NAT with IPv4 on LAN/WireGuard VLAN?

If I disabled Track interface, some devices seem to not be able to use internet at all (looking at you, Android), while all our PCs can still access the internet. Not sure what is going on.

Note that I use OpnSense in a home environment for tinkering and fun.

I thank you for your time.

1. Your conclusions about traceability are incorrect: when you use SLAAC and IPv6 privacy extensions (RFC 4941), the EUI-64 part of the address is randomized, so individual devices cannot be tracked. Also, there are other/better ways to track devices.

2. There is no way to easily "NAT" IPv4 to IPv6, but you could use a transparent proxy which is internally accessed via IPv4 and uses IPv6 for outgoing connections.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
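
An added example, not part of either post: a short Python audit for the tracking concern raised in this thread. It flags global IPv6 addresses whose interface identifier is derived from the MAC (modified EUI-64, RFC 4291) and therefore stays the same on every network, as opposed to randomized temporary addresses (RFC 4941). The MAC, the prefix, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    o = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(o) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    return int.from_bytes(bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:], "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from a /64 prefix when it does NOT randomize its IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses /64 prefixes")
    return str(net.network_address + eui64_iid(mac))

def embedded_mac(addr: str):
    """Return the MAC recoverable from the low 64 bits, or None if not EUI-64 shaped.

    A random IID matches the ff:fe pattern by chance about once in 65536,
    so treat a hit as a strong hint, not proof.
    """
    raw = (int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each non-link-local address to the MAC it exposes (None = nothing stable)."""
    report = {}
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local:   # never leaves the LAN, so not visible to websites
            continue
        report[str(ip)] = embedded_mac(a)
    return report

# Constructed sample: documentation prefix 2001:db8::/32 and a made-up MAC.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",                            # link-local, skipped
    slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"),  # stable EUI-64 address
    "2001:db8:1:2:5c1e:9a07:3bd2:84f1",                    # randomized temporary address
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:40} {'exposes MAC ' + mac if mac else 'no MAC-derived identifier'}")
```

Run it against the addresses your LAN clients actually hold (for example from the firewall's NDP table) to see which devices still need privacy extensions enabled.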