Can you "port forward" ipv6 when clients have IPs from SLAAC?

Started by flac_rules, June 03, 2024, 09:06:13 PM

I don't know that much about IPv6, but I have a setup where I get a /48 network, and I have made a /64 network "internally", and the clients get their IPs "themselves" with SLAAC (if I understand correctly). I can make a firewall rule to let through a port to the IP. But can I make OPNsense change the port? That is, send something from port 2000 on WAN to port 1000 on the LAN, for instance? With IPv4 I would just use port forward.

Bonus question: is there a way to see the IPv6 addresses of my clients on the LAN?

Read a little bit on IPv6 before you go on. These are very basic questions. With IPv6, you neither want to nor can do port forwarding, much less port translation. And you can "see" your devices either by assigning them IPv6 addresses based on their MAC or DUID via DHCPv6 or even easier, they get an IPv6 based on their EUI-64, which itself contains the MAC.

However, with dynamic IPv6 prefixes, things get a little more problematic, because then you would have to make them addressable by name via dynamic DNS. I wrote something about this here.
 
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
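Added worked example (not from this thread or from OPNsense): how a SLAAC host forms its address from the /64 prefix and its MAC via modified EUI-64, and how an admin can recover the MAC from such an address when inventorying the LAN. The prefix and MACs are constructed sample values; hosts using RFC 4941 temporary addresses carry no MAC in the interface identifier, so the reverse lookup returns None for them.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Insert ff:fe between the OUI and the NIC part, then flip the
    # universal/local bit (bit 1 of the first octet).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host self-configures from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Recover the MAC if the IID is modified EUI-64, else None.

    None means the address is not MAC-derived: RFC 4941 temporary
    addresses, DHCPv6 leases and static addresses all land here.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    # Constructed sample: documentation prefix and a made-up MAC.
    addr = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")
    print(addr, "->", mac_from_address(str(addr)))
    # A privacy-extension style address yields no MAC.
    print(mac_from_address("2001:db8:1:2:8d3a:9b1c:7e2f:a41"))
```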

Thanks, but why should I not do port translation? In the info you linked to, it says:

"c. You can translate ports, even with IPv6."

"c. can be a security plus, because IPv4 port scanners will find it harder to identify services on non-standard ports."

Wouldn't this apply here?

No. The second point refers to IPv4.

While you can do port translation with IPv6, it is useless, because the IPv6 address room is so vast that port-scanning is not feasible anyway. As I said, read more about IPv6 - it differs a lot from IPv4.

Let me add this... I know enough about ipv6 to know that I couldn't offer any help here. I need to study this topic because I obviously need to know more.