Topic: Correct config with IPv4 and v6 (Read 681 times)
mrt12 (Newbie, Posts: 8, Karma: 0)
Correct config with IPv4 and v6 « on: June 06, 2024, 03:59:23 pm »
Good day
So I have my OPNsense firewall up and running. It works perfectly.
I have from my ISP an IPv6 /56 prefix delegation, which works perfectly.
Behind the OPNsense in my LAN, my PCs get an IPv4 and IPv6 address assigned by OPNsense, and the IPv6 uses the correct prefix and can successfully access the internet. So all works!
Now I have a couple of questions about how to configure the firewall correctly.
1. I have set up a WireGuard VPN using the built-in OPNsense WireGuard function.
IT WORKS JUST PERFECT. However, of course, to access the VPN from the outside world, I must allow access to the firewall IP + port. Please see my attached image with the interfaces. Of course, my WAN interface gets a public IPv4 from the ISP. Further, the WAN interface has a link-local IPv6. And then, the LAN, DMZ and so on interfaces get a public IPv6 via the prefix delegation.
I now want my WireGuard to be accessible worldwide by both IPv4 and IPv6. So what destination address do I need to configure in the firewall rules under "destination"?
I tested two configurations, both of which work, and I wonder which one is the "good" one:
a) Allow destination = WAN interface IPv4 or LAN interface IPv6, port 51820 --> works (the WAN interface has no public IPv6 assigned, I am not sure why??!)
b) Allow destination = "this firewall", port 51820 --> works too
2. I operate a little web server in the DMZ net that I also want to access from the internet. Of course the web server has its own IPv6 address. And also its internal private IPv4. I have set up a NAT rule for the IPv4 net, and that works nicely. How shall I set up the IPv6 rules for the web server? E.g., shall I just allow traffic to the IPv6 of the web server, or shall I rather use NPTv6? Which is the correct way?
yourfriendarmando (Full Member, Posts: 103, Karma: 8)
Re: Correct config with IPv4 and v6 « Reply #1 on: June 06, 2024, 06:01:35 pm »
In your WAN interface config, you might need to uncheck a box that says, Only Request ipv6 route. It's in the same place as the prefix request. The address you "should" be handed starts with 2001:xxx.... That would then be a world-accessible IPv6 to your FW.
For me it's not worth enabling the v6 listening side because it is a dynamic IP allocation, and my domain registrar does not yet support dynamic DNS for AAAA records, the IPv6 version of a host A record.
meyergru (Hero Member, Posts: 1689, Karma: 165, IT Aficionado)
Re: Correct config with IPv4 and v6 « Reply #2 on: June 06, 2024, 06:45:38 pm »
Some ISPs do not give out WAN IPv6 GUAs, but only prefixes. Some even deny prefixes if an interface address is requested. Thus, you can end up in three possible situations:
1. You request both and get both NA and PD
2. You request both and get PD only
3. You request both and get none
4. You request PD only and get it
5. You request NA only and get nothing
Due to current limitations, if you only get a PD prefix, OPNsense cannot use the PD prefix for the WAN address. This is a feature that will be in 24.7.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
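
Added example, not part of any post in this thread: a Python sketch that takes an interface address list like the one the first post describes and reports which addresses an inbound rule for port 51820 can actually target from the internet, and which interfaces (here the link-local-only WAN) have no global IPv6 address. The interface names, the addresses (documentation ranges), the /56 prefix and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample of an interface overview like the one the first post
# describes; all addresses are documentation ranges, not from the thread.
SAMPLE_INTERFACES = {
    "WAN": ["203.0.113.10", "fe80::1"],
    "LAN": ["192.168.1.1", "2001:db8:aa00:1::1", "fe80::1"],
    "DMZ": ["192.168.2.1", "2001:db8:aa00:2::1"],
}
SAMPLE_PD = "2001:db8:aa00::/56"  # constructed /56 delegation

# IPv4 ranges that are not reachable from the internet.
NOT_PUBLIC4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8")]  # CGNAT, link-local, loopback
GUA6 = ipaddress.ip_network("2000::/3")  # global unicast space


def reachable_addresses(interfaces, delegated_prefix):
    """Return [(interface, address, origin)] for addresses a WAN rule can target.

    origin is "ipv4", "pd" (inside the delegated prefix, so it changes when
    the ISP changes the prefix) or "non-pd" (a GUA from outside it, e.g. NA).
    """
    pd = ipaddress.ip_network(delegated_prefix)
    found = []
    for name, addrs in interfaces.items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if ip.version == 4:
                if not any(ip in net for net in NOT_PUBLIC4):
                    found.append((name, text, "ipv4"))
            elif ip in GUA6:  # drops fe80::/10 link-local and fc00::/7 ULA
                found.append((name, text, "pd" if ip in pd else "non-pd"))
    return found


def interfaces_without_gua(interfaces):
    """Names of interfaces with no global IPv6 address (link-local or v4 only)."""
    return [name for name, addrs in interfaces.items()
            if not any(ipaddress.ip_address(a).version == 6
                       and ipaddress.ip_address(a) in GUA6 for a in addrs)]


if __name__ == "__main__":
    for row in reachable_addresses(SAMPLE_INTERFACES, SAMPLE_PD):
        print(*row)
    print("no GUA on:", interfaces_without_gua(SAMPLE_INTERFACES))
```

Addresses tagged "pd" move whenever the delegated prefix changes, so a rule or AAAA record pinned to the literal address needs updating at that point.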