Need help to setup NPTv6 with IPv6-PD?

[nghappiness]

Hi,

I am trying to setup NPTv6 for my home with my ISP which provides IPv6-PD as /56.    I am running 23.1.5_4.

WAN interface is set to DHCPv6,  it is getting the IPv6 delegated prefix. 

I am able to ping6 out to the internet already from OPNSense console.

LAN interface is set to static IPv6, with fddd:xxxx:yyyy:z::1/64.

Setup DHCPv6 for LAN,  enabled, range fddd:xxxx:yyyy:z::100 to fddd:xxxx:yyyy:z::120.


Firewall > NAT > NPTv6

Interface WAN
Internal IPv6 prefix fddd:xxxx:yyyy:z:: / 64
External IPv6 prefix left it blank.

Save.

ping6 behind the firewall, no lucky.

Firewall > Log Files > Live view

Code Select Expand

__timestamp__ 2023-04-13T16:56:32-07:00
action [binat]
anchorname
class 0x00
dir [out]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan07
interface_name wan
ipversion 6
label binat rule
length 40
protoname ipv6-icmp
protonum 58
reason match
rid
rulenr 0
src fd0f:xxxx:yyyy:3::100
subrulenr


Code Select Expand

__timestamp__ 2023-04-13T17:00:40-07:00
action [pass]
anchorname
class 0x00
dir [in]
dst 2607:f8b0:4005:813::2004
flow 0x00000
hoplimit 128
interface vlan01
interface_name lan
ipversion 6
label Allow Outbound
length 40
protoname ipv6-icmp
protonum 58
reason match
rid 8a899f5fb6680084e61474ff6a9575f9
rulenr 182
src fd0f:xxxx:yyyy:3::100
subrulenr

Please help,  what am I missing?

Thanks!

[Patrick M. Hausen]

You need to set the external prefix to use NPT6. But why use that at all? The reason for delegating a /56 is so you can use up to 256 /64. Ethernet type links are always /64 in IPv6. What does the ifconfig output for your WAN interface look like after acquiring an address from your provider?

[nghappiness]

I have a Pi-hole as DNS server behind the LAN interface.  I will like to setup dual stack on pi-hole.   I will need to get static IPv6 address for the pi-hole.  The only way I can think of it by using ULA with NTPv6. 

the ifconfig does not include the prefix delegation information.

Interface -> overview > WAN

Code Select Expand

Status up
DHCP
DHCPv4 up   DHCPv6 up   
MAC address <redux> - Intel Corporate
MTU 1500
IPv4 address aa.bb.cc.44/21
IPv4 gateway auto-detected: aa.bb.cc.1
IPv6 link-local fe80::aaaa:ffff:ffff:1/64
IPv6 address 2001:<redux>::65cd/128
IPv6 delegated prefix 2001:<redux>::/56
IPv6 gateway auto-detected: fe80::5555:aaaa:fddd:6666

[Patrick M. Hausen]

OK, so you get a single /128 externally and a link local default gateway. This is common best practice.
Why can't you assign the first /64 of your delegated /56 to the LAN interface statically? Does the prefix change? You did not make that clear or I missed it.

NPT6 only works with static prefixes.

I'd recommend using "track interface" if you have a dynamic prefix and instead of a separate pihole run AdGuard Home on your OPNsense.

ULA simply won't work:
https://blog.ipspace.net/2022/05/ipv6-ula-made-useless.html

[nghappiness]

Does the prefix change?

The prefix can change (ie, if I reboot opnsense.)

NPT6 only works with static prefixes.

ok.  I got confused by the Full help in NPTv6 setup. 

Enter the external (WAN) IPv6 prefix for the Network Prefix Translation. Leave empty to auto-detect the prefix address. The prefix size specified for the internal prefix will also be applied to the external prefix.

I thought it will auto-detect.

Thanks for the link to ipspace.  Let me read about it..

[Patrick M. Hausen]

Since you do not have an external prefix assigned to the interface but only a /128 plus delegation, there is nothing to autodetect. Sorry not to have better news. Dynamic prefixes suck.

[nghappiness]

Since you do not have an external prefix assigned to the interface but only a /128 plus delegation, there is nothing to autodetect. Sorry not to have better news. Dynamic prefixes suck.

Thanks for the explanation on NPTv6!    I am happy that I don't need to use 6in4 tunnel anymore!