Netgate Discussion Forum

    High Availability LAN Party Setup: IPv6 VPN for CGNAT Bypass Question

      Gamienator 0

      Current Setup

      I'm running a LAN party environment with the following infrastructure:

      • Dual pfSense boxes in HA configuration using CARP
      • Three WAN connections:
        1. Fiber connection
        2. 5G connection
        3. 4G connection
      • Each WAN connection has its own router in front of the pfSense boxes
      • All providers implement CGNAT
      • Critical issue: Previously hit CGNAT state limits, which severely impacted connectivity

      Current Challenge

      The main challenge is the CGNAT state limit on our connections. When we hit this limit, it disrupts the entire LAN party connectivity. While we temporarily resolved this by routing traffic through OpenVPN, we need a more robust solution. Our LAN party clients operate exclusively on IPv4, but we're looking to establish our VPN tunnels over IPv6 to bypass the CGNAT limitations entirely.

      Proposed Solution

      I'm considering implementing the following approach to bypass CGNAT restrictions:

      1. Configure ULA (Unique Local Address) IPv6 addresses on each provider router
      2. Use these static ULA addresses for the WAN interfaces on the pfSense boxes
      3. Establish outbound IPv6 VPN connections using these ULA addresses
      4. Continue serving LAN party clients with IPv4 only, while the upstream connection uses IPv6 for the VPN tunnel

      Specific Question

      Is it feasible to:

      1. Use ULA addresses on the WAN interfaces of the pfSense boxes (assigned from the provider routers)
      2. Establish outbound IPv6 VPN connections using these ULA addresses to bypass CGNAT
      3. Maintain CARP functionality with static ULA addresses while serving IPv4-only clients

      The key point I'm trying to understand is whether ULA addresses can be used for outbound IPv6 connectivity to establish VPN connections that will carry our IPv4 traffic, while still maintaining the CARP high availability setup.

      Additional Information

      • LAN party clients are IPv4-only
      • No static IPv4 and IPv6 addresses available from any provider
      • Need to maintain high availability while bypassing CGNAT state limits
      • Primary goal is to avoid CGNAT state limitations by tunneling over IPv6
      • Multiple connections are there to provide policy-based routing, like gaming over the lowest-ping connection, etc.

      Has anyone implemented something similar or can provide guidance on whether this approach would work for bypassing CGNAT state limits while maintaining HA?

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.