Netgate Discussion Forum

    NAT66

    • I
      ineti
      last edited by

      Dear pfSense Team,

      Would it be possible to implement FreeBSD's NAT66? I think there's a demand for nat66. As I posted earlier a lot of providers deploy only 64 prefixes and NPT doesn't do all the tricks if you want to use static/stateful IPv6 Subnets.

      I really don't want to learn pf/or iptables and establish a second ipv6 router :-)

      Interesting articles:

      Debian/Vyatta based IPv6 NAT : http://packetpushers.net/thank-goodness-for-nat66/

      SLAAC and IP forwarding: http://strugglers.net/~andy/blog/2011/09/04/linux-ipv6-router-advertisements-and-forwarding/

      PS: I would gladly donate for that feature ;D

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        There is NPt already, which works like 1:1 NAT for IPv6 to map one prefix to another. That does work fine.

        We're considering NAT66 for 2.2 last I knew, but not 2.1. We need to get 2.1 out first before we start adding more things.

        It will be needed for things like transparent proxying or other similar use cases for traffic redirection, so it is useful, but not as critical as other features.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • I
          ineti
          last edited by

          Thanks for considering it :-)

          The current NPT doesn't work with multiple subnets afaik, that's a big problem.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Not sure what you mean there. Mapping the same internal subnet to two different external subnets on the same WAN? Not sure why anyone would need to do that. That doesn't work for IPv4 either, the first 1:1 NAT mapping takes effect and the next one would be skipped.

            Mapping to a subnet on two different WANs does work.

            The key with NPt (and will also need to be there for NAT66) is that the subnet being used for NAT must be routed to you. You can't do proxy NDP or some other "virtual" IP type for an entire prefix.

            • I
              ineti
              last edited by

              Example:

              Provider hands out a /64; of course I could map my internal /64 to the global /64..
              This works only if I have one internal /64. As I understand NPT I can't map multiple internal /64s to the one /64 my provider has given to me.

              Another problem is that currently the global NPT prefix has to be assigned manually in pfSense. Lots of ISPs are handing out the prefixes dynamically. So a tracking feature would be needed as well.

              With NAT I can use as many internal ULA Subnets as I want…

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                @ineti:

                Provider hands out a /64; of course I could map my internal /64 to the global /64..
                This works only if I have one internal /64. As I understand NPT I can't map multiple internal /64s to the one /64 my provider has given to me.

                No, that won't/can't work. It's like 1:1 NAT, you can't map one external IP to two internal IPs, the inbound direction would be ambiguous.

                @ineti:

                Another problem is that currently the global NPT prefix has to be assigned manually in pfSense. Lots of ISPs are handing out the prefixes dynamically. So a tracking feature would be needed as well.

                That's just a missing feature, will come in 2.2. At the moment we're having enough issues just getting PD to play nice, let alone tracking it for NPt.

                @ineti:

                With NAT I can use as many internal ULA Subnets as I want…

                And completely miss the point of IPv6. Just route it. If you need multiple internal subnets, give up doing local SLAAC and use subnets smaller than a /64 and use NPt to map them to segments of your routed /64. Or find a non-stingy ISP that will give you a few prefixes (a /60, /56, or /48 are also common).

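The 1:1 mapping constraint discussed in the post above, as an added Python example that is not part of the thread and is not pfSense code. It uses a plain prefix swap rather than the checksum-neutral algorithm of RFC 6296, and every prefix in it is a constructed documentation or ULA value; the /66 subnet length is an assumption chosen to illustrate "smaller than a /64".

```python
import ipaddress

def map_prefix(addr, src_prefix, dst_prefix):
    """Stateless 1:1 translation: keep the host bits, swap the prefix bits."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_bits = int(addr) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)

def inbound_conflicts(mappings):
    """Pairs of internal prefixes whose external prefixes overlap.

    An overlap means an inbound packet matches two mappings, so the
    translator cannot tell which internal subnet it belongs to."""
    nets = [(ipaddress.IPv6Network(i), ipaddress.IPv6Network(e))
            for i, e in mappings]
    return [(str(a_int), str(b_int))
            for n, (a_int, a_ext) in enumerate(nets)
            for b_int, b_ext in nets[n + 1:]
            if a_ext.overlaps(b_ext)]

def segment_plan(routed_prefix, internal_subnets):
    """Give each internal subnet its own equal-sized slice of the routed prefix."""
    routed = ipaddress.IPv6Network(routed_prefix)
    internal = [ipaddress.IPv6Network(n) for n in internal_subnets]
    plen = internal[0].prefixlen
    if plen <= routed.prefixlen or any(n.prefixlen != plen for n in internal):
        raise ValueError("internal subnets need one shared length, longer than the routed prefix")
    if len(internal) > 2 ** (plen - routed.prefixlen):
        raise ValueError("more internal subnets than available segments")
    # subnets() is lazy, so zip() only takes as many segments as needed
    return [(str(i), str(e)) for i, e in zip(internal, routed.subnets(new_prefix=plen))]

ROUTED = "2001:db8:0:1::/64"   # constructed: the single /64 routed by the ISP
# Two internal /64s mapped onto the same external /64: ambiguous inbound
TWO_64S = [("fd00:0:0:a::/64", ROUTED), ("fd00:0:0:b::/64", ROUTED)]
# Two internal /66s (no SLAAC), each mapped to its own /66 segment
PLAN = segment_plan(ROUTED, ["fd00:0:0:a::/66", "fd00:0:0:b::/66"])

if __name__ == "__main__":
    print("two /64s onto one /64:", inbound_conflicts(TWO_64S))
    print("two /66s onto segments:", PLAN, inbound_conflicts(PLAN))
    print("outbound:", map_prefix("fd00:0:0:b::25", *PLAN[1]))
```
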
                • I
                  ineti
                  last edited by

                  //And completely miss the point of IPv6. Just route it. If you need multiple internal subnets, give up doing local SLAAC and use subnets smaller than a /64 and use NPt to map them to segments of your routed /64. Or find a non-stingy ISP that will give you a few prefixes (a /60, /56, or /48 are also common).//

                  Well, I don't think it's an option to drop SLAAC by going smaller subnet sizes. Static addresses are no option in roaming environments and most devices don't even support DHCPv6 :-(
                  I'll probably change my ISP and live with the lower bandwidth (my current ISP is switching to DS lite and dropping native IPv4 as well).

                  What speaks for NAT66 is that you could at least run one subnet via NAT66. e.g. :
                  ISP hands out an IP6 address to the WAN interface and delegates a /64 via prefix delegation. I could use the /64 for one subnet and the IPv6 WAN address via NAT66 for another subnet with ULAs.
                  So only one subnet would have to live with NAT…

                  Complicated stuff. But I'm glad pfSense supports IP6 so well at this moment. I've looked at other "ready to use router distributions" and a lot don't even support IPv6 in any way...

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.