    ADD RFC 6296 for future version pfsense

      fredlubrano

      Hi,

      Is it possible to add RFC 6296 to the IPv6 Network Prefix Translation function in a future pfSense release? RFC 6296 (https://www.rfc-editor.org/info/rfc6296) is added in the future version of FreeBSD 12:

      https://svnweb.freebsd.org/base?view=revision&revision=303012
      https://reviews.freebsd.org/rS303012
      https://reviews.freebsd.org/D6420

      Thanks

      Best regards,

      fred

        MikeV7896

        This paragraph from the Status of this memo section tells me that it’s not likely to find any kind of official support in the GUI here, regardless of FreeBSD’s decision to implement it at the OS level...

        This document is not an Internet Standards Track specification; it is
        published for examination, experimental implementation, and
        evaluation.

        It’s not an internet standard. At least not yet. It is experimental.

        The S in IOT stands for Security

          MikeV7896

          And now that I’ve gotten the “nice” response out of the way... NO! NAT and IPv6 do not go together! There is no need to waste TWO /64’s when one and a properly configured firewall works just fine! Why do people want the internet to remain broken with NAT?!

            JKnott

            @fredlubrano said in ADD RFC 6296 for future version pfsense:

            is it possible to add RFC 6296 to the IPv6 Network Prefix Translation function in a future PfSense release. RFC 6296

            Why??? NAT is a hack to get around the IPv4 address shortage. No need for it on IPv6.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              JKnott @MikeV7896

              @virgiliomi said in ADD RFC 6296 for future version pfsense:

              Why do people want the internet to remain broken with NAT?!

              They're so used to it, they think it's normal. They don't realize it's a hack that breaks things.

              BTW, I'm allergic to NAT. 😉

                fredlubrano

                Gentlemen, this is just a proposal, and I notice that you know very little about the implementation of IPv6 at our French ISPs.
                I totally agree with you that IPv6 is not created for NAT, so I'm asking you to skim your answers.

                I think I should comment on this conversation at freebsd dev, he loses his time 😂

                  Grimson Banned

                  If you post something in a discussion board expect to hear the opinions of others.

                  As for your proposal, well you have my pity if French ISPs are incompetent enough that you would need NAT on IPv6. But that is no reason to support their incompetence by adding that crap to pfSense.

                    fredlubrano

                    Unfortunately, if pfSense wishes to develop more towards companies and professionals, it will have to add these kinds of options. For example, Fortinet will add this option.

                    I close this request.

                    PS: Are you part of the people who decide to add functions?

                      MikeV7896

                      No, all of us are just users of pfSense. Netgate employees are identified with a badge next to their username indicating such.

                      It's certainly possible that, for whatever reason, they could decide to include this functionality. But based on responses to previous requests about NAT and IPv6, I would be very surprised if it happens.

                      It's also possible that some generous individual could do all of the work and submit it to pfSense for inclusion into their software. That's the beauty of Open Source software.

                      But if your ISP is only giving you one single IPv6 address and you want to NAT that one IPv6 address to your LAN (which I think is what your real issue is), this RFC won't be helping you. 1:1 NAT means that for every internal IP address, you have an external one to point to it. So you'd still need a /64 from your ISP in order to use the ideas in this RFC. To make sure this is clear, I'm referring to this statement in the Abstract of the RFC...

                      ...provides a 1:1 relationship between addresses in the "inside" and "outside" prefixes...

                      So you would have an "inside" (likely ULA) /64 on your LAN, and an "outside" /64 (from your ISP) on your WAN... and you're wasting a perfectly good /64 for this nonsense when you could just be using that /64 from your ISP on your LAN in the first place.

                      The S in IOT stands for Security
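As an added illustration of the 1:1 "inside"/"outside" prefix relationship quoted in the post above (not part of the thread, and not pfSense's or pf's code): a Python implementation of the checksum-neutral address mapping that RFC 6296 specifies. The function names and the /64 sample prefixes are constructed for this example.

```python
import ipaddress

def words(addr):
    """Split an IPv6 address into eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def fold(x):
    """Fold carries back in: 16-bit one's-complement addition."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def ones_sum(addr):
    """One's-complement sum of an address, as used by TCP/UDP checksums."""
    return fold(sum(words(ipaddress.IPv6Address(addr))))

def npt66(addr, src_prefix, dst_prefix):
    """Statelessly map addr from src_prefix into dst_prefix (1:1)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    plen = src.prefixlen
    if plen != dst.prefixlen or plen > 64:
        raise ValueError("prefixes must be the same length, /64 or shorter")
    if addr not in src:
        raise ValueError("address is outside the source prefix")
    # Adjustment = sum(source prefix) - sum(destination prefix), one's complement
    adjust = fold(ones_sum(src.network_address)
                  + (~ones_sum(dst.network_address) & 0xFFFF))
    # Swap the prefix bits and keep everything below them
    host_bits = int(addr) & ((1 << (128 - plen)) - 1)
    out = words(int(dst.network_address) | host_bits)
    # /48 or shorter: adjust the subnet word (bits 48-63); longer prefixes:
    # adjust the first interface-identifier word that is not 0xFFFF
    idx = 3 if plen <= 48 else next(i for i in range(4, 8) if out[i] != 0xFFFF)
    w = fold(out[idx] + adjust)
    out[idx] = 0 if w == 0xFFFF else w  # 0xFFFF is negative zero; emit 0x0000
    n = 0
    for word in out:
        n = (n << 16) | word
    return ipaddress.IPv6Address(n)

# Constructed samples: a /64 pair (ULA inside, documentation prefix outside)
INSIDE, OUTSIDE = "fd12:3456:789a:1::/64", "2001:db8:1:2::/64"

if __name__ == "__main__":
    for host in ("fd12:3456:789a:1::10", "fd12:3456:789a:1::11"):
        print(host, "->", npt66(host, INSIDE, OUTSIDE))
```

The mapping is a pure function of the address and the two prefixes, so it keeps no state and filters nothing; which inside hosts are reachable from outside is still decided by the firewall rules.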

                        jimp Rebel Alliance Developer Netgate

                        The referenced FreeBSD commit is for ipfw; pfSense uses pf. pf already does NPt and it's available under Firewall > NAT, NPt tab.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                          MikeV7896

                          Ok then, I lose. ☺

                          But as I mentioned, this is still 1:1 NAT... you still need a /64 on your WAN to use a /64 on your LAN. And you shouldn't be using anything other than a /64 on your LAN. So one single IPv6 address will not let you use IPv6 on a whole LAN.

                            jimp Rebel Alliance Developer Netgate

                            NPt still isn't useful in that context. There is no such thing as "Proxy NDP" to answer NDP requests for addresses in the /64 on WAN.

                            It is useful for use with a network (/64 or larger) routed to your firewall WAN address, though.

                              fredlubrano

                              Hello Jimp,
                              Thank you for those answers, it was in the idea. Can you send me by email a procedure to submit requests for improvements? I will answer you by my professional email.

                              Thanks for the moderation of the forum 😉 and good day

                              fred

                                jimp Rebel Alliance Developer Netgate

                                The procedure to request features is in the documentation. No need to discuss a public topic privately.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.