What firewall rules are needed for NPt and ULA
-
I'm trying to get IPv6 failover working on a setup that uses ULA.
I'm looking to translate fd70:1f5c:eb49:20a2::1 (LAN ULA /64) to my IPv6 /64 2001:aaa:bbbb:ccc::1. So, I've added the NPt entry where the internal prefix is the ULA, external the other. This doesn't work. Machines have been assigned IPv6 but I can't access the internet.
I think this may be due to firewall rules. Have tried a few combinations but I might be blind to it. I assume NPt needs outbound rules and/or others to work? What on earth would I need to pass through in order to make it work?
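To make concrete what an NPt entry actually does to the addresses in the post, here is an added worked example (written for this page; it is not code from the thread, from pfSense, or pfSense rule syntax). It uses the two /64 prefixes quoted above (the GUA /64 is the poster's placeholder) and implements the checksum-neutral prefix translation of RFC 6296 (NPTv6) for the /64 case as I read that RFC, next to a naive prefix swap for comparison. One point it shows that the post does not: under RFC 6296 the interface identifier is also adjusted, so fd70:1f5c:eb49:20a2::1 does not come out as 2001:aaa:bbbb:ccc::1. Whether a particular translator uses the checksum-neutral form or a plain swap (fixing transport checksums itself) is not something this thread shows, so check your implementation's documentation before relying on either address form in rules.

```python
"""IPv6 Network Prefix Translation (NPt / RFC 6296 NPTv6) worked through with
the two /64 prefixes from the post. Added illustration for this page; it is
not pfSense code and does not show pfSense rule syntax."""
import ipaddress

# Prefixes from the post. The GUA /64 is the poster's own placeholder.
INTERNAL_PREFIX = "fd70:1f5c:eb49:20a2::/64"
EXTERNAL_PREFIX = "2001:aaa:bbbb:ccc::/64"


def to_words(addr: str) -> list[int]:
    """Eight 16-bit words of an IPv6 address, most significant first."""
    value = int(ipaddress.IPv6Address(addr))
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def from_words(ws: list[int]) -> str:
    value = 0
    for w in ws:
        value = (value << 16) | w
    return str(ipaddress.IPv6Address(value))


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(ws: list[int]) -> int:
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def address_sum(addr: str) -> int:
    """One's complement sum of all eight words: the part of the TCP/UDP/ICMPv6
    pseudo-header checksum that an address rewrite can disturb."""
    return ones_sum(to_words(addr))


def prefix_swap(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Naive NPt: overwrite the prefix words and leave the IID alone. Not
    checksum-neutral, so a translator doing this must also rewrite the
    transport checksum of every packet it forwards."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    if src.prefixlen != dst.prefixlen or src.prefixlen % 16:
        raise ValueError("prefixes must be equal length and 16-bit aligned")
    n = src.prefixlen // 16
    ws = to_words(addr)
    ws[:n] = to_words(str(dst.network_address))[:n]
    return from_words(ws)


def npt_translate(addr: str, from_prefix: str, to_prefix: str) -> str:
    """RFC 6296 checksum-neutral translation, /64 case (my reading of the RFC,
    not text from the thread). Swapping the prefix changes the one's
    complement sum of the address; the difference is added to the first IID
    word that is not 0xFFFF, so the sum over the whole address, and with it
    every pseudo-header checksum, stays the same."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 64 or dst.prefixlen != 64:
        raise ValueError("this example implements the /64 case only")
    ws = to_words(prefix_swap(addr, from_prefix, to_prefix))
    s_from = ones_sum(to_words(str(src.network_address))[:4])
    s_to = ones_sum(to_words(str(dst.network_address))[:4])
    adjustment = ones_add(s_from, (~s_to) & 0xFFFF)  # s_from - s_to
    for i in range(4, 8):
        if ws[i] != 0xFFFF:
            new = ones_add(ws[i], adjustment)
            # 0xFFFF and 0x0000 are both zero in one's complement; writing
            # 0x0000 keeps the mapping reversible (see the round trip below).
            ws[i] = 0 if new == 0xFFFF else new
            return from_words(ws)
    raise ValueError("no IID word available for the adjustment")


def is_checksum_neutral(inside: str, outside: str) -> bool:
    # Reduce modulo 0xFFFF so the two one's complement zeros compare equal.
    return address_sum(inside) % 0xFFFF == address_sum(outside) % 0xFFFF


if __name__ == "__main__":
    host = "fd70:1f5c:eb49:20a2::1"
    out = npt_translate(host, INTERNAL_PREFIX, EXTERNAL_PREFIX)
    back = npt_translate(out, EXTERNAL_PREFIX, INTERNAL_PREFIX)
    naive = prefix_swap(host, INTERNAL_PREFIX, EXTERNAL_PREFIX)
    print(f"RFC 6296: {host} -> {out} -> {back}")
    print("  checksum neutral:", is_checksum_neutral(host, out))
    print(f"naive swap: {host} -> {naive}")
    print("  checksum neutral:", is_checksum_neutral(host, naive))
```

Running it shows the round trip fd70:1f5c:eb49:20a2::1 to 2001:aaa:bbbb:ccc:3586::1 and back, with the return trip landing on the 0xFFFF special case; the naive swap produces the 2001:aaa:bbbb:ccc::1 the post expects but breaks checksum neutrality, which is why a translator working that way has to touch the transport layer of each packet.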
-
Why are you trying to do that? You can have both ULA and GUA addresses on the same network. I do that here. With IPv6, there's no need for NAT.
-
@JKnott said in What firewall rules are needed for NPt and ULA:
Why are you trying to do that? You can have both ULA and GUA addresses on the same network. I do that here. With IPv6, there's no need for NAT.
I've been trying to get IPv6 multi-WAN (using two HE tunnels) working for a month odd with no luck following the Netgate guidance (https://docs.netgate.com/pfsense/en/latest/routing/multi-wan-for-ipv6.html). Was going to try and use ULA and set up NPt for both IPv6 tunnels as a test to get that working temporarily while investigating.
(I hope that makes a bit more sense)
-
I haven't used multi-WAN. However, IPv6 supports having multiple ULA prefixes on a network. If done with separate routers, you can assign a priority to one. Perhaps you could set up 2 instances of pfSense in virtual machines, each with its own tunnel. Then you could set the priorities on the Router Advertisements page.
IPv6 has a lot of improvements over IPv4 but, unfortunately, the widespread use of NAT has created a lot of bad habits.