Netgate Discussion Forum

    NPT6 for Multi-WAN with dynamic prefix

    • Hikari

      Hello.

      I have read https://docs.netgate.com/pfsense/en/latest/nat/npt.html and I'm still not understanding some stuff.

      On that image, we seem to have to choose 1 interface, and then set static destination prefix. How is that handled, if ISP uses dynamic global prefix? Indeed it says "This does not work for dynamic IPv6 types where the subnet is not static, such as DHCP6-PD.".

      So, how to do it when we have dynamic global prefix?

      But then, I have to handle 2 of those for 2 ISP WANs, together with load balancing and fail over. Is it possible at all?

      What I'm thinking would be needed in my case:

      1. Use a pure GUA prefix, no ULA
      2. Set up a fixed suffix for each device on LAN, and also a host name inside LAN domain, all related to their MAC
      3. Choose a random /60 prefix inside one of my ISPs' /32 prefixes, and set a /64 inside it for each of my VLANs
      4. Set up load balancing for both WAN links on 50%-50% distribution and fail over
      5. Set up NPT6 so that LAN GUA prefix is translated to chosen WAN's delegated prefix

      Is it possible to do that on pfSense? Or is there any better way to do it?

      Why I'm considering this approach: when only ULA prefix is used or when GUA prefix expires, devices fall back to IPv4. By delegating a fixed GUA for them, they will remain on IPv6 thinking that's their public prefix.

      Issues:

      a) Protocols that incorporate IP or that announce their IP to the outside world will have packages directed to them routed elsewhere.
      b) I'll be unable to reach anybody using any prefix inside the chosen /60, which may be an issue for P2P games, for example.

      To solve (b), maybe I choose some Africa prefix, as I had never used any server or matched anybody on games.

      I must be sure pfSense is able to manage this before buying an appliance, so that later it doesn't work and I waste a lot of money.

      • viktor_g (Netgate)

        Feature request for this:
        https://redmine.pfsense.org/issues/4881

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.