Network Prefix Translation (NPt) Failing


  • Hello everyone,

    New user to PFsense here, and I'm loving it so far.

    I am having trouble setting up IPv6 with NPt, and I could use a little help. Here's what I am trying to do:

    • I am receiving an IPv6 address from Cox via DHCP6. I have no idea what the prefix is, nor am I able to find this in any pfsense log.

    • I have several LAN networks set up on the PFsense. Each LAN gateway interface has a ULA address with a /64 prefix. For example, FD00:0:0:1::1 is the address for the vlan 1 gateway, FD00:0:0:2::1 for vlan 2, etc.

    • I set up a DHCP6 server on each interface to hand out ULA addresses to clients.

    • I created an NPt rule to translate my LAN net, FD00:0:0:2::/64 into a global net. Now, as mentioned, I don't know what the prefix for my global address is, so I took the current IPv6 address on my WAN interface and truncated it to 64 bits. I used that as my prefix, and assumed that would be safe.

    However, it doesn't work, and I'm not sure where I have gone wrong. Can anyone steer me in the right direction?


  • @Netsonic said in Network Prefix Translation (NPt) Failing:

    I'm not sure where I have gone wrong.

    You're thinking you're still on IPv4. Typically, an ISP provides at least 1 /64 prefix (I get 256 from my ISP). It usually routes to your firewall via the link local address (starts with fe80). You may have a WAN address that has absolutely nothing to do with routing and isn't even needed. As for your WAN prefix, you should see your WAN address in the pfsense dashboard and the leftmost 64 bits are your prefix. One thing that you need to check is that your modem is in bridge mode, not gateway.


  • @JKnott said in Network Prefix Translation (NPt) Failing:

    You're thinking you're still on IPv4.

    How do you mean? I am pretty sure I'm talking about IPv6 :) . Can you be more specific about what in my reasoning or methodology is flawed?

    Typically, an ISP provides at least 1 /64 prefix (I get 256 from my ISP). It usually routes to your firewall via the link local address (starts with fe80).

    Yes, we're on the same page so far, but we're describing this in a different way. You said you have 256 /64 prefixes; another way to say this is that you have a /56 prefix that subdivides into 256 /64 prefixes. I don't know what this "base" prefix is for me, so I can't derive any /64 prefix to translate into via NPt.

    You may have a WAN address that has absolutely nothing to do with routing and isn't even needed. As for your WAN prefix, you should see your WAN address in the pfsense dashboard and the leftmost 64 bits are your prefix.

    So, should I concern myself with the current WAN prefix at all? What should I use as the translated global prefix?

    One thing that you need to check is that your modem is in bridge mode, not gateway.

    My modem provides only layer-2 functionality to the downstream device (pfsense), so this is not responsible for the current issue.


    So, I'm unclear on what you're advising me to do going forward. Let me clarify my question:

    1. Can I translate a ULA address into a global address using NPt?

    2. What should I use as the source prefix?

    3. What should I use as the global prefix?

    4. What in my current configuration could cause this to not work?

    I understand networking pretty well, but I am shy on IPv6 experience and a very green user to pfsense. I am open to whatever you have to say, but I want to be clear on what you're suggesting that I do to avoid creating a mess in pfsense. :)


  • @Netsonic said in Network Prefix Translation (NPt) Failing:

    @JKnott said in Network Prefix Translation (NPt) Failing:

    You're thinking you're still on IPv4.

    How do you mean? I am pretty sure I'm talking about IPv6 :) . Can you be more specific about what in my reasoning or methodology is flawed?

    Well, for starters, you're talking about NAT. NAT is used on IPv4 to get around the address shortage. No need for that on IPv6.

    Typically, an ISP provides at least 1 /64 prefix (I get 256 from my ISP). It usually routes to your firewall via the link local address (starts with fe80).

    Yes, we're on the same page so far, but we're describing this in a different way. You said you have 256 /64 prefixes; another way to say this is that you have a /56 prefix that subdivides into 256 /64 prefixes. I don't know what this "base" prefix is for me, so I can't derive any /64 prefix to translate into via NPt.

    The base prefix would be the left part of your addresses. If you have a single /64, it would be the leftmost 64 bits. With my /56, it would be the leftmost 56. What does your ISP provide? Mine provides a /64 if the modem is in gateway mode, but as much as a /56 in bridge mode.

    You may have a WAN address that has absolutely nothing to do with routing and isn't even needed. As for your WAN prefix, you should see your WAN address in the pfsense dashboard and the leftmost 64 bits are your prefix.

    So, should I concern myself with the current WAN prefix at all? What should I use as the translated global prefix?

    No. You'd only worry about that for testing or VPN etc.

    One thing that you need to check is that your modem is in bridge mode, not gateway.

    My modem provides only layer-2 functionality to the downstream device (pfsense), so this is not responsible for the current issue.

    Every modem provides layer 2 or Ethernet to your network. It also has to provide layer 3 or IP to your network. If it doesn't provide both, you have an expensive paperweight. The question, again, is your modem in bridge or gateway mode. This is important when you use pfsense.

    So, I'm unclear on what you're advising me to do going forward. Let me clarify my question:

    Can I translate a ULA address into a global address using NPt?

    Again, you're talking NAT, when you don't need to. If your ISP provides more than a single /64, you can use pfsense to assign the different /64s to the various interfaces. For example, I have 1 for my main LAN, 1 for guest WiFi, 1 for test LAN and 1 for my VPN. I still have 252 left.

    What should I use as the source prefix?

    With ULA, it's your choice of any /64 within the fc:: /121 block. But you're heading in the wrong direction with NAT again.

    What should I use as the global prefix?

    What in my current configuration could cause this to not work?

    I understand networking pretty well, but I am shy on IPv6 experience and a very green user to pfsense. I am open to whatever you have to say, but I want to be clear on what you're suggesting that I do to avoid creating a mess in pfsense. :)

    First off, make sure your modem is in bridge mode and find out how big the prefix Cox provides is. Once you've done that, we can give you more advice.

    Here is some config info:
    Working IPv6 through Cox

    A quick search shows Cox provides at least a /60. See if you can get that going and then try for something bigger.


  • @JKnott said in Network Prefix Translation (NPt) Failing:

    Well, for starters, you're talking about NAT. NAT is used on IPv4 to get around the address shortage. No need for that on IPv6.

    Ah, I see where the misunderstanding is happening. I'll explain what I'm trying to accomplish and why at the bottom of this thread to avoid lengthy and controversial dissertations on IPv6 that have doubtlessly been covered elsewhere! *

    The base prefix would be the left part of your addresses. If you have a single /64, it would be the leftmost 64 bits. With my /56, it would be the leftmost 56. What does your ISP provide? Mine provides a /64 if the modem is in gateway mode, but as much as a /56 in bridge mode.

    I don't know. After an hour on the phone with Cox, I wasn't able to reach a person who knew the difference between a link local and global address. I've tried my best to deduce this with the following method: I've turned on DHCP6 on my WAN and successfully gotten an IPv6 address. Next, I enabled IPv6 on a LAN interface, and set it to "Track Interface" on the WAN. Now, if I am understanding correctly, track interface takes the address space delegated by the ISP, automatically divides it and assigns a prefix to the LAN. Now, when I look at my WAN address and LAN address, they have the first 32 bits in common. Could this /32 be my address allocation, then? If so, it's huge!

    Every modem provides layer 2 or Ethernet to your network. It also has to provide layer 3 or IP to your network. If it doesn't provide both, you have an expensive paperweight. The question, again, is your modem in bridge or gateway mode. This is important when you use pfsense.

    It doesn't have a routed mode; only bridge mode. I'm pretty sure that it's just a bump in the wire, converting signals between coax and ethernet, while the provider equipment does any IP services, but I may be wrong on that. At any rate, I am 100% positive that the device only functions in bridge mode.


    Answer to the question at the top of thread *

    Ok, first a little background on me. I have dated but significant professional experience in Cisco routing & switching, so while my knowledge may not be up-to-date, these ideas are well-informed.

    I'm not literally talking about doing traditional port address translation, but I am trying to accomplish something similar (NPt). Why? Privacy. Now, soon a mob demanding my head will arrive to inform me of the following:

    • NAT was never meant to provide privacy. (true)
    • NAT in itself does not provide privacy & there are a million other ways in which you can be tracked around the internet. (true)
    • IPv6 has multiple privacy mechanisms on modern OS's -- privacy addresses, temporary addresses, etc. (true)
    • NAT breaks end-to-end IP model and causes a lot of problems you have to solve, so we shouldn't perpetuate the crime. (true)
    • ...therefore NAT6 provides no privacy and should not be used. (false, in my opinion)

    PFSense does not provide NAT6, but Network Prefix translation seems like it will do what I need it to do. To future thread denizens, I'm more than happy to argue this use case, but only after I get NPt working. :)


  • @Netsonic said in Network Prefix Translation (NPt) Failing:

    @JKnott said in Network Prefix Translation (NPt) Failing:

    Well, for starters, you're talking about NAT. NAT is used on IPv4 to get around the address shortage. No need for that on IPv6.

    Ah, I see where the misunderstanding is happening. I'll explain what I'm trying to accomplish and why at the bottom of this thread to avoid lengthy and controversial dissertations on IPv6 that have doubtlessly been covered elsewhere! *

    The base prefix would be the left part of your addresses. If you have a single /64, it would be the leftmost 64 bits. With my /56, it would be the leftmost 56. What does your ISP provide? Mine provides a /64 if the modem is in gateway mode, but as much as a /56 in bridge mode.

    I don't know. After an hour on the phone with Cox, I wasn't able to reach a person who knew the difference between a link local and global address. I've tried my best to deduce this with the following method: I've turned on DHCP6 on my WAN and successfully gotten an IPv6 address. Next, I enabled IPv6 on a LAN interface, and set it to "Track Interface" on the WAN. Now, if I am understanding correctly, track interface takes the address space delegated by the ISP, automatically divides it and assigns a prefix to the LAN. Now, when I look at my WAN address and LAN address, they have the first 32 bits in common. Could this /32 be my address allocation, then? If so, it's huge!

    All that means is that at some point, they share the same prefix, quite likely since they both belong to the same ISP. As you get closer to the customer, you will see a difference. On a LAN, the normal prefix is a /64, so see how far 64 bits takes you in it.

    Every modem provides layer 2 or Ethernet to your network. It also has to provide layer 3 or IP to your network. If it doesn't provide both, you have an expensive paperweight. The question, again, is your modem in bridge or gateway mode. This is important when you use pfsense.

    It doesn't have a routed mode; only bridge mode. I'm pretty sure that it's just a bump in the wire, converting signals between coax and ethernet, while the provider equipment does any IP services, but I may be wrong on that. At any rate, I am 100% positive that the device only functions in bridge mode.

    Are you certain it doesn't have a gateway mode? If so, that would be unusual these days.


    Answer to the question at the top of thread *

    Ok, first a little background on me. I have dated but significant professional experience in Cisco routing & switching, so while my knowledge may not be up-to-date, these ideas are well-informed.

    The basics of IPv4 and IPv6 are similar, in that routing etc. work the same. However, there are some differences, such as the use of link local addresses for so much.

    I'm not literally talking about doing traditional port address translation, but I am trying to accomplish something similar (NPt). Why? Privacy. Now, soon a mob demanding my head will arrive to inform me of the following:

    • NAT was never meant to provide privacy. (true)
    • NAT in itself does not provide privacy & there are a million other ways in which you can be tracked around the internet. (true)
    • IPv6 has multiple privacy mechanisms on modern OS's -- privacy addresses, temporary addresses, etc. (true)
    • NAT breaks end-to-end IP model and causes a lot of problems you have to solve, so we shouldn't perpetuate the crime. (true)
    • ...therefore NAT6 provides no privacy and should not be used. (false, in my opinion)

    PFSense does not provide NAT6, but Network Prefix translation seems like it will do what I need it to do. To future thread denizens, I'm more than happy to argue this use case, but only after I get NPt working. :)

    If you have more than 1 /64, you will likely not need NAT or NPT. You will simply assign a different /64 to each network. As I mentioned, I use 4. Also, according to a quick search, Cox appears to provide at least a /60, which gives you 16 /64s. Start from there.

    As for your ISP's tech support, I find I often know more than the support staff and for that reason tend to immediately ask for 2nd level, as I know the person who answers the phone will likely not know enough to even understand the problem, let alone solve it. As an example, a couple of years ago, I had a problem with IPv6. Through my own testing I had determined the problem was not on my network. When I was talking to 2nd level support, I had to give them a bit of education on how IPv6 works and they were able to verify the problem was on my ISP's network. Later a senior tech came to my home and I again had to teach him about IPv6. By this time, I had already identified the failing system, at the ISP's office, by host name! Eventually, the senior tech was able to determine the problem was in that office in exactly the system I identified.

    BTW, a bit of background on me. I have almost a half century of experience in telecom, computers and networks, including Cisco CCNA. Almost half that experience was with a major telecom and also almost 4 years at IBM.
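    The prefix arithmetic argued over in this thread, written out as an added example (this is not code from the original posts, from pfSense, or from Cox): how many leading bits the WAN and a tracked LAN address really share, what "truncate the WAN address to 64 bits" yields, how a delegated /60 carves into sixteen /64s, and what a stateless NPt prefix swap does to a ULA address. All addresses are constructed: the documentation range 2001:db8::/32 stands in for the ISP's space and fd00:0:0:N::/64 for the ULA VLANs described above. The function names are my own, and the translation is a plain prefix rewrite; the checksum-neutral adjustment RFC 6296 describes is deliberately not modelled.

```python
"""Added example: IPv6 prefix arithmetic behind the NPt discussion above.

Constructed data only: 2001:db8::/32 (documentation range) stands in for the
ISP delegation and fd00:0:0:N::/64 for the thread's ULA VLANs.
"""
import ipaddress


def common_prefix_len(a: str, b: str) -> int:
    """Leading bits two addresses share, e.g. the WAN address vs. a tracked LAN address."""
    diff = int(ipaddress.IPv6Address(a)) ^ int(ipaddress.IPv6Address(b))
    return 128 - diff.bit_length()


def truncate_to_prefix(addr: str, plen: int = 64) -> str:
    """Keep only the leftmost plen bits of an address (the /64 'prefix' of a WAN address)."""
    return str(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False))


def carve_64s(delegated: str) -> list[str]:
    """Split a delegated prefix (a /60 gives 16, a /56 gives 256) into /64 networks."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is smaller than a /64; nothing to carve")
    return [str(n) for n in net.subnets(new_prefix=64)]


def plan_npt(delegated: str, internal_nets: list[str]) -> dict[str, str]:
    """Pair each internal ULA /64 with its own /64 from the delegation, not the WAN /64."""
    pool = carve_64s(delegated)
    if len(internal_nets) > len(pool):
        raise ValueError(f"{delegated} holds only {len(pool)} /64s for {len(internal_nets)} LANs")
    return dict(zip(internal_nets, pool))


def npt_translate(addr: str, internal: str, external: str) -> str:
    """Stateless prefix swap: replace the internal prefix, keep the host (interface-ID) bits.

    This models a plain prefix rewrite; RFC 6296's checksum-neutral adjustment is not applied.
    """
    src = ipaddress.IPv6Network(internal)
    dst = ipaddress.IPv6Network(external)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt needs internal and external prefixes of equal length")
    a = ipaddress.IPv6Address(addr)
    if a not in src:
        raise ValueError(f"{a} is not inside {src}; the rule would not match it")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return str(ipaddress.IPv6Address(int(dst.network_address) | (int(a) & host_mask)))


if __name__ == "__main__":
    # Constructed: a WAN address and a tracked LAN address that share only the ISP's /32.
    wan, lan = "2001:db8:1:2::1", "2001:db8:ffff:1::1"
    print("common prefix bits:", common_prefix_len(wan, lan))   # 32
    print("WAN /64:", truncate_to_prefix(wan))                  # 2001:db8:1:2::/64
    # Constructed /60 delegation: each ULA VLAN gets its own /64 out of it.
    plan = plan_npt("2001:db8:abcd:10::/60", ["fd00:0:0:1::/64", "fd00:0:0:2::/64"])
    for ula, gua in plan.items():
        print(f"NPt {ula} -> {gua}")
    out = npt_translate("fd00:0:0:2::1234", "fd00:0:0:2::/64", plan["fd00:0:0:2::/64"])
    print("fd00:0:0:2::1234 leaves as", out)                    # 2001:db8:abcd:11::1234
```

    Run it as a script to see the four numbers side by side. Two points stand out in the sample data: a 32-bit match between WAN and LAN is the ISP's block, not the customer's delegation, and the /64 truncated from the WAN address is not one of the sixteen /64s inside the delegated /60, which is why using it as the NPt destination prefix is the wrong choice; the destination has to be a /64 the ISP actually routes to the firewall.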


  • First, JKnott is always right. 😉
    Second, on WAN, enable Debug:
    Start DHCP6 client in debug mode
    and take a look at that log.
    Get at least one LAN interface working with global IPv6 before even thinking about NPt.
    Better do it right, like JKnott said.
    IPv6 isn't IPv4.


  • @Bob-Dig said in Network Prefix Translation (NPt) Failing:

    First, JKnott is always right.

    That's not what my ex says! 😉