Correct NPt settings? Or how to not need it on this network?

  • I'm not understanding what prefixes I should enter on the NPt settings page. I get a /128 on my WAN and have /64 ULA on the LAN. In my NPt settings I have my LAN IP and prefix set in the first address and prefix fields, and the WAN IP and prefix in the second fields. Both "Not" checkboxes are not selected and interface is set to WAN (default). When set like this, there is this error on the dashboard:

    There were error(s) loading the rules: /tmp/rules.debug:88: 'binat' source mask and redirect mask must be the same - The line in question reads [88]: binat on $WAN inet6 from [LAN_IP]/64 to any -> [WAN_IP]

    Am I understanding these settings right? Should the WAN prefix be different? I don't send a prefix hint, but believe I can send /64.

    Or how can I set things up so I don't have to do this? Initially I was tracking on the LAN interface, but nothing really worked. My understanding of that setting is that if my internet or modem is down, the IPs don't work or don't resolve anymore. Is that true?

    I don't want to use my ISP's DNS servers. They're slow and unreliable, and I don't like their privacy policy. Would I have to use them to be able to figure out names and IPs of devices on my LAN?

    How do I block malicious DNS using the MAC as part of the IP? There is no use for that that is in my interest so yes I consider it malicious.

    Thanks in advance everyone. I'm still trying to figure out IPv6 and not get a broken, dangerous config.

  • @signalz said in Correct NPt settings? Or how to not need it on this network?:

    Thanks in advance everyone. I'm still trying to figure out IPv6 and not get a broken, dangerous config.

    Well, you can start by describing what you're trying to do and why you think you need NPt. With IPv6, you should be getting at least 18.4 billion, billion addresses from your ISP. You should have at least 1 /64 prefix. Many ISPs provide a /56, which is 256 /64s and others provide a /48 or /16.

  • I want IPv6 connectivity. I already have an IP on WAN assigned by ISP and a DHCPv6 server set up on pfsense, but test sites and ping6 fail. It's my understanding I need to configure NPt if I want to use private addresses. My issue with getting addresses from my ISP is they didn't work any better. I also want to avoid a configuration that breaks my LAN if Comcast goes down or decides to reconfigure something.

  • @signalz

    First off, you do not need to use private addresses. As I mentioned, an ISP should be providing at least a /64, which is 18.4 billion, billion addresses. The usual way to distribute that is with DHCPv6-PD, where PD stands for prefix delegation. Pfsense can handle that without problem. I get a /56, which means I can set up 256 networks, each with a /64.

    Perhaps if you described what you're doing, we can help you. Also, mention your ISP. There might be someone here who is also on them.

  • For the sake of discussion, I set pfsense back to use interface tracking. I'm right back to where I was before ULAs. I can reach on one computer, but not another. The biggest problem is nothing can figure out anything's address. pfsense doesn't return the AAAA record for anything, even though I can see the IPs in the NDP table, and ping doesn't resolve them.

  • @signalz

    If one device gets an IPv6 address but another doesn't, you have a local problem. Likely you have pfsense misconfigured.

    As for AAAA records, there is no way for any DNS server to know what name you assign to an address, unless you configure it. I have both the pfsense DNS server and a public server available. I put the host names I choose on those servers. Also, bear in mind, there are consistent addresses and privacy addresses, which change every day. Point the DNS to the consistent addresses. Consistent addresses are often based on the MAC address, but may be based on a random number. Either way, you point the DNS to the consistent address. Also, you will probably have a WAN IPv6 address, which is likely not used for routing.

    So, when you determine what your consistent addresses are, enter names for them in the pfsense DNS server.