NPt should allow to use a dynamic delegated prefix as source too

Bob.Dig · Mar 8, 2023, 1:02 PM

Because my redmines never got read, I post it here.

The NPt dialog does allow to select a delegated prefix as a destination prefix.
It should allow to do the same for a source prefix.
Example: I use my delegated prefix as my source and only want to use, lets say, tunnelbroker as my second option. This doesn't work now because my dynamic delegated prefix can't be selected.

mhillmann · Mar 9, 2023, 7:53 AM

@bob-dig Use ULA's on the internal network. This way you can easily have any external prefix and get a stable internal address.

Bob.Dig · Mar 9, 2023, 9:11 AM

@mhillmann There is a problem with that, (unsolicited) inbound connections. They only will work for the first NPt. So if you have two v6 WANs, it is better to use GUA of one of them for the LAN, where there is no problem with inbound connections and have the other one dealt by NPt, inbound works too.

mhillmann · Mar 9, 2023, 9:48 AM

@bob-dig You're right on this, I don't use two GUA prefixes simultaneously pointing to the same internal ULA prefix, only as failover from one to the other if either ISP gets disconnected, as this is fairly common here. As far as I've tested, this works correctly if the primary ISP fails with pfSense changing the default GW to the next one in its Gateway Group after dpinger detects the failure of the previous one. You have to take care to arrange NPt rules in the same order (from top to bottom) as the matching GW's (1 to n), otherwise it won't work. It even fails back correctly when the previous ISP comes back online.