Netgate Discussion Forum

    NAT66 and 2nd interface IPv6 IP option for ULA [SOLVED]

    General pfSense Questions

      Zermus

      So I have a pfSense as my frontend on Vultr for my VMs there. I really like them but they're stubborn and only give you a /64 on public interface. I guess they think IPv6 is the same as IPv4 or something.... If you try NPt it overlaps so that's a no go. They refuse to give you another /64 or even a /128 with your /64 routed to it (Stupid I know, even AT&T does this via DHCPv6...).

      So if I want my protected LAN VMs to have IPv6 addresses, NAT66 is my only option. Thank Vultr for forcing NAT on IPv6 lol.

      It would also be nice to have the option for interfaces to have a 2nd IPv6 address, like for ULA addresses and subnets. Say you want to use that ULA subnet over VPNs or whatnot.

        JKnott @Zermus

        @Zermus said in NAT66 support is needed and 2nd interface IPv6 IP option for ULA would be nice:

        It would also be nice to have the option for interfaces to have a 2nd IPv6 address, like for ULA addresses and subnets. Say you want to use that ULA subnet over VPNs or whatnot.

        You can certainly do that. I have both ULA & global addresses on my network.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          Zermus @JKnott

          @JKnott

          You do it with Virtual IP?

            stephenw10 Netgate Administrator

            I would expect to be able to do that using IPAliases, yes.

              Zermus

              Yeah can't route stuff through an IP Alias though.

                stephenw10 Netgate Administrator

                Hmm, to do what? You can source traffic from it. You can add a ULA gateway on it and route through that.

                  Zermus

                  Interesting ok, well back to the original point, we need NAT66 lol.

                    Bob.Dig LAYER 8 @Zermus

                    @Zermus said in NAT66 support is needed and 2nd interface IPv6 IP option for ULA would be nice:

                    we need NAT66 lol.

                    I think pfSense already does that. But who is we?

                      stephenw10 Netgate Administrator

                      If I understand it correctly you can't use NPt because the translation prefix conflicts with the assigned prefix on the WAN?

                        Zermus @stephenw10

                        @stephenw10

                        Yes sir, NPt is no joy.

                          stephenw10 Netgate Administrator

                          You can just add a 1:1 NAT rule between the VIP and the ULA address. I tested that here and it works as expected.

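An added illustration, not part of the thread and not pfSense's own code, of the addressing behind the 1:1 NAT answer above: it shows the prefix overlap that ruled out NPt here and pairs each ULA host with its own address (the VIP) from the single WAN /64. The prefixes are constructed sample values, the function names and the interface name `wan0` are assumptions, and the `binat` lines are generic pf-style syntax for illustration, not the ruleset pfSense generates.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local address space (RFC 4193)

def npt_conflicts(wan_net, npt_external_prefix):
    """True when an NPt external prefix overlaps the WAN's own on-link subnet."""
    return ipaddress.ip_network(wan_net).overlaps(
        ipaddress.ip_network(npt_external_prefix))

def plan_one_to_one(wan_net, wan_addr, ula_hosts, first_offset=0x100):
    """Pair each ULA host with its own address (a VIP) taken from the WAN /64."""
    wan = ipaddress.ip_network(wan_net)
    firewall = ipaddress.ip_address(wan_addr)
    plan, offset = {}, first_offset
    for host in ula_hosts:
        internal = ipaddress.ip_address(host)
        if internal not in ULA:
            raise ValueError(f"{internal} is not a ULA address")
        vip = wan.network_address + offset
        if vip == firewall:  # never hand out the firewall's own WAN address
            offset += 1
            vip = wan.network_address + offset
        if vip not in wan:
            raise ValueError("WAN prefix exhausted")
        plan[str(internal)] = str(vip)
        offset += 1
    return plan

def as_binat(plan, iface="wan0"):
    """Render the plan as pf-style binat lines (illustrative only)."""
    return [f"binat on {iface} inet6 from {lan} to any -> {vip}"
            for lan, vip in plan.items()]

# Constructed sample values: documentation prefix for the WAN, a made-up ULA /64.
WAN_NET = "2001:db8:1:2::/64"
WAN_ADDR = "2001:db8:1:2::1"
LAN_HOSTS = ["fd12:3456:789a:1::10", "fd12:3456:789a:1::11"]

if __name__ == "__main__":
    print("NPt onto the WAN /64 conflicts:", npt_conflicts(WAN_NET, WAN_NET))
    for line in as_binat(plan_one_to_one(WAN_NET, WAN_ADDR, LAN_HOSTS)):
        print(line)
```

A 1:1 mapping translates in both directions, so which inbound connections reach the ULA hosts is still decided by the firewall rules on the WAN interface.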
                            Zermus @stephenw10

                            @stephenw10

                            Oh excellent I didn't realize that covered NAT66!

                              Zermus

                              Checks out! I'm up and working with NAT66. 🤠

                              I feel so dirty..... Already doing NAT66 on IPv6 lol....

                                stephenw10 Netgate Administrator

                                Ha, yup. NATing IPv6.... yikes! 😉

                                  JKnott @Zermus

                                  @Zermus said in NAT66 and 2nd interface IPv6 IP option for ULA [SOLVED]:

                                  You do it with Virtual IP?

                                  I have both global and unique local addresses on my LAN.

                                    Zermus @JKnott

                                    @JKnott Well aren't you special? Some of us are not as privileged who want to run our servers behind a pfSense frontend over at Vultr lol. 😖

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.