NAT66 and 2nd interface IPv6 IP option for ULA [SOLVED]

Zermus

So I have a pfSense as my frontend on Vultr for my VMs there. I really like them but they're stubborn and only give you a /64 on public interface. I guess they think IPv6 is the same as IPv4 or something.... If you try NPt it overlaps so that's a no go. They refuse to give you another /64 or even a /128 with your /64 routed to it (Stupid I know, even AT&T does this via DHCPv6...).

So if I want my protected LAN VMs to have IPv6 addresses, NAT66 is my only option. Thank Vultr for forcing NAT on IPv6 lol.

It would also be nice to have the option for interfaces to have a 2nd IPv6 address, like for ULA addresses and subnets. Say you want to use that ULA subnet over VPNs or whatnot.

JKnott

@Zermus said in NAT66 support is needed and 2nd interface IPv6 IP option for ULA would be nice:

It would also be nice to have the option for interfaces to have a 2nd IPv6 address, like for ULA addresses and subnets. Say you want to use that ULA subnet over VPNs or whatnot.

You can certainly do that. I have both ULA & global addresses on my network.

Zermus

@JKnott

You do it with Virtual IP?

stephenw10

I would expect to be able to do that using IPAliases, yes.

Zermus

Yeah can't route stuff through an IP Alias though.

stephenw10

Hmm, to do what? You can source traffic from it. You can add a ULA gateway on it and route through that.

Zermus

Interesting ok, well back to the original point, we need NAT66 lol.

Bob.Dig

@Zermus said in NAT66 support is needed and 2nd interface IPv6 IP option for ULA would be nice:

we need NAT66 lol.

I think pfSense already does that. But who is we?

stephenw10

If I understand it correctly you can't use NPt because the translation prefix conflicts with the assigned prefix on the WAN?

Zermus

@stephenw10

Yes sir, NPt is no joy.

stephenw10

You can just add a 1:1 NAT rule between the VIP and the ULA address. I tested that here and it works as expected.

Zermus

@stephenw10

Oh excellent I didn't realize that covered NAT66!

Zermus

Checks out! I'm up and working with NAT66.

I feel so dirty..... Already doing NAT66 on IPv6 lol....

stephenw10

Ha, yup. NATing IPv6.... yikes!

JKnott

@Zermus said in NAT66 and 2nd interface IPv6 IP option for ULA [SOLVED]:

You do it with Virtual IP?

I have both global and unique local addresses on my LAN.

Zermus

@JKnott Well aren't you special? Some of us are not as privileged who want to run our servers behind a pfSense frontend over at Vultr lol.