IPv6 dynamic NPt?



  • Hi,

    would it be possible to implement dynamic NPt in IPv6?

    Example: ISP ---> ISP Router ---> pfSense ----> multiple subnets with Unique Local Unicast subnets. Those ULA subnets shall be mapped via NPt to the /64 network between the ISP router and the pfSense.

    Under NAT: NPt in pfSense 2.1 I could only add a static destination prefix. If my provider changes the assigned IPv6 prefix, I must manually change the destination prefix. Would it be possible to add a "tracking feature" for the WAN interface, so the destination prefix gets changed as well?

    My provider is only assigning /64 prefixes :-(


  • Rebel Alliance Developer Netgate

    @ineti:

    would it be possible to implement dynamic NPt in IPv6?

    Eventually, yes, but not in the way you're after.

    @ineti:

    Example: ISP ---> ISP Router ---> pfSense ----> multiple subnets with Unique Local Unicast subnets. Those ULA subnets shall be mapped via NPt to the /64 network between the ISP router and the pfSense.

    [Emphasis Mine]
    That's your problem. You can't do that. It would require doing proxy NDP for the entire /64. Doing NPt only works with /64 subnets routed to you from your ISP.

    @ineti:

    Under NAT: NPt in pfSense 2.1 I could only add a static destination prefix. If my provider changes the assigned IPv6 prefix, I must manually change the destination prefix. Would it be possible to add a "tracking feature" for the WAN interface, so the destination prefix gets changed as well?

    That is possible but see above for why that wouldn't do what you expect it to do.
    Now it would be possible for things like DHCP-PD with a dynamic prefix delegation (routed subnet) which would work, but that will likely have to wait for 2.2.

    @ineti:

    My provider is only assigning /64 prefixes :-(

    Then they're deploying a broken design. You're supposed to get transport connectivity and a routed subnet. Even people using dynamic IPv6 methods such as DHCP-PD and 6RD get a routed setup in addition to a WAN-side address.

    It's not as if they need to be stingy with the address space… they probably just don't know any better.

