IPv6 outbound NAT support
I have an IPv4 address from my ISP and I'm using a Hurricane Electric tunnel for IPv6 addresses. I want to NAT the IPv6 addresses that I'm using internally to the public IPv6 address I have on my pfSense box; however, the outbound NAT page only has source networks that are IPv4 (source network shows /0 to /32).
On a side note, the automatic outbound NAT rules show IPv4 addresses, but no IPv6 addresses, for both my WAN interface and my IPv6 Hurricane Electric interfaces.
#2 Updated by Chris Buechler about 5 years ago
- Project changed from pfSense Packages to pfSense
- Category set to Rules / NAT
- Priority changed from Normal to Low
- Affected Version deleted (
- Affected Architecture added
- Affected Architecture deleted (
Kill Bill wrote:
Sigh. Seems like you missed the point of IPv6 altogether.
Yes. You do NOT NAT IPv6 in the manner described for Internet access. Just don't.
There is a legit usage case for source NAT on v6 though. Where you use source NAT to work around routing problems or complications in v4, the same scenarios will be applicable at times with v6. For instance reaching your CARP backup status system via VPN from master system. It can't return route to your VPN since you're not connected to it, so you source NAT it to the primary's LAN IP. Sometimes you run into situations where a target device's routing is just broken. Happens from time to time with some APs and IP cameras for instance, where they have firmware bugs breaking off-subnet routing. Sometimes they are just misconfigured, but can't be reconfigured for whatever reason.
I thought we already had a feature request open for this, but can't seem to find one now.
While it does have legit uses, I'm tempted to not implement such functionality because I'm willing to bet a majority of its uses would be completely unnecessary garbage like NATing all your Internet to one IP. Most of the NAT requirements of v6 (multi-homed small networks, primarily) are covered by nPT, which we've had for years.