Feature #4496

IPv6 outbound NAT support

Added by Adam Esslinger over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Low
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 03/07/2015
Due date:
% Done: 0%
Estimated time:

Description

I have an IPv4 address from my ISP and I'm using a Hurricane Electric tunnel for IPv6 addresses. I want to NAT the IPv6 addresses that I'm using internally to the public IPv6 address I have on my pfSense box; however, the outbound NAT page only has source networks that are IPv4 (source network shows /0 to /32).

On a side note, the automatic outbound NAT rules show IPv4 addresses, but no IPv6 addresses, for both my WAN interface and my IPv6 Hurricane Electric interfaces.

Automatic_Outbound.PNG (28.6 KB) Adam Esslinger, 03/07/2015 12:19 AM
Outbound_NAT.PNG (6.17 KB) Adam Esslinger, 03/07/2015 12:19 AM

History

#1 Updated by Kill Bill over 5 years ago

Sigh. Seems like you missed the point of IPv6 altogether.

#2 Updated by Chris Buechler over 5 years ago

  • Project changed from pfSense Packages to pfSense
  • Category set to Rules / NAT
  • Priority changed from Normal to Low
  • Affected Version deleted (2.0)
  • Affected Architecture added
  • Affected Architecture deleted (amd64)

Kill Bill wrote:

> Sigh. Seems like you missed the point of IPv6 altogether.

Yes. You do NOT NAT IPv6 in the manner described for Internet access. Just don't.

There is a legit usage case for source NAT on v6 though. Where you use source NAT to work around routing problems or complications in v4, the same scenarios will be applicable at times with v6. For instance, reaching your CARP backup status system via VPN from the master system. It can't return route to your VPN since you're not connected to it, so you source NAT it to the primary's LAN IP. Sometimes you run into situations where a target device's routing is just broken. Happens from time to time with some APs and IP cameras for instance, where they have firmware bugs breaking off-subnet routing. Sometimes they are just misconfigured, but can't be reconfigured for whatever reason.

I thought we already had a feature request open for this, but can't seem to find one now.

While it does have legit uses, I'm tempted to not implement such functionality because I'm willing to bet a majority of its uses would be completely unnecessary garbage like NATing all your Internet to one IP. Most of the NAT requirements of v6 (multi-homed small networks, primarily) are covered by NPt, which we've had for years.

#3 Updated by Dmitriy K over 5 years ago

afaik, NPt does this, no?

#4 Updated by Chris Buechler over 5 years ago

Dmitriy K wrote:

> afaik, NPt does this, no?

No, that's only prefix translation. This specifically is referring to many:1 source NAT under Outbound NAT. Which you almost never want to do with IPv6, but it has its use cases.

#5 Updated by Kill Bill over 5 years ago

Dmitriy K wrote:

> afaik, NPt does this, no?

No. NPt is like 1:1 NAT (globally routable prefix => ULA prefix). It does not hide the entire LAN behind a single IPv6 at all.
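
The difference between prefix translation and many:1 source NAT described in comments #4 and #5, as an added example that is not part of the original thread and not pfSense code. It uses the checksum-neutral /48 mapping from RFC 6296 (NPTv6) for the prefix side; the addresses, port numbers and the names `npt_translate` and `ManyToOneNat` are constructed for illustration.

```python
import ipaddress

def words(addr):
    """Split a 128-bit address into eight 16-bit words."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def fold(total):
    """One's-complement fold of a sum into 16 bits."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def npt_translate(src, internal, external):
    """Stateless 1:1 mapping of a host from one /48 into another."""
    inside = ipaddress.IPv6Network(internal)
    outside = ipaddress.IPv6Network(external)
    if inside.prefixlen != 48 or outside.prefixlen != 48:
        raise ValueError("sketch covers /48 prefixes only")
    if ipaddress.IPv6Address(src) not in inside:
        raise ValueError("source is outside the internal prefix")
    w = words(src)
    out_prefix = words(outside.network_address)[:3]
    in_sum = fold(sum(w[:3]))
    out_sum = fold(sum(out_prefix))
    # Subtract in one's complement so the address checksum is unchanged.
    adjust = fold(in_sum + (~out_sum & 0xFFFF))
    subnet = fold(w[3] + adjust)
    if subnet == 0xFFFF:          # negative zero in one's complement; store 0
        subnet = 0
    value = 0
    for word in out_prefix + [subnet] + w[4:]:
        value = (value << 16) | word
    return str(ipaddress.IPv6Address(value))

class ManyToOneNat:
    """Stateful source NAT: every inside host leaves as one address."""
    def __init__(self, public, first_port=40000):
        self.public, self.next_port = public, first_port
        self.states = {}          # (inside addr, inside port) -> outside port

    def translate(self, src, sport):
        key = (src, sport)
        if key not in self.states:
            self.states[key] = self.next_port
            self.next_port += 1
        return self.public, self.states[key]

if __name__ == "__main__":
    for host in ("fd01:203:405:1::1234", "fd01:203:405:1::5678"):  # constructed
        print(host, "->", npt_translate(host, "fd01:203:405::/48", "2001:db8:1::/48"))
```

With prefix translation each inside host keeps a distinct outside address and no state is needed; with many:1 NAT both hosts share one address and return traffic can only be matched through the state table.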
