Feature #4881

allow dynamic IPs-nets for NPt

Added by L J about 5 years ago. Updated 7 months ago.

Rules / NAT
Target version:
Start date:
Due date:
% Done:


Estimated time:


It would be very helpful to allow NTp to be used with dynamic IPv6 connections.


#1 Updated by Jim Thompson over 4 years ago

  • Assignee set to Chris Buechler

assigned to cmb for eval.

#2 Updated by Chris Buechler over 4 years ago

  • Category set to Interfaces

#3 Updated by Chris Buechler over 4 years ago

  • Target version deleted (2.3)

#4 Updated by Chris Buechler about 4 years ago

  • Assignee deleted (Chris Buechler)

NPT ought to allow specifying "LAN subnet", "OPT1 subnet", etc. like firewall rules and other NAT pages for source and destination.

#5 Updated by Jim Thompson almost 4 years ago

  • Assignee set to Luiz Souza
  • Target version set to Future

#6 Updated by Joshua Diamant over 1 year ago

This will be required for most consumer internet providers that give dynamic IPv6 addresses.

Verizon FiOS just enabled IPv6, but I will be unable to use this until dynamic NTp is enabled via pfSense.

#7 Updated by Carsten F about 1 year ago

Any update here? We need dynamic Prefix support for IPv6 Multi WAN.

#8 Updated by Jim Pingle about 1 year ago

  • Category changed from Interfaces to Rules / NAT

#9 Updated by Csoban Kesmarki 7 months ago

Does anybody aware of any preparation/planning or any other related work already done?

#10 Updated by Csoban Kesmarki 7 months ago

I think that these changes can basically do the job (take it as a high level plan):
1. Changing the /usr/local/www/firewall_nat_npt_[edit].php to let the user choose the "dynamic" destination which inserts <destination><network>wanip</network><destination> instead of <destination><address>[Manually entered IPv6 address]</address><destination>. (Probably needs a new wanipv6?!)
2. Calling filter_configure_sync() (located in from rc.newwanipv6 which will change the <network>wanip</network> to the last IPv6 provided by the ISP. (AFAIK)
Anyone any thoughs?
(I might just leave this here just for the records.)

#11 Updated by Jim Pingle 7 months ago

That alone wouldn't do anything useful -- it would have to be the entire network, not a single address. If it's the entire network, you'd need proxy NDP which does not exist on pfSense.

What it really needs is:

  • Code in the DHCP6 client which stores the current delegated prefix(es) somewhere accessible by pfSense, rather than writing them directly to interfaces and not allowing other parts of the system to see what they are without log scraping/guessing
  • A way to select a track interface and set a prefix ID to determine a delegated prefix to use for NPt
  • Code to use the track interface+prefix ID to setup NPt rules (which will work because the delegated prefixes are already routed to the firewall, no need for proxy NDP)

There are a number of issues that the first point will solve, but currently the DHCP6 client doesn't support that upstream. It needs the feature added there first. Someone in the community was working on that a while back, but I'm not sure that ever progressed to a point where it was usable.

#12 Updated by Csoban Kesmarki 7 months ago

Looks like the wanip is good enough if $rule['ipprotocol'] == "inet6". But the npt has no 'ipprotocol' attribute which should be worked around somehow.

Probably there can be 2 or 3 "dynamic" scenarios:
1. wanip = changing to/from the actual wan ipv6 address with npt. There should be an option (checkbox?) to do a "hidden" wanip-to-wanip NPt rule in case 2 to keep the wanipv6 as it is for e.g. PMTUDv6 packet too big messages.
2. wan = changing to/from the whole wan ipv6 subnet with npt.
3. wan + some subnet = changing just the subset of the ipv6 subnet. (This might needs further fileds on the NPt edit page.

#13 Updated by Csoban Kesmarki 7 months ago

Jim Pingle wrote:


Thank you!

I though much simpler at first by trying to follow my own manual steps when my IPv6 changed.
My WAN IPv6 is always made from the IPv6 "prefix" (it just /64 all the time) and the end of my Link-Local address (from my MAC).

Do you think that it is owe to think about a setting somewhere to have a manual/fixed "suffix" instead of LLA?

Does it really a valid case getting more then a single /64 prefix from the ISP when they provide dynamic IPv6 prefix? Reason of asking is that I always have /64 only from Telekom Hungary.

#14 Updated by Jim Pingle 7 months ago

NPt is "Network Prefix Translation" not "IPv6 outbound NAT", it is effectively "IPv6 1:1 NAT for single addresses or entire subnets". It does not translate many:1 (overload).

There is no potential use for the IPv6 WAN address alone in NPt. It must always be an entire prefix, and as I said, using the WAN prefix is not viable since it would require proxy NDP.

Using any kind of suffix has the same issues I also mentioned. You must be able to specify a track interface and prefix ID or it has no idea what to add that suffix to.

#15 Updated by Csoban Kesmarki 7 months ago

Got that point.

I did two things here with my NPt:
1. Now I have 4 networks (LAN, DMZ, GUEST, VPN), basically /80 each, which I 1-1 to the /64 I got from ISP. This works properly (however I have modify it in every 3-5 days when the /64 changes toghether with my IPv4 address). The pfSense's WAN uses automatically a single IPv6 address out of that /64 (by adding its LLA's end to the /64 prefix).
2. Previously I tried to 1-1 my internal networks as a whole /64 to the WAN /64 facing an issue where the Path Discovery MTU's "packet too big" ICMPv6 message got lost because a double NPt on a loop towards the WAN so I had to setup a "dummy" NPt for the pfSense WAN address to NPt it to the same address which overrides the /64 NPt.

These both works without proxy NDP as the ISP just sends me everything which belongs to my /64.

In case 1 I have to modify the ISP provided /64 to have my internal /80s by concatenate a fixed "suffix" to the /64.

In case 2 it is much easier but I have to do that dummy 1-1 trick for the GW used WAN IPv6. (This dummy is which I mentioned above as "hidden" wanip-to-wanip NPt trick which might be enabled/disabled with a checkbox.)

#16 Updated by Holger Glemser 7 months ago

Csoban Kesmarki, are you sure that you cannot get a "real" prefix from your ISP? The correct way would be that you get e.g. a /56 prefix and additionally a /64 for your router. That's the way e.g. the German Telekom does it. In my opinion, using /80 as a prefix is against the IPv6 specifications. In IPv6, the host past of the IP address is always the lower 64 bit and only the higher 64 bit shall be used for routing. What you are doing breaks e.g. SLAAC (Stateless Address Auto Configuration) and I don't know what else. It might work in some scenarios but I would definitely not recommend it.

I'm waiting for dynamic NPt, too, but for a different reason: I have 2 ISPs with dynamic prefixes. I need NPt so I can configure ULAs internally and map them via NPt to the two dynamic external prefixes. Unfortunately, needs to be fixed for that, too, because currently, I cannot even get the prefix from my second ISP and use it for some of my VLANs without failover (wouldn't need NPt for that part, only for failover). With IPv4 and NAT it works perfectly: For some VLANs I use ISP1 with fallback to ISP2 and for other VLANs I use ISP2 with fallback to ISP1, using Gateway Groups.

#17 Updated by Csoban Kesmarki 7 months ago

Holger Glemser wrote:

CK, are you sure that you cannot get a "real" prefix from your ISP?...

Thanks Holger, now I did however I had to fully reconfigure my whole network moving the DHCP server from my ubuntu box to the pfSense. So basically it work however not as I planned but at least I got much closer to understand the concept of the dynamic NPT.

I got stacked at a point in my way to trace/investigate/understand/etc. :) the issue: the dhcp6c binary's source itself.
Am I understand it properly that the last source of the dhcp6-20080615.2 (which is included into pfSense 2.4.4p3) is either or or I compleatly wrong and should rely on the

Thanks, CK

Also available in: Atom PDF