Feature: IPv6 NAT #667
Comments
The system should use the IP matching the network of the default gateway, when accessing resources behind that gateway, then you don't have this problem.
pf is ported from OpenBSD 😉 |
|
I'm sorry 8191, but i don't think you really understood what i said. Also, i don't see what pf being ported from OpenBSD has to do with anything |
|
Reminder: Misunderstandings are part of life. We deal with them in a compassionate way. |
|
Was I not "compassionate" in some way? I think that IPv6 NAT is critical to any modern firewall such as OPNsense, not for use in the way IPv4 NAT is mostly used for, but for the situations where it is required, such as a Native/Tunneled + a IPv6 VPN connection. |
|
closing in favour of #167 |
|
Do you mean this? https://lists.freebsd.org/pipermail/freebsd-current/2014-July/051373.html We don't have an expert on the subject. Are you willing to assess the individual parts that are needed to make this work and under which constraints this is allowed to operate? |
|
Sure, but this is literally identical to the existing IPv4 Outbound NAT, even the pf rules are the same: This would make any ipv6 connection originating from 2001:470:1f07:5ba::/64 that is going outbound on the ovpnc6 interface be translated to the ip 2607:fcd0:a:b::1004 |
|
Thanks, so that means Firewall: NAT could do this pending some IPv6 inputs? |
|
Yes, the existing outbound nat should work with only a few minor modifications. After researching the rules a bit more, it probably makes sense to add in inet6 to the rule (though not required): I think all the outbound nat page would need is a dropdown for IPv4/IPv6, and then allowing the inputs to accept IPv6. Basically the way that the firewall rules pages work. |
|
Even I still don't understand your scenario, I'd opt to rename this feature to "prefix rewriting" or NAT66 (to clarify that it's not a 6/4 transition mechanism). |
|
This is not prefix rewriting, we already have NPT for that. This is just NAT like it is on IPv4. Prefix rewriting requires that you have the same size prefix both internally and externally. This is for when you only have a single external IPv6 IP, but obviously, have a larger internal prefix (such as /64). |
|
I guess this function is technically NAT66, but there is no reason to rename it, it is simply "Outbound NAT", which we already have. |
|
I was really confused, I suppose my own fault for assuming. For posterity the 'NTP (IPv6)' heading under Firewall->NAT does not mean "NAT for IPv6", (ipv6 is a protocol option under regular NAT Outbound rules), NTP is rather (what Wikipedia titles as) "IPv6-to-IPv6 Network Prefix Translation" witch has something to do with rewriting the masked prefix of the packets from address with a different network's prefix. |
|
@thorsummoner I'm changing "NPT (IPv6)" to what Wikipedia says: "NPTv6" which should make this more clear. Thanks! |
I believe that IPv6 NAT (like outbound NAT, not NPT) is really a critical feature for OPNsense to have. Many may not realize the need for NAT with IPv6, since it has so many ips, and that is true, you would not need NAT to accommodate a limited number of public ips with IPv6.
There are however, situations where Outbound NAT is required for IPv6. Take for example having a native (or tunneled) IPv6 connection, with a routed range where you allocate all your LAN IPv6 ips from, but you also have a VPN connection (or multiple) which give you a single IPv6 ip, and hands you some IPv6 routes to route over the VPN.
In this case, the routes that the VPN gives you no longer function from the LAN, because the connections to the VPN IPv6 routes will have a source ip that is not routable back over the VPN. The only solution to this is to NAT the connections with the VPN interface's IPv6 ip.
From what I understand, FreeBSD's PF firewall already supports this functionality, so it should be relatively simple to implement.
The text was updated successfully, but these errors were encountered: