Add more than one IPv6 IP address to WAN for extended SNAT/DNAT

Hi all
First I would like to explain the scenario where this request comes from. My ISP has enabled IPv6, via a 6rd tunnel, but no prefix delegation and, most importantly, they give only a /64 subnet.
There is no room for discussion with them on this topic, nor is there an alternative provider for me that gives anything better.
Hurricane or similar tunnels are not an option, due to different geolocation, and because apparently my ISP is blocking IP proto 41 if originated from a device different than their own gateway.
So I have decided to implement a NAT6 masquerade on my gateway running trunk.
I'm OK with the way of configuring it as described in the wiki, but I would like to regain the flexibility of the public IPv6 address on my LAN devices, which is lost with NAT6.
I know that I can use DNAT for standard port forwarding (first question: can UCI/LuCI handle DNAT for IPv6 in trunk?), but I have something different in mind.
My WAN6 in DHCPv6 mode gets a SLAAC IPv6 address from the ISP gateway. The idea is to add more IPv6 addresses in the same /64 subnet on this interface and set a symmetric SNAT/DNAT rule to map each internal IPv6 address running in the LAN to a different public IPv6 address on the WAN.
Doing so, the assumption is that we can reach from the internet the IPv6 addresses running in the LAN via the public IPv6 addresses on the WAN through the DNAT rules, and make the IPv6 addresses running in the LAN appear on the internet with their own public IPv6 address from the WAN via the SNAT rule.
The goal is:

  1. Have the LAN address management working with SLAAC and DHCPv6 with no caveat
  2. Have the LAN devices have their own public IPv6 address via SNAT/DNAT
  3. Protect WAN to LAN access with normal iptables rules
The question: apart from the fact that I know it's way better not to use NAT6 at all, does it make sense and is it feasible with modern iptables? Is there any kind of support, even if without LuCI, in UCI to do so, in particular to assign more than one IPv6 address to the WAN?
Thanks to everybody who would contribute
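The per-host mapping the first post describes (one extra WAN address per LAN host, SNAT on the way out, DNAT on the way in, and a FORWARD policy that only admits listed services) can be written down as a small generator that also refuses the configurations that fail silently: a public address outside the ISP's /64 (the upstream gateway will never route it to the router), the router's own SLAAC address reused, or one public address mapped to two hosts. This is an added example for this thread, not code from the thread, the OpenWrt wiki or firewall3; the WAN device name, the documentation prefix `2001:db8:1:2::/64`, the ULA `fd00:db8:0:1::/64` and the router's SLAAC address are constructed placeholders, and the output is plain `ip`/`ip6tables` command strings rather than UCI sections.

```python
import ipaddress

# Constructed values, not from the thread: a documentation prefix standing in for
# the ISP's /64, a ULA used inside the LAN, and an assumed WAN device name.
WAN_IFACE = "eth0.2"
WAN_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
LAN_PREFIX = ipaddress.IPv6Network("fd00:db8:0:1::/64")
# The SLAAC address the ISP gateway handed to wan6; it must not be reused.
PRIMARY_WAN_ADDR = ipaddress.IPv6Address("2001:db8:1:2:1234:56ff:fe78:9abc")


def validate_mapping(mapping, wan_prefix=WAN_PREFIX, lan_prefix=LAN_PREFIX,
                     reserved=(PRIMARY_WAN_ADDR,)):
    """Turn {lan: public} strings into IPv6Address objects, rejecting bad setups."""
    checked, seen_public = {}, set()
    for lan, pub in mapping.items():
        lan_ip, pub_ip = ipaddress.IPv6Address(lan), ipaddress.IPv6Address(pub)
        if lan_ip not in lan_prefix:
            raise ValueError(f"{lan_ip} is not inside the LAN prefix {lan_prefix}")
        if pub_ip not in wan_prefix:
            # Only addresses inside the delegated /64 are reachable through the ISP gateway.
            raise ValueError(f"{pub_ip} is outside the WAN /64 {wan_prefix}")
        if pub_ip in reserved:
            raise ValueError(f"{pub_ip} is the router's own SLAAC address")
        if pub_ip in seen_public:
            # Two LAN hosts behind one public address make the DNAT target ambiguous.
            raise ValueError(f"{pub_ip} is mapped twice")
        seen_public.add(pub_ip)
        checked[lan_ip] = pub_ip
    return checked


def build_nat6_rules(mapping, wan_iface=WAN_IFACE, **kw):
    """Return (addr_cmds, snat_rules, dnat_rules) as lists of shell command strings."""
    checked = validate_mapping(mapping, **kw)
    addr_cmds, snat, dnat = [], [], []
    for lan_ip, pub_ip in checked.items():
        # Configure the extra address on WAN so the kernel answers NDP for it.
        addr_cmds.append(f"ip -6 addr add {pub_ip}/64 dev {wan_iface}")
        # Outbound: this host leaves with its own public address, not the shared one.
        snat.append(f"ip6tables -t nat -A POSTROUTING -o {wan_iface} -s {lan_ip}/128 "
                    f"-j SNAT --to-source {pub_ip}")
        # Inbound: traffic for the public address is rewritten to the LAN host.
        dnat.append(f"ip6tables -t nat -A PREROUTING -i {wan_iface} -d {pub_ip}/128 "
                    f"-j DNAT --to-destination {lan_ip}")
    return addr_cmds, snat, dnat


def build_forward_rules(mapping, allowed, wan_iface=WAN_IFACE, **kw):
    """FORWARD rules for goal 3: return traffic, then only the listed
    (lan, proto, port) services; everything else arriving from WAN is dropped."""
    checked = validate_mapping(mapping, **kw)
    rules = [f"ip6tables -A FORWARD -i {wan_iface} -m conntrack "
             f"--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for lan, proto, port in allowed:
        lan_ip = ipaddress.IPv6Address(lan)
        if lan_ip not in checked:
            raise ValueError(f"{lan_ip} has no public address mapping")
        # PREROUTING DNAT already rewrote the destination, so FORWARD matches the LAN address.
        rules.append(f"ip6tables -A FORWARD -i {wan_iface} -d {lan_ip}/128 -p {proto} "
                     f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    rules.append(f"ip6tables -A FORWARD -i {wan_iface} -j DROP")
    return rules


if __name__ == "__main__":
    demo = {"fd00:db8:0:1::10": "2001:db8:1:2::10",
            "fd00:db8:0:1::20": "2001:db8:1:2::20"}
    for cmd in sum(build_nat6_rules(demo), []):
        print(cmd)
    for cmd in build_forward_rules(demo, [("fd00:db8:0:1::10", "tcp", 22)]):
        print(cmd)
```

Two ordering points matter when feeding this into a running box: the per-host SNAT rules must sit before the catch-all MASQUERADE rule that the NAT6 setup installs in POSTROUTING, otherwise the shared address still wins, and the FORWARD rules only protect hosts whose public address is listed, so every mapped host should appear in `allowed` or be covered by the trailing DROP.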

Before trying to address your questions / imagined use case directly, did you already try using the relay mode? It is designed exactly for your situation where only a single /64 is available upstream which should be "pseudo bridged" into the downstream interface using proxy NDP.

Hi Jow
Thank you for having pointed this out. Honestly I'm not that much into the details of how NDP relay works. However I need not only to forward the subnet to the downstream devices, I also have to run at least three different subnets there (internet, OpenVPN IPv6 and NAT64). Normally with a subnet shorter than /64 you would have used the bits up to /64 to differentiate the different /64 subnets. Now I have only a /64; if I just relay, how can I make three /64s out of the same /64?

I used the bridge script from Craig. It leaves IPv4 untouched and bridges IPv6; works very fine here!
Although my ISP router doesn't support IPv6 PD and I had troubles with NAT as well, and all other functions were also not 100% working on LEDE/OpenWrt/DD-WRT either because of my crappy ISP, simply bridging the interfaces only for IPv6 works fine. So all clients behind the LEDE box are as if they were directly behind the ISP router, but only on the IPv6 level.

But this is absolutely NOT recommended. You are running devices fully exposed to the net if the ISP router doesn't run a firewall!

If you have an ISP selling you a router without a firewall I strongly suggest switching ISP! :) Anyway, there's nothing against a default firewall from your ISP.

Just make sure UPnP is disabled on the ISP router. Leave the firewall in place. I really never saw ISP routers without a firewall. The only thing I hate about ISP routers is that they usually have UPnP enabled.