Correct way to set subnet specific NAT6?

To get IPv6 working for my WireGuard peers with just a /64 prefix from my ISP, I had to use NAT66.

Currently I have it set up only this way, along with disabling source routing on the wan6 interface:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list masq_src 'fd2a:b5d8:7ec0:9::/64'
        option masq6 '1'
        list network 'wan'
        list network 'wan6'

It’s working as expected, but I’m just curious: is this the correct way to set this up, or should I create a NAT firewall rule?

I would go for NPT instead of NAT for IPv6.

While trying to set up NPTv6 I’m receiving this error:

Error: syntax error, unexpected '}'
add rule inet fw4 srcnat oifname wan snat ip6 prefix to ip6 saddr map { fd8b:b1bb:3e38::/48 :  }
Include '/etc/nftables.d/' failed with exit code 1

If you look at the error, it's missing the WAN IPv6 address; your WAN interface doesn't have a routable IPv6 address.

Also, I advise using the Symmetric dynamic IPv6 NPT guide, as it is dynamic and symmetric, so no port forwarding should be necessary compared to NAT.

This needs selective NATing on the server for the ULA addresses:

config nat 'nat6'
	option family 'ipv6'
	option proto 'all'
	option src 'wan'
	option src_ip 'fd2a:b5d8:7ec0:9::/64'
	option target 'MASQUERADE'

but the way you are doing it seems to amount to the same thing :slight_smile:

See also: How to setup Wireguard with IPv6-PD? - #21 by egc

1 Like

I want to second this. There is barely a reason someone wants or even needs masquerade with IPv6.
With masquerade every host has the same source address. NPT just translates the prefix but the host suffix stays the same.
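To make the NPT recommendation concrete, here is an added example (it is not from this thread, nor from the linked guide) of a hotplug-style script for fw4 that writes the two symmetric NPTv6 rules and refuses to write anything when the WAN has no global prefix, which is the situation behind the "unexpected '}'" error quoted earlier in the thread. Assumptions: the function names `build_npt_rules` and `apply_npt` are mine; the ULA prefix `fd2a:b5d8:7ec0:9::/64` is the WireGuard subnet from the first post; the IPv6 WAN interface is `wan6` and the WAN device is `wan`; the delegated prefix is read with the OpenWrt tools `ifstatus` and `jsonfilter` from the interface's `ipv6-prefix` entry; and the generated file is registered in /etc/config/firewall as a `config include` with `option type 'nftables'` and `option position 'ruleset-post'`, so that `add rule inet fw4 ...` statements are valid in it. The `dstnat` rule is what makes the translation symmetric (inbound traffic to the public prefix is mapped back to the ULA host, so no port forwards are needed).

```shell
#!/bin/sh
# Added example for the thread above, not the guide's or OpenWrt's own code.
# Intended location: /etc/hotplug.d/iface/90-npt6 (runs on every ifup of wan6).
# Assumed: firewall4, WAN6 interface "wan6", WAN device "wan", and an fw4
# "config include" for NFT_INCLUDE with position 'ruleset-post'.

ULA_PREFIX="fd2a:b5d8:7ec0:9::/64"          # internal prefix (WireGuard subnet from the thread)
NFT_INCLUDE="/etc/nftables.d/90-npt6.nft"   # generated file that fw4 includes on reload
WAN_DEV="wan"                               # device name matched by oifname/iifname

# Print the two nft rules for symmetric NPTv6: the prefix is swapped, the host
# part is kept. Returns 1 without printing anything if the public prefix is
# empty (an empty right-hand side of the map is exactly what produced the
# "unexpected '}'" error in the thread) or if the prefix lengths differ.
build_npt_rules() {
    ula="$1"; gua="$2"; dev="$3"
    if [ -z "$gua" ]; then
        echo "build_npt_rules: no global IPv6 prefix on WAN, not writing rules" >&2
        return 1
    fi
    if [ "${ula##*/}" != "${gua##*/}" ]; then
        echo "build_npt_rules: prefix lengths differ ($ula vs $gua)" >&2
        return 1
    fi
    # Outbound: rewrite the ULA source prefix to the public prefix.
    printf 'add rule inet fw4 srcnat oifname "%s" snat ip6 prefix to ip6 saddr map { %s : %s }\n' "$dev" "$ula" "$gua"
    # Inbound: rewrite the public destination prefix back to the ULA prefix.
    printf 'add rule inet fw4 dstnat iifname "%s" dnat ip6 prefix to ip6 daddr map { %s : %s }\n' "$dev" "$gua" "$ula"
}

# Read the delegated prefix from wan6 (OpenWrt ifstatus/jsonfilter; assumed
# available on the router), regenerate the include atomically and reload fw4.
apply_npt() {
    gua=$(ifstatus wan6 | jsonfilter -e '@["ipv6-prefix"][0].address') || gua=""
    len=$(ifstatus wan6 | jsonfilter -e '@["ipv6-prefix"][0].mask') || len=""
    [ -n "$gua" ] && [ -n "$len" ] && gua="$gua/$len"
    tmp="$NFT_INCLUDE.tmp"
    if ! build_npt_rules "$ULA_PREFIX" "$gua" "$WAN_DEV" > "$tmp"; then
        rm -f "$tmp"            # leave the previous include untouched on failure
        return 1
    fi
    mv "$tmp" "$NFT_INCLUDE"
    fw4 reload
}

# Hotplug entry point: netifd exports ACTION and INTERFACE to iface scripts,
# so nothing runs when the file is merely sourced elsewhere.
if [ "${ACTION:-}" = "ifup" ] && [ "${INTERFACE:-}" = "wan6" ]; then
    apply_npt
fi
```

The length check matters for the first post's situation: a single /64 from the ISP can only be mapped one-to-one onto a /64 ULA, so the internal prefix has to be chosen to match the delegated length.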

I was searching for a guide to set up NPT and stumbled upon this one. I’ll look into it; as an IPv6 noob, NPT is something very new to me.

1 Like