This is a partial resubmission of NPT6 as a core feature, cleaned up and more focused. In particular, let's keep NPTv6 aside and focus on NAT6.
Let's imagine the following ultra-simplified situation:
- One ISP which provides IPv6 - alas, only a single /64, as is common with mobile networks.
- No mwan3.
- No wired network, only WiFi.
- There is the main wireless LAN, and the user also wants to have a guest network and run VMs on their laptop.
- The laptop is configured to use prefix delegation for the VM network.
In this situation, with the current versions of OpenWrt, there are two possible IPv6 network setups.
Scenario 1: IPv6 masquerading on the WAN is off.
Then, the main LAN gets ULAs and GUAs and has unrestricted and transparent IPv6 connectivity. The guest WiFi and the VM network get only ULAs and can communicate with each other and with the main LAN (assuming that firewall rules don't prevent this), but not with the rest of the world, because ULAs are not routable on the public Internet.
Scenario 2: IPv6 masquerading on the WAN is on.
For completeness, let's also assume that the LAN is configured to use only ULAs (option ip6class local), and that source-based routing is off. Also, let's make sure that dnsmasq always announces the default route, even though its interfaces only have ULAs.
Then, the main LAN, the guest WiFi, and the VM network will all get only ULAs. Yet, they will be able to reach each other and the outside world, with the caveat that the connections will appear to come from the IPv6 WAN address of the router. No connectivity from the WAN to any of these networks is possible.
Summary: I have to choose between transparent connectivity on the main LAN and having external IPv6 connectivity at all on the extra networks. I should not be required to make this choice.
Wanted scenario:
- LAN hosts get GUAs and ULAs, like in Scenario 1
- Guest WiFi hosts and VMs get only ULAs
- LAN hosts have transparent IPv6 connectivity
- Connections from guest WiFi hosts and VMs to the outside world are masqueraded, but at least they are possible
This is already possible but cumbersome:
config nat
	option name 'ULA NAT'
	option src 'wan'
	option src_ip 'fc00::/7'
	option target 'MASQUERADE'
	list proto 'all'
...plus disabling sourcefilter on the WAN interface.
What I want is to have this setup as a third option, in addition to the two currently existing "on" and "off" options for masquerading. Basically, the NAT should apply to all source IPs that would otherwise be rejected by sourcefilter (instead of hard-coding the ULA range).
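To make the difference between the three masquerading modes (and the hard-coded ULA workaround) concrete, here is a small decision model of what the router does with a packet leaving via the WAN, depending on its source address. This is an added illustration written for this post, not OpenWrt or firewall4 code; the mode names, the WAN prefix (a documentation prefix) and the sample source addresses are all constructed assumptions. The interesting case is the last one: a source that is neither a ULA nor inside the currently delegated WAN prefix (for example a host still using a GUA from a previous delegation), which the hard-coded fc00::/7 rule lets sourcefilter drop but the proposed sourcefilter-based rule would masquerade.

```python
import ipaddress

# Constructed example: the ISP delegates a single /64 (documentation prefix).
WAN_PREFIXES = [ipaddress.ip_network("2001:db8:1234:5678::/64")]
# The ULA range that the cumbersome workaround hard-codes in its NAT rule.
ULA_RANGE = ipaddress.ip_network("fc00::/7")


def sourcefilter_accepts(src, wan_prefixes=WAN_PREFIXES):
    """Model of sourcefilter: a source is accepted only if it belongs to a
    prefix that is currently delegated on the WAN interface."""
    return any(src in prefix for prefix in wan_prefixes)


def egress_action(src, mode, wan_prefixes=WAN_PREFIXES):
    """Return what the router does with a packet leaving via the WAN from
    `src` under the given masquerading mode (mode names are hypothetical):
      'off'            - Scenario 1 in the post: sourcefilter on, no NAT.
      'on'             - Scenario 2: everything is masqueraded.
      'ula_workaround' - the config nat + sourcefilter=0 workaround,
                         but with sourcefilter still applied to non-ULA sources.
      'proposed'       - the requested third option: NAT exactly what
                         sourcefilter would otherwise reject.
    Results are 'forward' (address kept), 'masquerade' or 'drop'."""
    src = ipaddress.ip_address(src)
    accepted = sourcefilter_accepts(src, wan_prefixes)
    if mode == "off":
        return "forward" if accepted else "drop"
    if mode == "on":
        return "masquerade"
    if mode == "ula_workaround":
        if src in ULA_RANGE:
            return "masquerade"
        return "forward" if accepted else "drop"
    if mode == "proposed":
        return "forward" if accepted else "masquerade"
    raise ValueError(f"unknown mode {mode!r}")


def egress_table(sources, modes=("off", "on", "ula_workaround", "proposed")):
    """Evaluate every source under every mode; handy for eyeballing the rules."""
    return {src: {mode: egress_action(src, mode) for mode in modes} for src in sources}


if __name__ == "__main__":
    # Constructed sample hosts: a LAN host with a GUA, a guest-WiFi host with a
    # ULA, and a host still carrying a GUA from a previously delegated prefix.
    samples = ["2001:db8:1234:5678::10", "fd12:3456:789a::10", "2001:db8:ffff::1"]
    for src, actions in egress_table(samples).items():
        print(src, actions)
```

The "off" and "on" rows reproduce the two scenarios from the post; the "proposed" row is what the third option would do, and comparing it with "ula_workaround" shows why keying the NAT on sourcefilter's verdict rather than on fc00::/7 is the more general choice.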