Using NAT66 on VLAN from /128 wireguard provider

Until 22.03 I was using NAT66 to hand out IPv6 addresses to my "vpn" VLAN from my provider's single /128 wireguard address, but that has stopped working recently (firewall4?) since it relied on an iptables script. It appears that in 22.03 it should be possible to enable NAT66 by just setting option masq6 '1'on the wireguard interface and enabling server-mode DHCPv6 in the VLAN. I have also enabled forwarding from the wireguard firewall zone to the vpn VLAN but I cannot get the VLAN to assign a local prefix.

What is preventing you to port your nat66 rules to nftables? It should readily support IPv6 masquerading

The firewall script was a bit of a black box, and the documentation suggests using relay mode instead of nat6 so I figured that there must be an easier supported path.

In later versions, NAT66 is supported with the single click option masq6 '1' in the wan zone, which should do the same thing that option masq does for v4. It did not seem to work for me to use ULAs on the LAN side. I needed to make up a fake GUA/48 block and NAT it to my real GUA/64 from the modem.

This is completely different from relay mode, which I also have working but not perfectly.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.