> > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > using NAT66 rules.
>
> No, NPT is different and can't be emulated by anything that OpenBSD's
> PF currently does.

Shoot. I was really hoping pfSense managed it through some feature that predated FreeBSD's pf(4) import, but that I had merely overlooked. That sucks, right now.

> The closest it can get is NAT with bitmask and "static-port", but
> 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> modification that NPT uses (NPT doesn't replace just the network prefix;
> it also adjusts the host part of the address in a complementary manner
> so that the IPv6 checksum doesn't change).

Ah, thank you for that explanation - I wasn't clear on what the manipulations were supposed to accomplish.

In my unfortunate scenario, NAT66 would probably work just as well, assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4) extends to the IPv6 world. An HTTP proxy would also work, I suppose, but would require more configuration on the inner hosts.

All I need is a way to give ULA-addressed hosts a way *out* to reach, e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance traffic a modern (non-OpenBSD) host generates by itself. As I write this, I'm starting to wonder if NAT66 isn't the better solution anyway since it's (kind-of) inherently unidirectional.

Oh, and in case anyone's wondering - this is all because a) VMware NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT or outbound proxy; and b) OVH, even in their private cloud offering (which is where the VMware NSX 6.0 comes in!), will not route public IP address space to a VLAN behind my firewall... which works for IPv4 ("just use NAT!"), but not so well for IPv6. And I need IPv6 on the protected hosts. *sigh*

If anyone reading this thinks they can see a better way around this pair of problems, please let me know.

-Adam
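The "checksum neutral" adjustment described in the quoted reply is the part that a plain NAT66 prefix swap lacks, and it is easy to see why once you write it out. The following is an added example, not code from this thread, from pf(4) or from pfSense: it implements the RFC 6296-style mapping for a /48 (or shorter) prefix, in which the 16-bit one's complement difference between the internal and external prefix is added to the subnet word (bits 48..63) so that the one's complement sum of the whole 128-bit address, and therefore any transport checksum computed over the pseudo-header, is unchanged. The ULA prefix fd01:203:405::/48, the documentation prefix 2001:db8:1::/48 and the host address are constructed sample values; writing 0x0000 rather than 0xFFFF into the adjusted word (both are zero in one's complement arithmetic) is an assumption made here, and the naive prefix-only rewrite is included only to show the checksum it breaks.

```python
"""Checksum-neutral IPv6 prefix translation (NPTv6 style) versus a naive prefix swap.

Added example; not part of the original thread, pf(4) or pfSense.
"""
import ipaddress


def _words(addr: str) -> list[int]:
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words: list[int]) -> str:
    """Reassemble eight 16-bit words into compressed IPv6 text form."""
    n = 0
    for w in words:
        n = (n << 16) | (w & 0xFFFF)
    return str(ipaddress.IPv6Address(n))


def ones_complement_sum(values: list[int]) -> int:
    """16-bit one's complement sum with end-around carry (the checksum arithmetic)."""
    s = sum(values)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def address_checksum(addr: str) -> int:
    """One's complement sum of the address words, normalized so 0xFFFF == 0x0000.

    This is the address's contribution to the TCP/UDP/ICMPv6 pseudo-header
    checksum; if it is unchanged by translation, the payload checksum is too.
    """
    return sum(_words(addr)) % 0xFFFF


def naive_prefix_swap(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Replace only the prefix bits (what a bitmask NAT66 rule does)."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError("address is not inside the source prefix")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    rewritten = (int(ipaddress.IPv6Address(addr)) & host_mask) | int(dst.network_address)
    return str(ipaddress.IPv6Address(rewritten))


def npt_translate(addr: str, src_prefix: str, dst_prefix: str) -> str:
    """Swap the prefix and compensate in the subnet word so the checksum is neutral.

    Handles prefixes of /48 or shorter, where the adjusted word (index 3,
    bits 48..63) lies entirely outside the translated prefix.
    """
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen > 48:
        raise ValueError("this example only covers prefixes of /48 or shorter")
    words = _words(naive_prefix_swap(addr, src_prefix, dst_prefix))
    # One's complement difference (src - dst) between the two prefixes:
    # src_sum + ~dst_sum in 16-bit one's complement arithmetic.
    src_sum = ones_complement_sum(_words(str(src.network_address)))
    dst_sum = ones_complement_sum(_words(str(dst.network_address)))
    adjustment = ones_complement_sum([src_sum, (~dst_sum) & 0xFFFF])
    # Adding the difference to a host-part word restores the original total.
    words[3] = ones_complement_sum([words[3], adjustment])
    if words[3] == 0xFFFF:
        words[3] = 0x0000  # assumption: write the 0x0000 form of one's complement zero
    return _from_words(words)


if __name__ == "__main__":
    inner, outer = "fd01:203:405::/48", "2001:db8:1::/48"   # constructed sample prefixes
    host = "fd01:203:405:1::5"                               # constructed inner host
    naive = naive_prefix_swap(host, inner, outer)
    neutral = npt_translate(host, inner, outer)
    print(f"original  {host}  checksum {address_checksum(host):#06x}")
    print(f"naive     {naive}  checksum {address_checksum(naive):#06x}")
    print(f"npt       {neutral}  checksum {address_checksum(neutral):#06x}")
    print(f"reverse   {npt_translate(neutral, outer, inner)}")
```

Running it shows the naive swap changing the address checksum while the NPT mapping keeps it, and that translating the external address back through the same function with the prefixes swapped recovers the original host address, which is what lets NPT stay stateless in both directions.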