On 2017/05/16 21:27, Adam Thompson wrote:
> > > I know I can do NAT66, but I don't think it's feasible to emulate NPT
> > > using NAT66 rules.
> >
> > No, NPT is different and can't be emulated by anything that OpenBSD's
> > PF currently does.
>
> Shoot. I was really hoping pfSense managed it through some feature that
> predated FreeBSD's pf(4) import, but that I had merely overlooked. That
> sucks, right now.

From a quick look it doesn't look like PFSense does RFC 6296 either.
For example https://forum.pfsense.org/index.php?topic=115575.0 talks
about binat rules. And https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6
describes it as mapping 2001:xxx:yyy::5 to 2001:aaa:bbb::5, so this is
exactly the same as you can do with nat-to (or binat-to) and bitmask.
Something like

pass in on lan inet6 from lan:network nat-to 2001:db8::/48 bitmask

For this, your upstream will need to route the prefix (in this example
2001:db8::/48) to the external address of your PF box, because you
won't be answering NDP requests (IPv6 analogue of ARP) for the whole
/48 worth of addresses. This is the normal case for an ISP providing v6
service to a customer who has more than a single /64, but I have no
idea if this is the case with the OVH setup.

To be honest it feels to me like 6296 is a bodge to do this with
equipment that is too weak to maintain state..

> > The closest it can get is NAT with bitmask and "static-port", but
> > 1) that's stateful, and 2) it doesn't do the "checksum neutral"
> > modification that NPT uses (NPT doesn't replace just the network prefix;
> > it also adjusts the host part of the address in a complementary manner
> > so that the IPv6 checksum doesn't change).
>
> Ah, thank you for that explanation - I wasn't clear on what the
> manipulations were supposed to accomplish.
>
> In my unfortunate scenario, NAT66 would probably work just as well,
> assuming my intuition about how IPv4 NAT/SNAT/PNAT works in pf(4)
> extends to the IPv6 world. An HTTP proxy would also work, I suppose,
> but would require more configuration on the inner hosts.
>
> All I need is a way to give ULA-addressed hosts a way *out* to reach,
> e.g. DNS, NTP, mirrors, probably various CDNs - all the maintenance
> traffic a modern (non-OpenBSD) host generates by itself. As I write
> this, I'm starting to wonder if NAT66 isn't the better solution anyway
> since it's (kind-of) inherently unidirectional.
>
> Oh, and in case anyone's wondering - this is all because a) VMware
> NSX 6.0 supports IPv6, but neglects to include any form of NAT or NPT
> or outbound proxy; and b) OVH, even in their private cloud offering
> (which is where the VMware NSX 6.0 comes in!), will not route public
> IP address space to a VLAN behind my firewall... which works for IPv4
> ("just use NAT!"), but not so well for IPv6. And I need IPv6 on the
> protected hosts. *sigh* If anyone reading this thinks they can see a
> better way around this pair of problems, please let me know.

It doesn't sound like you need RFC 6296 or even any kind of NPT for
this, simply natting to a single address fits these requirements.
Personally I'd try the bitmask nat first, if it works with their setup
then all is good, if not then you have an easy fallback.
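To make the difference between the two mappings discussed above concrete, here is a small Python script. It is an added illustration, not code from the thread or from PF/pfSense. It models what the "nat-to <prefix> bitmask" rule does to an address (replace the network prefix, keep the host bits as they are) next to the RFC 6296 checksum-neutral mapping (replace the prefix, then add a one's-complement adjustment to one 16-bit word of the host part so the one's-complement sum of the whole address, and therefore the transport checksum, is unchanged). The inside ULA prefix fd00:1:2::/48 and the host fd00:1:2::5 are constructed sample values; the outside prefix 2001:db8::/48 is the one from the rule in the message.

```python
import ipaddress

# --- one's-complement (RFC 1071 style) 16-bit arithmetic helpers ---

def oc_add(a: int, b: int) -> int:
    """Add two 16-bit words in one's-complement arithmetic (end-around carry)."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def oc_sum(words):
    """One's-complement sum of a sequence of 16-bit words."""
    s = 0
    for w in words:
        s = oc_add(s, w)
    return s

def oc_sub(a: int, b: int) -> int:
    """a - b in one's-complement arithmetic (a + ~b)."""
    return oc_add(a, (~b) & 0xFFFF)

def words(addr: ipaddress.IPv6Address):
    """Split an IPv6 address into its eight 16-bit words."""
    b = addr.packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]

def from_words(ws) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))

def address_checksum_word(addr: ipaddress.IPv6Address) -> int:
    """What the address contributes to a pseudo-header checksum, normalised
    so that the two one's-complement representations of zero compare equal."""
    s = oc_sum(words(addr))
    return 0 if s == 0xFFFF else s

# --- the two mappings ---

def bitmask_nat(addr, inside_net, outside_net):
    """PF 'nat-to <outside_net> bitmask' semantics: swap the network prefix,
    keep every host bit unchanged (no checksum compensation)."""
    if inside_net.prefixlen != outside_net.prefixlen:
        raise ValueError("inside and outside prefixes must have the same length")
    if addr not in inside_net:
        raise ValueError(f"{addr} is not inside {inside_net}")
    host_mask = (1 << (128 - inside_net.prefixlen)) - 1
    return ipaddress.IPv6Address(int(outside_net.network_address) | (int(addr) & host_mask))

def npt_translate(addr, inside_net, outside_net):
    """RFC 6296 checksum-neutral prefix translation.

    For prefixes of /48 or shorter the adjustment goes into the subnet word
    (bits 48-63); for longer prefixes it goes into the first word of the
    interface identifier that is not 0xFFFF.  The adjustment is the
    one's-complement difference between the sums of the original and the
    rewritten prefix words, so the sum over all eight words is preserved."""
    orig = words(addr)
    out = words(bitmask_nat(addr, inside_net, outside_net))
    if inside_net.prefixlen <= 48:
        n_prefix_words, candidates = 3, [3]
    else:
        n_prefix_words, candidates = 4, [4, 5, 6, 7]
    adjustment = oc_sub(oc_sum(orig[:n_prefix_words]), oc_sum(out[:n_prefix_words]))
    for i in candidates:
        if out[i] != 0xFFFF:
            v = oc_add(out[i], adjustment)
            out[i] = 0x0000 if v == 0xFFFF else v  # RFC 6296: never emit 0xFFFF
            break
    else:
        raise ValueError("no adjustable word in the host part")
    return from_words(out)

# --- constructed sample values (not from the thread) ---
INSIDE = ipaddress.IPv6Network("fd00:1:2::/48")   # ULA prefix on the LAN
OUTSIDE = ipaddress.IPv6Network("2001:db8::/48")  # prefix from the nat-to rule
HOST = ipaddress.IPv6Address("fd00:1:2::5")

if __name__ == "__main__":
    b = bitmask_nat(HOST, INSIDE, OUTSIDE)
    n = npt_translate(HOST, INSIDE, OUTSIDE)
    print(f"{HOST} -> bitmask nat: {b} (checksum word {address_checksum_word(b):#06x})")
    print(f"{HOST} -> RFC 6296:    {n} (checksum word {address_checksum_word(n):#06x})")
    print(f"original checksum word: {address_checksum_word(HOST):#06x}")
```

Running it shows why the two are not interchangeable: the bitmask rule yields 2001:db8::5 and changes the address's contribution to the checksum, which is why PF has to rewrite the transport checksum (and keep state to do it), whereas the RFC 6296 mapping yields 2001:db8:0:cf4a::5, whose one's-complement sum equals that of the original address, so a stateless box can forward the packet without touching the TCP/UDP checksum. For the outbound-only use case in the thread, the first form is all that is needed.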