Hi Amos,

Assuming the network segments adjacent to these stateful devices use longest prefix match routing, NPTv6 is your best option. You'd assign a unique IPv6 prefix as the NPTv6 prefix to each firewall, ensuring the traffic returns to the correct firewall.

Keep in mind each stateful firewall is a single point of failure for the flows it handles. When it inevitably goes down (maintenance or failure), all those flows will have to be re-established through other firewalls. Also, depending on how the clients are configured with connection timeouts, the users could experience a noticeable amount of service disruption. It's possible to have firewalls in a cluster sharing state, but I consider them to be a single logical device with its own failure profile. In that scenario I would be inclined to deploy multiple redundant clusters; without knowing your budget I don't know how feasible this is. —"Shared state, shared fate."

I wouldn't use NAPT66 unless you need to do something really bespoke. Introducing port translation complicates end-to-end connectivity, and adds more latency and issues for applications like VoIP.

To dive a little deeper, I'd reevaluate the requirement for the firewalls to be stateful. Are there any specific threats or attack vectors you want to address with stateful flow tracking?

Best,
Josh
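The following is an added worked example, not code from Josh's reply or from any product mentioned in the thread. It shows the two mechanisms the reply relies on: the checksum-neutral /48-to-/48 prefix translation that NPTv6 (RFC 6296, section 3.1) performs, and a longest-prefix-match lookup that picks the return firewall from the external prefix in the destination address. The firewall names, the internal prefix fd01:203:405::/48 and the two external prefixes under 2001:db8::/32 are assumptions chosen for illustration.

```python
import ipaddress
from typing import Dict, List, Optional


def ones_complement_sum(words: List[int]) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071 style)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _words(addr: ipaddress.IPv6Address) -> List[int]:
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words: List[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_checksum(addr: str) -> int:
    """One's complement sum of all eight words of an address; NPTv6 keeps it constant."""
    return ones_complement_sum(_words(ipaddress.IPv6Address(addr)))


class NPTv6:
    """Checksum-neutral /48 <-> /48 prefix translation as in RFC 6296 section 3.1.

    Each firewall would hold one instance of this with its own external prefix.
    """

    def __init__(self, internal: str, external: str) -> None:
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example handles /48 prefixes only")
        s_int = ones_complement_sum(_words(self.internal.network_address)[:3])
        s_ext = ones_complement_sum(_words(self.external.network_address)[:3])
        # adjustment = internal prefix sum minus external prefix sum,
        # computed once in one's complement arithmetic (subtract = add the complement).
        self.adjustment = ones_complement_sum([s_int, (~s_ext) & 0xFFFF])

    def _translate(self, addr: str, src_net: ipaddress.IPv6Network,
                   dst_net: ipaddress.IPv6Network, delta: int) -> ipaddress.IPv6Address:
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not inside {src_net}")
        w = _words(a)
        # 0xFFFF in word 3 cannot be round-tripped, so such packets are dropped.
        if w[3] == 0xFFFF:
            raise ValueError("word 3 is 0xFFFF: address is not translatable")
        w[:3] = _words(dst_net.network_address)[:3]   # swap the /48 prefix
        w[3] = ones_complement_sum([w[3], delta])     # fold the delta into word 3
        if w[3] == 0xFFFF:                            # negative zero -> zero
            w[3] = 0x0000
        return _from_words(w)

    def outbound(self, addr: str) -> ipaddress.IPv6Address:
        """Internal -> external: add the adjustment to word 3."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr: str) -> ipaddress.IPv6Address:
        """External -> internal: subtract the adjustment from word 3."""
        return self._translate(addr, self.external, self.internal,
                               (~self.adjustment) & 0xFFFF)


def select_return_firewall(dst: str, table: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of dst against the external prefixes owned by each firewall."""
    a = ipaddress.IPv6Address(dst)
    best = None
    for prefix, fw in table.items():
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, fw)
    return best[1] if best else None


# Constructed topology: one internal prefix, a distinct external prefix per firewall.
INTERNAL = "fd01:203:405::/48"
FIREWALLS = {"fw-a": "2001:db8:1::/48", "fw-b": "2001:db8:2::/48"}
RETURN_TABLE = {ext: name for name, ext in FIREWALLS.items()}


def demo(host: str = "fd01:203:405:1::1234") -> Dict[str, str]:
    """Translate one host through each firewall and record where replies land."""
    out = {}
    for name, ext in FIREWALLS.items():
        ext_addr = str(NPTv6(INTERNAL, ext).outbound(host))
        out[name] = ext_addr
        out[f"{name}-returns-to"] = select_return_firewall(ext_addr, RETURN_TABLE)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because each firewall rewrites the same internal host to a different external /48, the reply's destination carries the identity of the firewall that created the mapping, and ordinary longest-prefix routing delivers it back there without any shared state. The checksum-neutrality check (`address_checksum` equal before and after) is what lets NPTv6 avoid touching TCP/UDP checksums, which is exactly the property NAPT66 gives up by also rewriting ports.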