Netgate is offering COVID-19 aid for pfSense software users, learn more.
Multi-WAN for IPv6¶
Multi-WAN can be utilized with IPv6 provided that the firewall is connected to multiple ISPs or tunnels with static addresses.
See Connecting with a Tunnel Broker Service for help setting up a tunnel.
Gateway Groups work the same for IPv6 as they do for IPv4, but address families cannot be mixed within a group. A group must contain either only IPv4 gateways, or only IPv6 gateways.
Throughout this section “Second WAN” refers to the second or additional interface with IPv6 connectivity. It can be an actual interface that has native connectivity, or a tunnel interface when using a tunnel broker.
In most cases, NAT is not used with IPv6 in any capacity as everything is routed. That is great for connectivity and for businesses or locations that can afford Provider Independent (PI) address space and a BGP peering, but it doesn’t work in practice for small business and home users.
Network Prefix Translation (NPt) allows one subnet to be used for LAN which has full connectivity via its native WAN, but also has translated connectivity on the additional WANs so it appears to originate there. While not true connectivity for the LAN subnet via the alternate paths, it is better than no connectivity at all if the primary WAN is down.
This does not work for dynamic IPv6 types where the subnet is not static, such as DHCP6-PD.
To setup Multi-WAN for IPv6 the firewall must have:
IPv6 connectivity with static addresses on two or more WANs
Gateways added to System > Routing for both IPv6 WANs, and confirmed connectivity on both.
A routed /64 from each provider/path
LAN using a static routed /64 or similar
The setup for IPv6 Multi-WAN is very close to the setup for IPv4. The main difference is that it uses NPt instead of NAT.
First, under System > Routing on the Gateway Groups tab, add Gateway Groups for the IPv6 gateways, with the tiers setup as desired. This works identically to IPv4.
Next, navigate to System > General and set one IPv6 DNS server set for each IPv6 WAN, also identically to IPv4.
Now add an NPt entry under Firewall > NAT on the NPt tab, using the following settings:
Secondary WAN (or tunnel if using a broker)
- Internal IPv6 Prefix
The LAN IPv6 subnet
- Destination IPv6 Prefix
The second WAN routed IPv6 subnet
This is not the /64 of the WAN interface itself – it is the /64 routed to the firewall on that WAN by the upstream.
What this does is akin to 1:1 NAT for IPv4, but for the entire subnet. As traffic leaves the second WAN, if it is coming from the LAN subnet, it will be translated to the equivalent IP address in the other subnet.
For example if the firewall has
2001:xxx:yyy::/64 on LAN, and
2001:aaa:bbb::/64 on the second WAN, then
2001:xxx:yyy::5 would appear
2001:aaa:bbb::5 if the traffic goes out the second WAN. For more
information on NPt, see IPv6 Network Prefix Translation (NPt).
As with IPv4, the Gateway Groups must be used on LAN firewall rules. Edit the LAN rules for IPv6 traffic and set them use the gateway group, making sure to have rules for directly connected subnets/VPNs without a gateway set so they are not policy routed.
Some users prefer to configure LAN with a “private” IPv6 subnet from the
fc00::/7 space and setup NPt for both WANs.