IPv6 Network Prefix Translation (NPt)
Network Prefix Translation, or NPt for short, works similarly to 1:1 NAT but operates on IPv6 addresses instead. NPt can be found under Firewall > NAT on the NPt tab.
NPt takes one prefix and translates it to another. So
2001:db8:3333:4444::/64 and though the
prefix changes, the remainder of the address will be identical for a given host
on that subnet.
There are a few purposes for NPt, but many question its actual usefulness. With
NPt, “private” IPv6 space (fc00::/7) can be utilized on a LAN and it can be
translated by NPt to a public, routed, IPv6 prefix as it comes and goes through
a WAN. The utility of this is debatable. One use is to avoid renumbering the LAN
if external providers change. However, since anything external that looked for
the old prefix must also be adjusted, the usefulness of that can go either way,
especially when the configuration must account for avoiding collisions in the
fc00::/7 space for VPN tunnels.
NPt makes perfect sense for SOHO IPv6 Multi-WAN deployments. The likelihood that
a home or small business end user will have their own provider-independent IPv6
space and a BGP feed is very small. In these cases, the firewall can utilize a
routed prefix from multiple WANs to function similarly to Multi-WAN on IPv4. As
traffic leaves the second WAN sourced from the LAN subnet, NPt will translate it
to the equivalent IP address in the routed subnet for that WAN. The LAN can
either use one of the routed prefixes and do NPt on the other WANs, or use
fc00::/7 and do NPt on all WANs. We recommend avoiding use of
fc00::/7 space for this task. For more information on Multi-WAN with
IPv6, see Multi-WAN for IPv6.
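The prefix swap and the Multi-WAN case described above, as an added example that is not part of the pfSense documentation or code. It models only the behavior stated here (prefix replaced, remainder of the address unchanged); pairing this page's two example prefixes as one rule, requiring equal prefix lengths, and the `WAN2` interface with its prefix are assumptions made for illustration.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")

# Constructed rule table: exit interface -> (internal prefix, routed external prefix).
# HENETV6DSL and the first two prefixes appear on this page; WAN2 and its prefix are made up.
RULES = {
    "HENETV6DSL": ("2001:db8:1111:2222::/64", "2001:db8:3333:4444::/64"),
    "WAN2": ("2001:db8:1111:2222::/64", "2001:db8:5555:6666::/64"),
}

def swap_prefix(addr, from_prefix, to_prefix):
    """Replace from_prefix with to_prefix, keeping the remaining host bits."""
    ip = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:  # assumption: both sides use the same length
        raise ValueError("internal and external prefix lengths differ")
    if ip not in src:
        return None  # address is not covered by this rule
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))

def outbound(addr, interface):
    """Source address as seen outside after leaving via `interface`."""
    internal, external = RULES[interface]
    return swap_prefix(addr, internal, external)

def to_internal(external_addr):
    """Map an address seen on a WAN back to (interface, LAN address) for log correlation."""
    for interface, (internal, external) in RULES.items():
        lan = swap_prefix(external_addr, external, internal)
        if lan is not None:
            return interface, lan
    return None

def ula_rules():
    """Interfaces whose internal prefix sits in fc00::/7, which the page recommends avoiding."""
    return [i for i, (internal, _) in RULES.items()
            if ipaddress.IPv6Network(internal).subnet_of(ULA)]

if __name__ == "__main__":
    host = "2001:db8:1111:2222:a8bb:ccff:fedd:eeff"  # constructed LAN host
    for wan in RULES:
        print(wan, outbound(host, wan))
    print(to_internal("2001:db8:5555:6666:a8bb:ccff:fedd:eeff"))
```

The reverse lookup is the part that matters when reading upstream or remote logs: the same LAN host appears under a different source prefix on each WAN, and only the unchanged host bits tie those entries together.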
When adding an NPt entry, there are few options to consider as NPt is fairly basic:
Toggles whether this rule is actively used.
Selects the Interface where this NPt rule takes effect as the traffic exits.
- Internal IPv6 Prefix
The local (e.g. LAN) IPv6 subnet and prefix length, typically the
/64 on LAN or other internal network.
- Destination IPv6 Prefix
The routed external IPv6 subnet and prefix length to which the Internal IPv6 Prefix will be translated. This is NOT the prefix of the WAN itself. It must be a network routed to this firewall via Interface.
A brief description of the purpose for this entry.
Figure NPt Example shows an NPt rule where the LAN IPv6 subnet
2001:db8:1111:2222::/64 will be translated to
it leaves the HENETV6DSL interface.