IPv6 Network Prefix Translation (NPt)
Network Prefix Translation, or NPt for short, works similarly to 1:1 NAT but operates on IPv6 prefixes instead. NPt can be found under Firewall > NAT on the NPt tab.
NPt takes one prefix and translates it to another. So 2001:db8:1111:2222::/64 becomes 2001:db8:3333:4444::/64 and though the prefix changes, the remainder of the address will be identical for a given host on that subnet.
Warning
NPt on pfSense software does NOT function like traditional outbound/overload NAT/PAT. NPt cannot be used to map an internal prefix to a different size prefix or single address in use on a WAN; it must be used with a routed prefix. That type of translation is possible with outbound NAT rules.
NPt on pfSense software also does not function like NPT66 (RFC 6296), which also changes the host portion using specific mathematical rules so it does not change packet checksums. NPt on pfSense software is stateful and maintains the host portion of the address when translating.
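The difference between the two behaviours, as an added example that is not part of the pfSense documentation or code: `npt_keep_host` swaps the prefix and keeps the host bits as described above, while `npt_checksum_neutral` is a simplified sketch of the RFC 6296 style adjustment for prefixes up to /64. The function names and the sample host `::10` are assumptions made for the illustration.

```python
import ipaddress

def _words(value):
    """Split a 128-bit integer into eight 16-bit words."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _oc_add(a, b):
    """16-bit one's complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _swap_prefix(addr, src, dst):
    """Overwrite the src prefix bits of addr with dst's; host bits are kept."""
    addr = ipaddress.IPv6Address(addr)
    src, dst = ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefixes must be the same size")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    return int(dst.network_address) | (int(addr) & int(src.hostmask))

def npt_keep_host(addr, src, dst):
    """Translation as this page describes it: only the prefix changes."""
    return ipaddress.IPv6Address(_swap_prefix(addr, src, dst))

def npt_checksum_neutral(addr, src, dst):
    """RFC 6296 style: also adjust one word so the address checksum is unchanged."""
    words = _words(_swap_prefix(addr, src, dst))
    src, dst = ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)
    if src.prefixlen > 64:
        raise ValueError("this sketch handles prefixes up to /64")
    src_sum = dst_sum = 0
    for s, d in zip(_words(int(src.network_address)), _words(int(dst.network_address))):
        src_sum, dst_sum = _oc_add(src_sum, s), _oc_add(dst_sum, d)
    adjust = _oc_add(src_sum, ~dst_sum & 0xFFFF)  # src sum minus dst sum
    # /48 or shorter: adjust bits 48..63. Longer: first IID word that is not 0xFFFF.
    slots = [3] if src.prefixlen <= 48 else [i for i in range(4, 8) if words[i] != 0xFFFF]
    if not slots:
        raise ValueError("no adjustable word in the interface identifier")
    new = _oc_add(words[slots[0]], adjust)
    words[slots[0]] = 0 if new == 0xFFFF else new  # 0xFFFF is written as zero
    value = 0
    for w in words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)

# Constructed sample: the page's prefixes with a made-up host ::10.
SRC, DST = "2001:db8:1111:2222::/64", "2001:db8:3333:4444::/64"
HOST = "2001:db8:1111:2222::10"
if __name__ == "__main__":
    print(npt_keep_host(HOST, SRC, DST), npt_checksum_neutral(HOST, SRC, DST))
```

Firewall rules, allow lists and log searches written against the translated prefix can match on the original host portion only in the first case; under the checksum-neutral mapping the interface identifier seen outside differs from the one on the LAN.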
There are a few purposes for NPt. With NPt, a LAN can utilize “private” IPv6 space (fc00::/7) and it can be translated by NPt to a public, routed, IPv6 prefix as it comes and goes through a WAN. This can help to avoid renumbering the LAN if external providers change. However, since anything external that looked for the old prefix must also be adjusted, the usefulness of that can go either way, especially when the configuration must account for avoiding collisions in the fc00::/7 space for VPN tunnels.
NPt is useful for SOHO IPv6 Multi-WAN deployments. The likelihood that a home or small business end user will have their own provider-independent IPv6 space and a BGP feed is very small. In these cases, the firewall can utilize a routed prefix from multiple WANs to function similarly to Multi-WAN on IPv4. As traffic leaves the second WAN sourced from the LAN subnet, NPt will translate it to the equivalent IP address in the routed subnet for that WAN. The LAN can either use one of the routed prefixes and do NPt on the other WANs, or use addresses in fc00::/7 and do NPt on all WANs. The best practice is to avoid using the fc00::/7 space for this task. For more information on Multi-WAN with IPv6, see Configuring Multi-WAN for IPv6.
When adding an NPt entry, there are few options to consider as NPt is fairly basic:
- Disabled:
Toggles whether this rule is actively used.
- Interface:
Selects the Interface where this NPt rule takes effect as the traffic exits.
- Source IPv6 Prefix:
The local (e.g. LAN) IPv6 subnet and prefix length, typically the /64 on LAN or other internal network.
- Destination IPv6 Prefix:
The routed external IPv6 subnet and prefix length to which the Internal IPv6 Prefix will be translated. This is NOT the prefix of the WAN itself. It must be a network routed to this firewall via Interface.
- Description:
A brief description of the purpose for this entry.
Figure NPt Example shows an NPt rule where the LAN IPv6 subnet 2001:db8:1111:2222::/64 will be translated to 2001:db8:3333:4444::/64 as it leaves the HE_CABLE interface.

NPt Example