IPv6 and NAT

Though IPv6 removes most any need for NAT, there are rare situations that call for the use of NAT with IPv6 such as Multi-WAN for IPv6 on residential or small business networks.

IPv6 all but eliminates the need for traditional port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address.

Outbound NAT

While it is possible to perform Outbound NAT on IPv6 traffic, the best practice is to allow IPv6 traffic to pass without performing any address or port translation.

Prefix Translation (1:1 NAT)

It is possible to translate one IPv6 prefix to another, which is Network Prefix Translation (NPt). This is available in the pfSense® software WebGUI under Firewall > NAT on the NPt tab. For example, NPt can translate 2001:db8:1111:2222::/64 to 2001:db8:3333:4444::/64 while maintaining the host portion of the address. For more on NPt, see IPv6 Network Prefix Translation (NPt).

NAT64

pfSense software includes support for NAT64 which is useful as a transition mechanism to allow IPv6-only hosts access to IPv4-only resources. Several different functions must be configured for a full NAT64 configuration. See NAT64 and Configuring NAT64 for IPv6-only Clients for details.

IPv4 Mapped Addresses

There is also a mechanism built into IPv6 to access IPv4 hosts using a special address notation, such as ::ffff:192.168.1.1. The behavior of these addresses can vary between OS and application and can be unreliable.