IPv6 and NAT¶
Though IPv6 removes most any need for NAT, there are rare situations that call for the use of NAT with IPv6 such as Multi-WAN for IPv6 on residential or small business networks.
IPv6 all but eliminates the need for traditional port translated NAT (PAT) where internal addresses are translated using ports on a single external IP address.
Outbound NAT¶
While it is possible to perform Outbound NAT on IPv6 traffic, the best practice is to allow IPv6 traffic to pass without performing any address or port translation.
Prefix Translation (1:1 NAT)¶
It is possible to translate one IPv6 prefix to another, which is Network Prefix
Translation (NPt). This is available in the pfSense® software WebGUI under
Firewall > NAT on the NPt tab. For example, NPt can translate
2001:db8:1111:2222::/64
to 2001:db8:3333:4444::/64
while maintaining the
host portion of the address. For more on NPt, see IPv6 Network Prefix Translation (NPt).
NAT64¶
pfSense software includes support for NAT64 which is useful as a transition mechanism to allow IPv6-only hosts access to IPv4-only resources. Several different functions must be configured for a full NAT64 configuration. See NAT64 and Configuring NAT64 for IPv6-only Clients for details.
IPv4 Mapped Addresses¶
There is also a mechanism built into IPv6 to access IPv4 hosts using a special
address notation, such as ::ffff:192.168.1.1
. The behavior of these
addresses can vary between OS and application and can be unreliable.