IPv6 - Network Prefix Translation

bonnet

Post by bonnet » 05 Jun 2020, 18:24

Hi,

Can we do Network Prefix Translation on an SG appliance?
I see pfsense can do it (https://docs.netgate.com/pfsense/en/lat ... n-npt.html).

We have many WAN connections and many servers with inbound connections from the Internet. I would like to change my ISP without changing all IPs on servers.

For example:
ISP A with prefix 2001:DB8:A::/48
ISP B with prefix 2001:DB8:B::/48

So my server will have those IPs with automatic configuration:
fe80::0201:02FF:FE03:0405
2001:DB8:A::0201:02FF:FE03:0405
2001:DB8:B::0201:02FF:FE03:0405

I want to manually add an anycast IP on both ISPs, like:
2001:DB8:A::2001
2001:DB8:B::2001

If I change my ISP, I don't want to change all the manual anycast IPs on all servers. So I think the best practice may be setting this manual IP on the server:
FE00:1000::2001

And add a network prefix translation on the SG appliance, like:
2001:DB8:A::/48 to FE00:1000::/48
2001:DB8:B::/48 to FE00:1000::/48

And if one day I add or change one ISP, I just need to change a network prefix translation on the appliance without reconfiguration of all servers.

Best regards,
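
Added example, not part of the original post and not code from any product named in the thread: assuming the translator uses the stateless, checksum-neutral mapping of RFC 6296 (NPTv6), this sketch maps the post's FE00:1000::2001 onto each ISP /48. It shows that the 16-bit subnet word is rewritten along with the prefix; the function name `nptv6_map` is hypothetical.

```python
import ipaddress

def _fold(x):
    """Fold carries back in (16-bit ones' complement arithmetic)."""
    while x > 0xFFFF:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def _prefix_sum(net):
    """Ones' complement sum of the three 16-bit words of a /48 prefix."""
    top = int(net.network_address) >> 80
    return _fold((top >> 32) + ((top >> 16) & 0xFFFF) + (top & 0xFFFF))

def nptv6_map(addr, src, dst):
    """Rewrite addr from /48 prefix src to /48 prefix dst (hypothetical helper)."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src)
    dst = ipaddress.IPv6Network(dst)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this sketch only handles /48 prefixes")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # adjustment = sum(src prefix) - sum(dst prefix) in ones' complement, so
    # the address as a whole keeps the same 16-bit checksum contribution.
    adjustment = _fold(_prefix_sum(src) + (~_prefix_sum(dst) & 0xFFFF))
    value = int(addr)
    subnet = (value >> 64) & 0xFFFF
    if subnet == 0xFFFF:
        # 0xFFFF is a second encoding of zero and would not round-trip.
        raise ValueError("subnet 0xFFFF cannot be mapped")
    new_subnet = _fold(subnet + adjustment)
    if new_subnet == 0xFFFF:
        new_subnet = 0
    low64 = value & ((1 << 64) - 1)  # interface identifier is left untouched
    return ipaddress.IPv6Address(
        int(dst.network_address) | (new_subnet << 64) | low64)

if __name__ == "__main__":
    inside = "fe00:1000::/48"  # internal prefix taken from the post
    for isp in ("2001:db8:a::/48", "2001:db8:b::/48"):
        outside = nptv6_map("fe00:1000::2001", inside, isp)
        back = nptv6_map(outside, isp, inside)
        print(f"{isp:18} outside={outside}  maps back to {back}")
```

Under that assumption, inbound firewall rules and DNS records have to name the mapped external addresses printed here rather than a plain prefix swap.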

Peter
Location: Clavister HQ - Örnsköldsvik

Re: IPv6 - Network Prefix Translation

Post by Peter » 29 Jun 2020, 07:30

Hello.

Unfortunately I don't think this would be possible in the current version of the Firewall (we are currently at version 13.00.06). The main reason for that is the lack of IPv6 address translation capabilities.

The only alternative I can think of at the moment would be to use DHCPv6 in order to hand out leases to the clients with the new range. But if the clients/servers are configured with static IPs, that would be... problematic.

Best regards
/Peter
