
IPv6 Multihome - 2 connections - /48 Prefix NAT/Rewrite -- Is this correct?

GMP Newbie ✭

The company has 2 ISP connections, with different firewalls. The two connections have different IPv6 /48 networks. In other words, the /48 prefix needs to be translated at one ISP connection. Is the following NAT rule pair correct?

The external NW is 2001:aaaa:bbbb::/48. The internal NW is 2001:cccc:dddd::/48. (made up to hide real numbers.) X0 and X1 are the LAN and WAN interfaces, respectively.

Thanks


Category: High End Firewalls

Answers

  • TKWITS All-Knowing Sage ✭✭✭✭

    Though I do not have experience with business class ISPs providing IPv6 connectivity, it is my understanding of IPv6 that you should not need to NAT with it. NAT-ing was created to get around the numerical limitations of IPv4 addressing exacerbated by the constantly increasing number of connections to the public internet.

    Read more: https://en.wikipedia.org/wiki/IPv4_address_exhaustion

    Your configuration in theory looks correct. I do wonder what you are trying to accomplish, and what about the other ISP?

  • Saravanan Moderator

    Hi @GMP,

    Thank you for visiting SonicWall Community.

    Your first NAT policy for outgoing looks right. The second one for incoming access needs modification. I have provided the modified policy below:

    Source: Any

    Translated Source: Original

    Destination: 2001:aaaa:bbbb::/48

    Translated Destination: 2001:cccc:dddd::/48

    Service: Any

    Translated Service: Original

    Inbound Interface: X1

    Outbound Interface: Any

    In addition to the above inbound NAT policy, you should also have a WAN to LAN or respective zone access rule. The rule may resemble the one shown below.

    WAN to LAN or Corresponding Internal Zone access rule:

    Action: Allow

    Source Port: Any

    Service: Any

    Source: Any

    Destination: 2001:aaaa:bbbb::/48

    Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • GMP Newbie ✭

    Thank you SARAVANAN for noticing my oversight. You are right, the NAT should be SOURCE in one instance and DESTINATION in the other.

    Thank you, TKWITS, for your note. The BEST solution is to apply for an ASN and acquire a /44 network from ARIN. BGP would be used to advertise the network, appropriately, at each SonicWall internet connection.

    The company is adding IPv6 carefully to avoid breaking the working network. There are two internet connections to our ISP. At this time, 2001:cccc:dddd::/48 is defined at one internet connection. The other internet connection is IPv4 only. If IPv6 was defined at the second connection, I expect the /48 would be different, e.g. 2001:aaaa:bbbb::/48. The response from SARAVANAN V leads me to believe the prefix could be rewritten, as needed.

    Note: the aaaa ... dddd phrases are meant to stand in for the actual IP addresses.

    Thanks
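
The /48 rewrite discussed in this thread, modeled as an added example that is not part of any post and is not SonicWall code: it shows that a source rewrite outbound and a destination rewrite inbound form a stateless 1:1 mapping that keeps the lower 80 bits. Assumptions: the outgoing policy (not shown on the page) translates source 2001:cccc:dddd::/48 to 2001:aaaa:bbbb::/48; the function names, host and peer addresses are constructed for illustration.

```python
import ipaddress

# Made-up stand-in prefixes, exactly as used in the thread.
EXTERNAL = ipaddress.IPv6Network("2001:aaaa:bbbb::/48")
INTERNAL = ipaddress.IPv6Network("2001:cccc:dddd::/48")


def rewrite_prefix(addr, old, new):
    """Swap the network prefix of addr from old to new, keeping the subnet
    and interface bits. Returns None when addr is not inside old, i.e. the
    NAT policy does not match and nothing is translated."""
    addr = ipaddress.IPv6Address(addr)
    if old.prefixlen != new.prefixlen:
        raise ValueError("1:1 prefix rewrite needs equal prefix lengths")
    if addr not in old:
        return None
    host_bits = int(addr) & int(old.hostmask)
    return ipaddress.IPv6Address(int(new.network_address) | host_bits)


def outbound(src, dst):
    """Assumed outgoing policy: translate the SOURCE, internal -> external."""
    new_src = rewrite_prefix(src, INTERNAL, EXTERNAL)
    return (new_src or ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst))


def inbound(src, dst):
    """Incoming policy from the answer: translate the DESTINATION,
    external -> internal; the source stays Original."""
    new_dst = rewrite_prefix(dst, EXTERNAL, INTERNAL)
    return (ipaddress.IPv6Address(src), new_dst or ipaddress.IPv6Address(dst))


if __name__ == "__main__":
    host = "2001:cccc:dddd:10::25"   # constructed internal host
    peer = "2001:db8::1"             # constructed peer (documentation range)
    src, dst = outbound(host, peer)
    print("outbound:", src, "->", dst)
    # The reply is addressed to the translated source and must map back.
    r_src, r_dst = inbound(dst, src)
    print("inbound: ", r_src, "->", r_dst)
```

Because the mapping is 1:1, every internal host has a predictable translated address in the external /48, so the WAN to LAN access rule, not the NAT policy, is what limits inbound reachability.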
