Multi-WAN for IPv6

With pfSense 2.1 you can do Multi-WAN with IPv6 provided that you have multiple ISPs or tunnels setup and working. See Using IPv6 on 2.1 with a Tunnel Broker if you need help setting up a tunnel.

Throughout this document "Second WAN" refers to the second or additional interface with IPv6 connectivity. It might be your "real" interface if you have native connectivity, or a tunnel if you are using a tunnel broker. Keep that in mind, as it will make understanding the rest of this easier.

IPv6 Multi-WAN Caveats

Traditionally with IPv6 you do not do NAT, as everything is routed. That's great for connectivity, and for businesses or locations that can afford PI space and a BGP peering. It doesn't work so well in practice for home users.

Network Prefix Translation (NPt) will allow you to use one subnet for your LAN and have full connectivity with that subnet via its "native" WAN, and also have it translated on the additional WANs so it appears to originate there. While not "true" connectivity for the LAN subnet via that path, it is better than no connectivity at all if your primary WAN is down.

This may not work at all for completely dynamic IPv6 types where the subnet is not static. (DHCP-PD, etc)

Requirements

To setup Multi-WAN for IPv6 you need:

• Two WANs, and IPv6 connectivity setup on them.
• Gateways added to System > Routing for both, and confirmed connectivity on both.
• LAN using a static routed /64 or similar

Setup

• Under System > Routing on the Gateway Groups tab, add Gateway Groups for the V6 gateways, this works just like IPv4 in Multi-WAN on 2.0.x
• Under System > General, ensure you have an IPv6 DNS server set for each IPv6 WAN. Again, just like IPv4
• Add an NPt entry under Firewall > NAT on the NPt tab:
  • Interface: Secondary WAN (or tunnel if using a broker)
  • Internal IPv6 Prefix: Your LAN IPv6 subnet
  • Destination IPv6 Prefix: Your second WAN's routed IPv6 subnet (not the /64 of the WAN interface itself -- the /64 routed to you on that WAN by the upstream)

What this does is like 1:1 NAT for IPv4. As traffic leaves the second WAN, if it's coming from the LAN subnet, it will be translated to the equivalent IP in the other subnet. For example if you have 2001:xxx:yyy::/64 on your LAN, and 2001:aaa:bbb::/64 on your second WAN, then 2001:xxx:yyy::5 would appear as 2001:aaa:bbb::5 if the traffic goes out the second WAN.

• As with IPv4 you need to use the Gateway Groups on your LAN firewall rules. Edit your LAN rules for IPv6 traffic and make them use the gateway group, making sure to have rules for directly connected subnets/VPNs without a gateway set so they are not policy routed. More information on that is on the Multi-WAN 2.0 page.

Alternate Tactics

Some may prefer to use a "private" IPv6 subnet in LAN from the fc00::/7 space, and setup NPt for both WANs.