Asking for feedback: [PATCH] fw4: add masquerade-prefix snat type
Jonas Lochmann
openwrt at jonaslochmann.de
Thu Feb 27 09:39:34 PST 2025
On Thu, Feb 27, 2025 at 11:49:10AM +0100, Bjørn Mork wrote:
> But this is mostly pointing back to the first issue: Why is it that we
> need a feature which is so weird and unique to OpenWrt that it has never
> been described before?
Because this solves a problem where no solution exists yet. The following is
based on search results for the term "ipv6 multiwan".
RFC 8678 describes the solution of using source-address-based routing [1].
This supports failover, but this method is not supported by the mwan3
package. It has the limitation that load balancing is not possible. It
mentions NPTv6 and Multipath Transports as other possible solutions.
A Reddit discussion talks about the failover scenario [2]. NPTv6 is
discussed along with its disadvantages in practice: limited support in
products (not supported at all, or only with static prefixes). Another
discussion is the one about using global addresses or ULA addresses in
the private network for this.
The documentation of pfSense states for multiwan with IPv6 that "This
[Network Prefix Translation] does not work for dynamic IPv6 types where
the subnet is not static, such as DHCP6-PD." [3] This document states
that this can be used with global or local addresses in the LAN. As far
as I know, providing both in the LAN will cause trouble. In the forum,
someone asks about other solutions, but without any reply [4].
For OPNsense, someone wrote a tutorial (in German only) and just
skipped IPv6 [5]. The reason: IPv4 is enough for a failover. Sadly, the
date of this article is not clearly visible, but the year 2022 is
mentioned.
In the UniFi forum, there is a post about a failover function that
seems to ignore IPv6 [6]. The post is two years old, but the last
comment stating that the issue still exists is 5 months old. Another
post [7] describes using NPT, but it looks manual, with hardcoded
prefixes. It uses local addresses within the LAN.
So stateless NPT requires using one single prefix in the LAN
(limitation 1). To avoid side effects on traffic to the other uplink if
one uplink obtains a new prefix, local addresses must be used
(limitation 2). It requires prefixes of the same size for the internal
network and the uplinks (limitation 3). Using my approach, these
limitations do not exist. It looks like this approach is not implemented
anywhere yet. As a result, there is no well-known name for it.
The downside of this method: it is stateful. However, multiwan with
load balancing is stateful, and the stateful firewall that is normally used
at the border of a network is stateful too.
An alternative to my approach would be a dynamic NPT in OpenWrt that
uses the prefixes assigned by the uplinks. This would be similar to
my patch, but the mentioned limitations would apply.
[1] https://datatracker.ietf.org/doc/rfc8678/
[2] https://www.reddit.com/r/ipv6/comments/10odci9/is_there_still_no_good_ipv6_wan_failover_solution/
[3] https://docs.netgate.com/pfsense/en/latest/recipes/multiwan-ipv6.html
[4] https://forum.netgate.com/topic/188052/is-there-a-clear-and-complete-recipe-for-ipv6-multi-wan
[5] https://www.heimnetz.de/anleitungen/firewall/opnsense/opnsense-multi-wan-einrichten/
[6] https://community.ui.com/questions/Dual-WAN-IPv6-Failover-and-Traffic-Routing-UDM-Pro/8c46d2bb-9aba-422b-ad2d-c78d6a7d5bcb
[7] https://community.ui.com/questions/Dual-WAN-IPv6-setup/1c2d7fe2-3bc3-42b1-b9bf-b7d36bc9f9cc