Asking for feedback: [PATCH] fw4: add masquerade-prefix snat type
Goetz Goerisch
ggoerisch at gmail.com
Thu Feb 27 23:44:28 PST 2025
Thank you Jonas for the initiative.
For Multi-Homing and Load-balancing scenarios I was always looking into
RFC8678 [1] or RFC8475 [2].
But as you mentioned there is no support in OpenWrt or mwan3 as of today.
Therefore I would be interested in a solution, nevertheless I have no
deployment and test possibilities at the moment.
Did you discuss the deployment scenario elsewhere, e.g. RIPE IPv6 WG?
Goetz
[1] https://datatracker.ietf.org/doc/rfc8678/
[2] https://datatracker.ietf.org/doc/rfc8475/
On Thu, Feb 27, 2025 at 20:42, Jonas Lochmann
<openwrt at jonaslochmann.de> wrote:
>
> On Thu, Feb 27, 2025 at 11:49:10AM +0100, Bjørn Mork wrote:
> > But this is mostly pointing back to the first issue: Why is it that we
> > need a feature which is so weird and unique to OpenWrt that it has never
> > been described before?
>
> Because this solves a problem where no solution exists yet. The following is
> based on search results for the term "ipv6 multiwan".
>
> RFC 8678 described the solution of using source address based routing [1].
> This supports a failover, but this method is not supported by the mwan3
> package. This has the limitation that load balancing is not possible. It
> mentions NPTv6 and Multipath Transports as other possible solutions.
>
> A Reddit discussion talks about the failover scenario [2]. NPTv6 is
> discussed along with its disadvantages in practice - limited support in
> products (not supported at all or only with static prefixes). Another
> discussion is the one about using global addresses or ULA addresses in
> the private network for this.
>
> The documentation of pfSense states for multiwan with IPv6 that "This
> [Network Prefix Translation] does not work for dynamic IPv6 types where
> the subnet is not static, such as DHCP6-PD." [3] This document states
> that this can be used with global or local addresses in the lan. As far
> as I know, providing both in the lan will cause trouble. In the forum,
> someone asks about other solutions but without any reply [4].
>
> For OPNsense, someone wrote a tutorial (in German only) and just
> skipped IPv6 [5]. The reason: IPv4 is enough for a failover. Sadly, the
> date of this article is not clearly visible, but the year 2022 is
> mentioned.
>
> In the UniFi forum, there is a post about a failover function that
> seems to ignore IPv6 [6]. The post is two years old, but the last
> comment stating the issue still exists is 5 months old. Another
> post [7] describes using NPT but it looks manual and with hardcoding
> the prefixes. It uses local addresses within the lan.
>
> So the stateless NPT requires using one single prefix in the lan
> (limitation 1). To avoid side effects on traffic to the other uplink if
> one uplink obtains a new prefix, the local addresses must be used
> (limitation 2). It requires prefixes of the same size for the internal
> network and the uplinks (limitation 3). Using my approach, these
> limitations do not exist. It looks like this approach is not implemented
> anywhere yet. As a result, there is no well known name for it.
>
> The downside of this method: it is stateful. However, a multiwan with
> load balancing is stateful and a stateful firewall that is normally used
> at the border of a network is stateful too.
>
> An alternative to my approach would be a dynamic NPT in OpenWrt that
> uses the assigned prefixes from the uplinks. This would be similar to
> my patch but the mentioned limitations would apply.
>
> [1] https://datatracker.ietf.org/doc/rfc8678/
> [2] https://www.reddit.com/r/ipv6/comments/10odci9/is_there_still_no_good_ipv6_wan_failover_solution/
> [3] https://docs.netgate.com/pfsense/en/latest/recipes/multiwan-ipv6.html
> [4] https://forum.netgate.com/topic/188052/is-there-a-clear-and-complete-recipe-for-ipv6-multi-wan
> [5] https://www.heimnetz.de/anleitungen/firewall/opnsense/opnsense-multi-wan-einrichten/
> [6] https://community.ui.com/questions/Dual-WAN-IPv6-Failover-and-Traffic-Routing-UDM-Pro/8c46d2bb-9aba-422b-ad2d-c78d6a7d5bcb
> [7] https://community.ui.com/questions/Dual-WAN-IPv6-setup/1c2d7fe2-3bc3-42b1-b9bf-b7d36bc9f9cc