On Mon, 10 Apr 2023, Jeremy Ardley wrote:
> On 10/4/23 11:02, Tim Woodall wrote:
>> My firewall has a single /128 acquired via SLAAC and the RA from the
>> router. My entire network is masqueraded through that single IP.
>
> What does the RA contain? Typically on connection to an IPv6-capable ISP
> you will get assigned a single /128 from their range and granted a complete
> routable range, at least /64, for you to use.
> The interface between the router and the ISP will typically use the router
> fe80 to connect upstream but it will also have the /128 to use. The router
> should be able to route the /64 without NAT. If it can't then time for a
> new router.

I want to be able to put a firewall in front of the router. But there's
no way to get any traffic out of the router and into my network other
than that addressed to my firewall's /128.
The router doesn't even attempt to see if a host exists if a packet to a
new IP arrives.