Setup

The setup for IPv6 Multi-WAN is very close to the setup for IPv4. The main difference is that it uses NPt instead of NAT.

First, under System > Routing on the Gateway Groups tab, add Gateway Groups for the IPv6 gateways, with the tiers set up as desired. This works identically to IPv4.

Next, navigate to System > General and set one IPv6 DNS server for each IPv6 WAN, also identically to IPv4. Now add an NPt entry under Firewall > NAT on the NPt tab, using the following settings:

Interface: Secondary WAN (or tunnel if using a broker)

Internal IPv6 Prefix: The LAN IPv6 subnet

Destination IPv6 Prefix: The second WAN routed IPv6 subnet

Note: This is not the /64 of the WAN interface itself – it is the /64 routed to the firewall on that WAN by the upstream.

This is akin to 1:1 NAT for IPv4, but for the entire subnet. As traffic leaves the second WAN, if it is coming from the LAN subnet, it is translated to the equivalent IP address in the other subnet.

For example, if the firewall has 2001:xxx:yyy::/64 on LAN, and 2001:aaa:bbb::/64 on the second WAN, then 2001:xxx:yyy::5 would appear as 2001:aaa:bbb::5 if the traffic goes out the second WAN. For more information on NPt

As with IPv4, the Gateway Groups must be used on LAN firewall rules. Edit the LAN rules for IPv6 traffic and set them to use the gateway group, making sure to have rules for directly connected subnets/VPNs without a gateway set so they are not policy routed.
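
The NPt prefix mapping described above, as an added example that is not part of the original page or the firewall's own code: it models the translation as straight prefix substitution that keeps the host bits, in both directions, so an address seen in an upstream or remote log can be tied back to the LAN host. The prefixes are constructed samples from the 2001:db8::/32 documentation range, the function names are hypothetical, and both prefixes are assumed to have the same length, as in the /64 case above.

```python
import ipaddress

# Constructed sample prefixes from the 2001:db8::/32 documentation range.
LAN_PREFIX = "2001:db8:1111::/64"    # Internal IPv6 Prefix (LAN subnet)
WAN2_PREFIX = "2001:db8:2222::/64"   # Destination IPv6 Prefix (routed to WAN2)


def map_prefix(addr, from_prefix, to_prefix):
    """Move addr from from_prefix into to_prefix, keeping its host bits.

    Returns None when addr is outside from_prefix, i.e. the NPt entry
    would not apply to it. Assumes both prefixes have the same length.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths differ: %s vs %s" % (src, dst))
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        return None
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))


def outbound(lan_addr):
    """Address the upstream sees for a LAN host leaving via the second WAN."""
    return map_prefix(lan_addr, LAN_PREFIX, WAN2_PREFIX)


def inbound(wan_addr):
    """LAN host behind a translated address, e.g. one seen in a remote log."""
    return map_prefix(wan_addr, WAN2_PREFIX, LAN_PREFIX)


if __name__ == "__main__":
    samples = ("2001:db8:1111::5",                  # static host
               "2001:db8:1111:0:a1b2:c3ff:fe00:1",  # SLAAC-style host
               "2001:db8:9999::5")                  # not in the LAN prefix
    for host in samples:
        print(host, "->", outbound(host))
    print("2001:db8:2222::5", "<-", inbound("2001:db8:2222::5"))
```

A source address outside the LAN prefix returns None here, which is the case to look for when another internal subnet is expected to use the second WAN but has no NPt entry of its own.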