IPv6 to IPv6 IPsec tunnel

Hello @devashish,

The working configuration I use in the network lab:

set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 description 'RDP'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 destination address 'fd00:2222:2222:2222:70b0:1ba6:152f:2a16'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 destination port '3389'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 5 protocol 'tcp'
set interfaces ethernet eth0 address '2001:1111:1111:1111::20/24'
set interfaces ethernet eth1 address 'fd00:2222:2222:2222::1/64'
set interfaces ethernet eth1 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
set nat66 destination rule 30 description 'wsrv150'
set nat66 destination rule 30 destination address '2001:1111:1111:1111::20'
set nat66 destination rule 30 destination port '9292'
set nat66 destination rule 30 inbound-interface 'eth0'
set nat66 destination rule 30 protocol 'tcp'
set nat66 destination rule 30 translation address 'fd00:2222:2222:2222:70b0:1ba6:152f:2a16'
set nat66 destination rule 30 translation port '3389'
set nat66 source rule 1000 destination prefix '!fd00:1111:1111:1111::/64'
set nat66 source rule 1000 outbound-interface 'eth0'
set nat66 source rule 1000 source prefix 'fd00:2222:2222:2222::/64'
set nat66 source rule 1000 translation address '2001:1111:1111:1111::20'

Hello Volodya

Can you please confirm which IP you have taken as the public IP and which IP you have taken as the private IP? As I checked, I found 3 IP series in your whole configuration, which are:

2001:1111:1111:1111::20
fd00:1111:1111:1111::/64
fd00:2222:2222:2222::/64

2001:1111:1111:1111::20 - Public IPv6 address;
fd00:1111:1111:1111::/64 - don’t pay attention to the address, I tested the exclude in rule 1000 nat 66;
fd00:2222:2222:2222::/64 - Private IPv6 address.
fd00:2222:2222:2222:70b0:1ba6:152f:2a16 - Test computer to which I connect via RDP (3389).

Hello Volodya

As per your suggestion, my configuration now looks like yours, but I am still not able to access RDP via port 9296.

Eth1 Public IPv6 = 6407:dfc0:1::90
Eth2 Private IPv6 = fdeb:b39a:29f8:bfd5:0000:0000:0000:41

set firewall ipv6-name FIREWALL_OUT_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 30 description 'RDP'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5:0000:0000:0000:41'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 30 destination port '3389'
set firewall ipv6-name FIREWALL_OUT_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 description 'wsrv150'
set nat66 destination rule 30 destination address '6407:dfc0:1::90'
set nat66 destination rule 30 destination port '9296'
set nat66 destination rule 30 inbound-interface 'eth1'
set nat66 destination rule 30 protocol 'tcp'
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5:0000:0000:0000:41'
set nat66 destination rule 30 translation port '3389'
set nat66 source rule 30 destination prefix '!fd00:1111:1111:1111::/64'
set nat66 source rule 30 outbound-interface 'eth1'
set nat66 source rule 30 source prefix 'fdeb:b39a:29f8:bfd5::/64'
set nat66 source rule 30 translation address '6407:dfc0:1::90'

Hello Volodya

I hope you are doing well.

Today I tried to install the latest nightly build, version 202211120317, of VyOS, and I found that I am not able to verify the ARP table for IPv6, and the two commands below are also not working, although they were working in the earlier version.

#set interfaces ethernet eth1 firewall in ipv6-name 'FIREWALL_IN_IPV6'

#set interfaces ethernet eth2 firewall out ipv6-name 'FIREWALL_OUT_IPV6'

Please help me resolve this issue, and let us know whether it is possible to configure NAT64 in this version of VyOS.

The firewall was rewritten, and attaching rulesets to interfaces is now done under the firewall section, not under the interface section. The doc was already updated: Firewall — VyOS 1.4.x (sagitta) documentation
In your config:

set firewall interface eth1 in ipv6-name FIREWALL_IN_IPV6
set firewall interface eth2 out ipv6-name FIREWALL_OUT_IPV6

NAT64 is still not supported.

IPv6 doesn’t use ARP, by protocol design.

Dear Fort

Please let us know how to configure port forwarding in IPv6, because I configured the commands below but it is not working. Are there any other commands which I missed? Or please share the exact working configuration.

Public IPv6 address = 2307:e4c0:3::85
Private IPv6 address = fdeb:b39a:29f8:bfd5::41

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description 'wsrv150'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5::41'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '3389'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log 'disable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 description 'DNAT for wsrv150-ind - One To One'
set nat66 destination rule 30 destination address '2307:e4c0:3::85'
set nat66 destination rule 30 destination port 9296
set nat66 destination rule 30 inbound-interface 'any'
set nat66 destination rule 30 protocol tcp
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5::41'
set nat66 destination rule 30 translation port 3389
set nat66 source rule 30 description 'SNAT wsrv150'
set nat66 source rule 30 outbound-interface eth1
set nat66 source rule 30 protocol all
set nat66 source rule 30 source prefix fdeb:b39a:29f8:bfd5::41/128
set nat66 source rule 30 translation address 2307:e4c0:3::85

I think there’s a bug in nat66 for port translations. We are checking it, and will update it in Phabricator.

Dear Fort

Actually, Mr. Volodya gave me the configuration for port forwarding on the trail chat, but that configuration was also not working, and I also shared my configuration with him. Please check once on the trail chat.

So how long until we can expect port forwarding, port translation and NAT64 to come in the newly created version of VyOS?

Please try changing:

## This command
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5::41'
## Change it to
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5:0:0:0:41'

Dear Fort

We have changed the same, but nothing happens. Please help us, or provide a working port forwarding configuration for IPv6.
Below is my current configuration.

set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 action 'accept'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 description 'wsrv150'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination address 'fdeb:b39a:29f8:bfd5:0:0:0:41'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 destination port '3389'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 log 'disable'
set firewall ipv6-name FIREWALL_IN_IPV6 rule 30 protocol 'tcp'
set nat66 destination rule 30 description 'DNAT for wsrv150-ind - One To One'
set nat66 destination rule 30 destination address '2307:e4c0:3::85'
set nat66 destination rule 30 destination port 9296
set nat66 destination rule 30 inbound-interface 'any'
set nat66 destination rule 30 protocol tcp
set nat66 destination rule 30 translation address 'fdeb:b39a:29f8:bfd5:0:0:0:41'
set nat66 destination rule 30 translation port 3389
set nat66 source rule 30 description 'SNAT wsrv150'
set nat66 source rule 30 outbound-interface eth1
set nat66 source rule 30 protocol all
set nat66 source rule 30 source prefix fdeb:b39a:29f8:bfd5::41/128
set nat66 source rule 30 translation address 2307:e4c0:3::85

Try to replace all ::, as it seems it cannot correctly determine the host part when you use ports.
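Both fixes offered in this thread, the new firewall attachment syntax from n.fort's earlier reply and the replacement of :: with explicit zero groups suggested just above, can be applied mechanically to a pasted configuration. The script below is an added example written for this page; it is not VyOS project code and not something either poster shared. Its regexes, its assumption that every input line is a plain set command, its normalisation of curly quotes, and its choice to emit zero groups without leading zeros (the form that worked above) are all its own.

```python
"""Rewrite a pasted VyOS set-command snippet for the 1.4 nightly discussed here.

Two transformations, both taken from replies in this thread:
  1. Move per-interface firewall attachments from the old
     'set interfaces ethernet ethN firewall <dir> ipv6-name <NAME>' form to the
     new 'set firewall interface ethN <dir> ipv6-name <NAME>' form.
  2. Expand compressed IPv6 literals ('::') on nat66 lines into explicit zero
     groups, the workaround that made port translation work (bug T4830).
Added example, not VyOS project code; the regexes and the output form are
this example's own choices.
"""
import ipaddress
import re

# Old-style attachment line; \S+ keeps any quotes around the ruleset name.
OLD_FW_ATTACH = re.compile(
    r"^set interfaces ethernet (?P<ifname>\S+) firewall "
    r"(?P<direction>in|out|local) (?P<family>name|ipv6-name) (?P<ruleset>\S+)$"
)

# A hex-and-colon run containing '::', with an optional /prefix-length.
# IPv4-embedded forms such as ::ffff:192.0.2.1 are out of scope for nat66 here.
IPV6_COMPRESSED = re.compile(r"(?P<addr>[0-9A-Fa-f:]*::[0-9A-Fa-f:]*)(?P<plen>/\d{1,3})?")


def expand_ipv6(addr: str) -> str:
    """Expand '::' into explicit groups, dropping leading zeros inside each group:
    'fdeb:b39a:29f8:bfd5::41' -> 'fdeb:b39a:29f8:bfd5:0:0:0:41'.
    Raises ValueError if addr is not a valid IPv6 address."""
    groups = ipaddress.IPv6Address(addr).exploded.split(":")
    return ":".join(g.lstrip("0") or "0" for g in groups)


def migrate_firewall_attachment(line: str) -> str:
    """Transformation 1; lines that are not old-style attachments pass through."""
    m = OLD_FW_ATTACH.match(line)
    if not m:
        return line
    return "set firewall interface {ifname} {direction} {family} {ruleset}".format(**m.groupdict())


def expand_nat66_addresses(line: str) -> str:
    """Transformation 2; only 'set nat66 ...' lines are touched, and only
    literals that actually parse as IPv6 addresses are rewritten."""
    if not line.startswith("set nat66 "):
        return line

    def _sub(m: re.Match) -> str:
        try:
            expanded = expand_ipv6(m.group("addr"))
        except ValueError:
            return m.group(0)  # not an address after all; leave it alone
        return expanded + (m.group("plen") or "")

    return IPV6_COMPRESSED.sub(_sub, line)


def rewrite_config(text: str) -> str:
    """Apply both transformations line by line. Curly quotes, which a forum
    paste often carries and which the CLI does not treat as quote characters,
    are normalised to ASCII quotes first."""
    out = []
    for line in text.splitlines():
        line = line.replace("\u2018", "'").replace("\u2019", "'")
        line = migrate_firewall_attachment(line)
        line = expand_nat66_addresses(line)
        out.append(line)
    return "\n".join(out)


# Constructed sample, assembled from the commands posted in this thread
# (one line deliberately carries curly quotes, as copied from the forum).
SAMPLE = """\
set interfaces ethernet eth1 firewall in ipv6-name 'FIREWALL_IN_IPV6'
set interfaces ethernet eth2 firewall out ipv6-name 'FIREWALL_OUT_IPV6'
set nat66 destination rule 30 destination address '2307:e4c0:3::85'
set nat66 destination rule 30 destination port 9296
set nat66 destination rule 30 translation address \u2018fdeb:b39a:29f8:bfd5::41\u2019
set nat66 destination rule 30 translation port 3389
set nat66 source rule 30 source prefix fdeb:b39a:29f8:bfd5::41/128
set nat66 source rule 30 translation address 2307:e4c0:3::85
"""

if __name__ == "__main__":
    print(rewrite_config(SAMPLE))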

@n.fort @Viacheslav
Thanks for the response, now port forwarding is working.

Could you create a bug report at Phabricator? I guess it should work by default :slight_smile:

Created: T4830 nat66 - Error in port translation rules

Sure, I will create the same and share it with you.

But I need one more thing in VyOS: can we configure HA?

Actually I configured VRRP on 2 firewalls; one is master and the other is backup.

When one is down, the other will take over the responsibility, but only the interface IPs are synced, not the whole configuration, like port forwarding rules, any policy rules, IPsec configuration, etc.

I want the overall configuration to be synced to the secondary firewall when the first firewall goes down.

Do you have the configuration for the same? Please share it with us.

Regarding the NAT issue, it should be fixed in the latest build, and you should now be able to use :: in IPv6 addresses.
Regarding HA: migration of configuration is not supported. For advanced setups, you’ll need to work on custom scripts executed during state transitions: High availability — VyOS 1.4.x (sagitta) documentation

Hello n.fort

I hope you are doing well.

I have one concern. I am using VRRP.

When using VRRP I am facing one problem.

Below is my configuration:

set high-availability vrrp group Green_interface interface 'eth2'
set high-availability vrrp group Green_interface priority '100'
set high-availability vrrp group Green_interface rfc3768-compatibility
set high-availability vrrp group Green_interface virtual-address '10.10.0.1/16'
set high-availability vrrp group Green_interface vrid '10'
set high-availability vrrp group Red_interface interface 'eth1'
set high-availability vrrp group Red_interface priority '100'
set high-availability vrrp group Red_interface rfc3768-compatibility
set high-availability vrrp group Red_interface virtual-address '103.110.88.238/24'
set high-availability vrrp group Red_interface vrid '10'

Currently my VRRP status is like this:

Name             Interface  VRID  State   Last Transition
---------------  ---------  ----  ------  ---------------
Green_interface  eth2v10    10    MASTER  28m19s
Red_interface    eth1v10    10    MASTER  43m30s

My concern is that if one of my interfaces goes down, then only that interface becomes master on my backup firewall, like below:

vyos@i2k2-nod-az1-fw1-v39:~$ sh vrrp
Name             Interface  VRID  State   Last Transition
---------------  ---------  ----  ------  ---------------
Green_interface  eth2v10    10    MASTER  5m56s
Red_interface    eth1v10    10    FAULT   27s

Now, because of this, my Red interface, which is the source of internet for the server, is master on the secondary firewall, and my Green interface, which is the gateway address for the server, is master on the primary firewall.

Now due to this I am not able to get internet on my server. Is there any solution for this?

@devashish
Try to use Sync groups.