NPTv6 not working with dual-WAN PPPoE setup on VyOS 1.5-stream-2025-Q1

Hi Team,
I’m trying to get NPTv6 working, but have had no success so far.

Environment

  • VyOS Version: 1.5-stream-2025-Q1 (circinus)
  • Hardware: Bare metal (Techvision TVI7309X)
  • Setup: Dual-WAN PPPoE with load balancing

Network Configuration

  • WAN1: pppoe0 - receives prefix 2804:1e68:c209:95e6::/64 via DHCPv6-PD
  • WAN2: pppoe1 - receives prefix 2804:1e68:c209:d118::/64 via DHCPv6-PD
  • LAN: br0 - using ULA fd00:28::/64
  • Load Balancing: Configured for IPv4 only (working fine)

Problem Description

I’m trying to implement NPTv6 to translate my internal ULA prefix (fd00:28::/64) to the GUA prefixes received via DHCPv6-PD on both WAN interfaces. While the configuration is accepted and NAT66 rules appear in nftables, no IPv6 traffic is actually being translated and forwarded.

Current Configuration

DHCPv6-PD Configuration

set interfaces pppoe pppoe0 dhcpv6-options pd 0 length '64'
set interfaces pppoe pppoe1 dhcpv6-options pd 1 length '64'

NAT66 Configuration

set nat66 source rule 10 outbound-interface name 'pppoe0'
set nat66 source rule 10 source prefix 'fd00:28::/64'
set nat66 source rule 10 translation address '2804:1e68:c209:95e6::/64'
set nat66 source rule 10 description 'NPTv6 LAN to WAN1'

set nat66 source rule 20 outbound-interface name 'pppoe1'
set nat66 source rule 20 source prefix 'fd00:28::/64'
set nat66 source rule 20 translation address '2804:1e68:c209:d118::/64'
set nat66 source rule 20 description 'NPTv6 LAN to WAN2'

set nat66 destination rule 10 inbound-interface name 'pppoe0'
set nat66 destination rule 10 destination address '2804:1e68:c209:95e6::/64'
set nat66 destination rule 10 translation address 'fd00:28::/64'
set nat66 destination rule 10 description 'NPTv6 WAN1 to LAN'

set nat66 destination rule 20 inbound-interface name 'pppoe1'
set nat66 destination rule 20 destination address '2804:1e68:c209:d118::/64'
set nat66 destination rule 20 translation address 'fd00:28::/64'
set nat66 destination rule 20 description 'NPTv6 WAN2 to LAN'

Router Advertisement

set service router-advert interface br0 prefix 'fd00:28::/64'
set service router-advert interface br0 name-server '2001:4860:4860::8888'
set service router-advert interface br0 name-server '2001:4860:4860::8844'

Firewall Configuration

set firewall ipv6 forward filter rule 50 action 'accept'
set firewall ipv6 forward filter rule 50 source address 'fd00:28::/64'
set firewall ipv6 forward filter rule 50 outbound-interface group 'WAN'
set firewall ipv6 forward filter rule 50 description 'Allow ULA out via NPTv6'

Troubleshooting Results

1. NAT66 rules are present in nftables:

$ sudo nft list table ip6 vyos_nat | grep -E "snat prefix|dnat prefix"
oifname "pppoe0" ip6 saddr fd00:28::/64 counter packets 3 bytes 312 snat prefix to 2804:1e68:c209:95e6::/64 comment "SRC-NAT66-10"
oifname "pppoe1" ip6 saddr fd00:28::/64 counter packets 0 bytes 0 snat prefix to 2804:1e68:c209:d118::/64 comment "SRC-NAT66-20"
iifname "pppoe0" ip6 daddr 2804:1e68:c209:95e6::/64 counter packets 0 bytes 0 dnat prefix to fd00:28::/64 comment "DST-NAT66-10"
iifname "pppoe1" ip6 daddr 2804:1e68:c209:d118::/64 counter packets 0 bytes 0 dnat prefix to fd00:28::/64 comment "DST-NAT66-20"

2. Some packets hit the SNAT rule initially (3 packets), but then stopped

3. No packets are seen going out on PPPoE interfaces:

$ sudo tcpdump -i pppoe0 -n 'ip6' -c 10
(no packets captured)

4. Testing from LAN client with only ULA addresses:

C:\> ping -6 google.com
Request timed out.

5. Testing from router itself with ULA source:

$ ping -6 -c 2 -I fd00:28::1 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) from fd00:28::1 : 56 data bytes
--- 2001:4860:4860::8888 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss

6. IPv6 forwarding is enabled:

$ cat /proc/sys/net/ipv6/conf/all/forwarding
1

7. Routes appear correct:

$ ip -6 route | grep -E "fd00:28|default"
fd00:28::/64 dev br0 proto kernel metric 256 pref medium
default via fe80::d2dd:49ff:fe1c:baf9 dev pppoe0 proto ra metric 1024
default via fe80::d2dd:49ff:fe1c:baf9 dev pppoe1 proto ra metric 1024

Additional Information

  • IPv4 NAT and load balancing work perfectly
  • When the LAN client has GUA addresses (from DHCPv6-PD), IPv6 connectivity works
  • The same Windows client works fine with IPv6 on other networks
  • Load balancing is configured only for IPv4 (source address '192.168.28.0/24')

Questions

  1. Is NPTv6 supposed to work with dual-WAN PPPoE interfaces receiving prefixes via DHCPv6-PD?
  2. Could the load-balancing module be interfering with NPTv6, even though it’s only configured for IPv4?
  3. Are there any known issues with NPTv6 in VyOS 1.5-stream when using PPPoE interfaces?
  4. Should I be using a different approach for dual-WAN IPv6?

Any help or guidance would be greatly appreciated. Thank you!
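
An added example, not part of the original post: it computes the address a LAN host should appear as on each WAN under the nat66 rules above, and the address the matching destination rule maps replies back to, so a capture on pppoe0 or pppoe1 can be filtered on the exact post-translation source. It assumes the `snat prefix` / `dnat prefix` rules replace only the prefix bits and keep the host bits unchanged; the host address `fd00:28::1234` and the function names are constructed for illustration.

```python
import ipaddress

# Prefixes copied from the post's nat66 rules.
LAN_PREFIX = ipaddress.ip_network("fd00:28::/64")
WAN_PREFIXES = {
    "pppoe0": ipaddress.ip_network("2804:1e68:c209:95e6::/64"),
    "pppoe1": ipaddress.ip_network("2804:1e68:c209:d118::/64"),
}


def map_prefix(addr, src_net, dst_net):
    """Swap the src_net prefix bits of addr for dst_net, keeping the host bits.

    Assumption: this mirrors a 1:1 prefix translation rule.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 prefix mapping needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is outside {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def expected_translations(lan_addr):
    """Per WAN interface: (post-SNAT source, address the DNAT rule restores)."""
    result = {}
    for ifname, wan_net in WAN_PREFIXES.items():
        outside = map_prefix(lan_addr, LAN_PREFIX, wan_net)
        inside = map_prefix(outside, wan_net, LAN_PREFIX)
        result[ifname] = (str(outside), str(inside))
    return result


if __name__ == "__main__":
    lan_host = "fd00:28::1234"  # constructed sample host on br0
    for ifname, (outside, inside) in expected_translations(lan_host).items():
        print(f"{ifname}: {lan_host} -> {outside} (replies map back to {inside})")
```

If a capture on a WAN interface shows the untranslated `fd00:28::` source, or nothing at all, the packet never reached or never matched the source rule for that interface.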