PPPoE fixed WAN IPv6 adresses

I have a setup here with PPPoE over fiber to the ISP (actually, 12 to be exact, all similar).

ISP connection works fine, I get the fixed IPv4 address, a dynamic public IPv6 address via SLAAC, and a /56 subnet for PD.

What I need is to be able to take a /64 from that /56, and assign it to the PPPoE WAN interface, and use the ::1 from that prefix as WAN IPv6 address, both for masquerading and for incoming traffic.

In the current solution, a Sophos firewall, I can simply assign a fixed IPv6 to the interface (and optional secondary addresses as needed), problem solved. But no clue how to do this in VyOS. Sophos is linux based too, so it is no technical issue of the underlying ppp daemon.

This is an absolute showstopper atm, as we have incoming traffic on fixed IP’s, and we have services on VyOS trying to bind to those WAN IP addresses (think load balancing, reverse proxy, etc). The random SLAAC address is useless for this.

I’ve been looking into DNATting the required addresses, but since the SLAAC address is dynamic, I have nothing to translate to.

Together will the other issues I have (DNS forwarding doesn’t work, IPsec doesn’t work), I’m seriously doubting our choice to replace Sophos with VyoS. I hope not, we’ve already spend two months converting config…

Thinking about this over dinner, can I

• create a dummy interface
• assign muiltiple (dummy) IPv6 adresses to it
• have the services bind to this interface and these adresses
• use DNAT rules on pppoe0 to translate the public addresses from the /64 range to these dummy addresses

Outgoing I can probably replace “masquerade” by the first ::1/64, which leaves the problem of incoming connections on ::1/64, which is an address both used in DNS and statically in things like tunnel endpoints. Or can I DNAT that to a dummy interface to, without having any routing or masquerading issues?

Yes, this is the way.

Thanks, I’ll try that, and report back.

This seems to work, thanks @roedie for your confirmation.