
 [Guide] OPNsense Unifi setup with ipv6

ruifung
post Yesterday, 03:25 PM

For me I don't share the /64 delegated prefix on any of my VLANs.

What I did is I get a /48 from HE TunnelBroker, then I treat the TunnelBroker interface as another IPv6 gateway in OPNsense.

Then I allocate /64 prefixes to my various VLANs.

Then I create a loopback interface with IPv6 to track interface from WAN.

Then I create a NAT NPTv6 rule to map my LAN /64 prefix to the prefix on the loopback interface for traffic going out on WAN.

Then I create an outbound NAT rule to NAT66 every other VLAN to the address of the loopback interface for traffic going out on WAN.

I make sure my firewall rules allowing traffic in from HE TunnelBroker have the reply-to set explicitly so it'll route the replies back out that way.

Result:
1. All my networks have proper stable GUA prefixes, that can be reachable from the internet for inbound connections.
2. All my outbound IPv6 connections will get routed directly through my ISP (in this case Maxis) and not through the tunnelbroker node.
3. I don't have to do any weird hacks to share a single subnet across multiple VLANs.
4. All IPv6 addresses are valid for connectivity internally, except the delegated prefix from Maxis which is really only used for outgoing connections because it. keeps. changing.


But yeah, I use Maxis but this should be applicable to any ISP that only gives a single /64.

This post has been edited by ruifung: Yesterday, 03:29 PM
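
The outbound address handling described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not OPNsense's own code: all prefixes are constructed documentation-range values, the VLAN names are hypothetical, and the NPTv6 step is modelled as a plain prefix swap.

```python
import ipaddress

# Constructed documentation-range values; none of them come from the post.
HE_PREFIX = ipaddress.ip_network("2001:db8:abcd::/48")  # stands in for the HE /48
VLANS = ["lan", "iot", "guest"]                         # hypothetical VLAN names


def allocate_vlans(prefix, names):
    """Give each VLAN its own stable /64 carved from the routed /48."""
    subnets = prefix.subnets(new_prefix=64)
    return {name: next(subnets) for name in names}


def swap_prefix(addr, inside, outside):
    """1:1 prefix mapping: replace the network bits, keep the host bits.
    (Plain swap; RFC 6296's checksum-neutral adjustment is not modelled.)"""
    host_bits = int(addr) & int(inside.hostmask)
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


def translate_outbound(src, plan, loopback):
    """Source address a packet carries once it has left on WAN.
    `loopback` is the loopback interface address inside the delegated /64."""
    src = ipaddress.IPv6Address(src)
    if src in plan["lan"]:
        return swap_prefix(src, plan["lan"], loopback.network)  # NPTv6 rule
    if any(src in net for net in plan.values()):
        return loopback.ip                                      # NAT66 rule
    return src                                                  # not a local VLAN


if __name__ == "__main__":
    plan = allocate_vlans(HE_PREFIX, VLANS)
    # Two successive ISP delegations, to show what changes and what does not.
    for lo in ("2001:db8:f00d:1::1/64", "2001:db8:beef:7::1/64"):
        loopback = ipaddress.ip_interface(lo)
        print(f"delegated prefix {loopback.network}")
        for host in ("2001:db8:abcd::1234", "2001:db8:abcd:1::50"):
            print(f"  {host} -> {translate_outbound(host, plan, loopback)}")
```

Running it shows the LAN host keeping its host bits under each delegated prefix while the other VLAN's host is hidden behind the single loopback address; the internal addresses themselves do not change between delegations.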

 

Time is now: 26th November 2025 - 06:48 PM