I'm running a pretty basic PF ruleset on my VPS and basically that ruleset _could_ be completely identical across almost all hosts, _if_ PF wouldn't use the IPv6 link-local address for NAT on egress packets. By default it randomly alternates between the link-local and the globally routable address, hence completely breaking any connections that are NATed on IPv6...
Currently I have to hardcode the IPv6 into the ruleset and force PF to use that for egress NAT from jails that are connected to lo0:
Code:
ext_ipv6="2a03:b0c0:3:d0::53a:c001"
[...]
nat on $ext_if from ::0/64 to any tag EGRESS -> $ext_ipv6
...which is rather stupid for automatic deployment of servers...
Is there any 'sane'/scalable way to prevent PF from using a link-local address for NAT?
pf.conf(5) isn't really helpful as it doesn't even mention IPv6 NAT.
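One way to keep the ruleset host-independent is to resolve the globally routable address at deploy time and feed it to PF as the `ext_ipv6` macro, instead of hardcoding it. The script below is an added example (not code from the post above): it parses FreeBSD `ifconfig <if> inet6` output, skips link-local (fe80::/10), ULA (fc00::/7), loopback and any address flagged tentative/deprecated/duplicated/temporary (a rotating privacy address would break NAT state just as badly as the link-local one), and prints a macro line. The interface name, the `pick_global_ipv6`/`emit_macro` function names and the sample ifconfig text are assumptions made for this example; the sample uses the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumes FreeBSD ifconfig(8)
# output of the form "inet6 <addr>[%scope] prefixlen N [flags...]".

# Read ifconfig output on stdin and print the first inet6 address that is
# globally routable and stable enough to be used as a NAT source address.
pick_global_ipv6() {
    awk '
        $1 == "inet6" {
            addr = $2
            sub(/%.*/, "", addr)                   # strip %scope on link-local
            lc = tolower(addr)
            if (lc ~ /^fe[89ab]/) next             # link-local fe80::/10
            if (lc ~ /^f[cd]/)    next             # ULA fc00::/7, not routable
            if (lc == "::1")      next             # loopback
            if ($0 ~ /tentative|deprecated|duplicated|temporary/) next
            print addr
            exit
        }
    '
}

# Emit an ext_ipv6 macro line for the given interface, or fail if the
# interface has no usable global IPv6 address (so deployment stops early
# instead of loading a ruleset that NATs to nothing).
emit_macro() {
    ifname="$1"
    addr=$(ifconfig "$ifname" inet6 2>/dev/null | pick_global_ipv6)
    if [ -z "$addr" ]; then
        echo "no stable global IPv6 address on $ifname" >&2
        return 1
    fi
    printf 'ext_ipv6="%s"\n' "$addr"
}

# Constructed sample ifconfig output (documentation prefix, not a real host):
# the link-local address comes first, which is exactly the case that must
# not win.
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:3:d0::53a:c001 prefixlen 64
	inet6 2001:db8:3:d0:1234:5678:9abc:def0 prefixlen 64 temporary'

# Run the parser over the constructed sample (offline demo).
demo() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | pick_global_ipv6
}

# Stand-alone usage: ./gen_ext_ipv6.sh vtnet0 > /etc/pf.ext_ipv6.conf
if [ $# -gt 0 ]; then
    emit_macro "$1"
else
    demo
fi
```

The emitted line can be written to a file that pf.conf pulls in with `include "/etc/pf.ext_ipv6.conf"`, or passed on the command line with `pfctl -D ext_ipv6=<addr> -f /etc/pf.conf`; either way the `nat on $ext_if ... -> $ext_ipv6` rule itself stays identical on every host. If the address on the interface ever changes (renumbering, a new SLAAC prefix), the script has to be re-run and the ruleset reloaded, so it belongs in the provisioning step rather than in a one-off edit.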