For those who use NAT66, add the following commands:
Add destination prefix matching, including the "except" (!) form, to source NAT. For example:
    vyos@vyos# set nat66 source rule 100
    Possible completions:
       description          Rule description
     > destination          IPv6 destination prefix options
       disable              Disable NAT66 rule
       log                  NAT66 rule logging
       outbound-interface   Outbound interface of NAT66 traffic
     > source               IPv6 source prefix options
     > translation          Translated IPv6 address options

    vyos@vyos# set nat66 source rule 100 source prefix
    Possible completions:
       <h:h:h:h:h:h:h:h/x>    IPv6 prefix
       !<h:h:h:h:h:h:h:h/x>   Match everything except the specified IPv6 prefix

    vyos@vyos# set nat66 source rule 100 destination prefix
    Possible completions:
       <h:h:h:h:h:h:h:h/x>    IPv6 prefix
       !<h:h:h:h:h:h:h:h/x>   Match everything except the specified IPv6 prefix
An example of a SNAT rule record in nftables:
oifname "eth0" counter packets 0 bytes 0 ip6 saddr fd00:1111:1111:1111::/64 ip6 daddr != fd01:1111:1111:1111::/64 masquerade comment "SRC-NAT66-100"
Add source prefix matching, including the "except" (!) form, to destination NAT. For example:
    vyos@vyos# set nat66 destination rule 100
    Possible completions:
       description          Rule description
     > destination          IPv6 destination prefix options
       disable              Disable NAT66 rule
       inbound-interface    Inbound interface of NAT66 traffic
       log                  NAT66 rule logging
     > source               IPv6 source prefix options
     > translation          Translated IPv6 address options

    vyos@vyos# set nat66 destination rule 100 source prefix
    Possible completions:
       <h:h:h:h:h:h:h:h/x>    IPv6 prefix
       !<h:h:h:h:h:h:h:h/x>   Match everything except the specified IPv6 prefix
An example of a DNAT rule record in nftables:
iifname "eth0" counter packets 0 bytes 0 ip6 saddr 2002:1111:1111:1111::/64 ip6 daddr 2001:1111:1111:1111::100 dnat to fd00:1111:1111:1111::100 comment "DST-NAT66-100"
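
How the proposed prefix options could map onto the two nftables records above, including the `!` form becoming `!=`. This is an added example, not VyOS's own code: `nat66_rule`, `_prefix`, `_match` and the interface-name pattern are hypothetical. Every prefix is parsed with `ipaddress` before it is written into the rule text, and the rule is emitted with a bare `counter`, which `nft list` later shows as `counter packets 0 bytes 0`.

```python
import ipaddress
import re

IFNAME = re.compile(r"[A-Za-z0-9._-]{1,15}")  # assumed interface-name policy


def _prefix(value):
    """Validate an IPv6 address or prefix and return it in canonical text form."""
    net = ipaddress.IPv6Network(value)  # raises ValueError on anything else
    return str(net.network_address) if net.prefixlen == 128 else str(net)


def _match(field, value):
    """Render 'ip6 <field> [!=] <prefix>'; a leading '!' is the except form."""
    negate = value.startswith("!")
    text = _prefix(value[1:] if negate else value)
    return f"ip6 {field} {'!= ' if negate else ''}{text}"


def nat66_rule(kind, number, interface, translation, source=None, destination=None):
    """Build one nftables rule line from hypothetical NAT66 rule settings."""
    if kind not in ("source", "destination"):
        raise ValueError("kind must be 'source' or 'destination'")
    if not IFNAME.fullmatch(interface):
        raise ValueError("invalid interface name")
    is_src = kind == "source"
    parts = [f'{"oifname" if is_src else "iifname"} "{interface}"', "counter"]
    if source:
        parts.append(_match("saddr", source))
    if destination:
        parts.append(_match("daddr", destination))
    if is_src and translation == "masquerade":
        parts.append("masquerade")
    else:
        parts.append(f'{"snat" if is_src else "dnat"} to {_prefix(translation)}')
    parts.append(f'comment "{"SRC" if is_src else "DST"}-NAT66-{int(number)}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed inputs that mirror the two rule records shown on the page.
    print(nat66_rule("source", 100, "eth0", "masquerade",
                     source="fd00:1111:1111:1111::/64",
                     destination="!fd01:1111:1111:1111::/64"))
    print(nat66_rule("destination", 100, "eth0", "fd00:1111:1111:1111::100",
                     source="2002:1111:1111:1111::/64",
                     destination="2001:1111:1111:1111::100"))
```

A value that is not a plain IPv6 address or prefix raises `ValueError` and never reaches the generated ruleset.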