My ISP assigns a static prefix that I allocate to my LAN interfaces in a typical IPv6 setup. I also receive a dynamic /128 address via SLAAC.
I have WireGuard configured on RouterOS which works nicely. I also have a second site that connects to my primary site WireGuard endpoint. The second site is behind CGNAT for IPv4 so it makes sense to establish the WireGuard tunnel over IPv6.
My question is what is best practice here in terms of the IPv6 GUA I should be using for the WireGuard endpoint? I’ve been using the SLAAC assigned GUA on the WAN interface but this is not ideal because it’s not static and I need to manually update the DNS when it changes.
Should I be assigning a second GUA to my WAN from the ISP prefix pool?
Any thoughts or experiences shared are most welcome.
Thanks, I’ve come across a couple of guides that do this and suspected it to be poor practice.
That sounds like the most sensible approach, thank you. I had considered creating a new VLAN interface on my main bridge but I think I will go with your suggestion to logically separate it from my internal interfaces.
On reflection I’m not sure this solution will work for me as I need the address to be public facing so that the remote site can connect to the WireGuard endpoint.
I think I’ll go with a dedicated VLAN interface on my main bridge for now.
The IPv6 address currently assigned to your router on the main LAN bridge can be used for this purpose. There is no need to add new interfaces and assign more addresses or to assign an address to the WAN interface from the pool. If you have multiple LAN interfaces, any of their currently assigned GUA IPv6 addresses works too.