Feature Request: Allow IPv6 Prefix Delegation / Static Prefix with VPN Client (instead of forced NAT6)

Hey there,

I'm running a WireGuard VPN that hands out a static /56 IPv6 prefix. My goal is to use that prefix as the LAN-side IPv6 network on my GL-MT5000, so that devices behind the router get globally routable, stable IPv6 addresses.

Without the VPN, every reconnect (or failover event) means the entire LAN gets a new IPv6 prefix. This can make it hard to maintain DDNS entries and similar. Also, the backup link, a mobile connection, blocks any incoming IPv6 traffic anyway.

The WireGuard VPN solves this: it provides a single static prefix that stays the same regardless of which WAN link is active or how often it reconnects. The VPN gives me the stable addressing layer that neither WAN connection can provide on its own.

However, firmware 4.8.4 appears to force NAT6 whenever a VPN client is active. So even if I try to set up the static prefix, NAT6 is always there, and I have not found a way to disable NAT6 only, just all masquerading (NAT44 and NAT66).

OpenWrt's LuCI interface has a clean option for configuring a static routed prefix from an upstream interface (see screenshot below), but the GL.iNet layer overrides it. And I have not found a good workaround for this.

What I'd hope to see in a future release:

  • A way to configure a static routed IPv6 prefix, like the existing option in LuCI, which, when set, disables NAT6 for the VPN interface and properly routes the prefix to the LAN.

  • NAT6 as a fallback makes sense when the VPN tunnel is down, so LAN clients still get IPv6 connectivity through the WAN uplink. But when the VPN is up and a static prefix is configured, NAT6 should get out of the way.

  • When NAT6 is active (e.g. VPN down, fallback to WAN), it should do prefix translation (NPTv6), not translate everything to a single address (or at least give the option to do so). The WAN uplink provides at least a /64, so there's plenty of space for a proper 1:1 prefix mapping. This would also come in handy in multihoming scenarios, without a VPN for the prefix.
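To make the "1:1 prefix mapping" of the last point concrete, here is a small Python model of stateless NPTv6 as specified in RFC 6296. It is an added example, not code from this post and not GL.iNet's or OpenWrt's implementation; the prefixes and the LAN host address in it are constructed sample values (ULA and documentation ranges). It shows the two things that make NPTv6 different from translating everything to one address: the host part of the address survives the mapping unchanged, and a single 16-bit word is adjusted so that TCP/UDP/ICMPv6 checksums, which cover the addresses, remain valid without the translator touching the transport header.

```python
"""NPTv6 (RFC 6296) stateless, checksum-neutral prefix translation.

Added illustration: the inside prefix is swapped for the outside prefix and one
16-bit word of the address is adjusted so the one's complement sum over the
whole address does not change.  Transport checksums therefore stay valid.
"""
import ipaddress


def _words(value):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]


def _oc_add(a, b):
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _oc_sum(words):
    """One's complement sum of a list of 16-bit words."""
    total = 0
    for w in words:
        total = _oc_add(total, w)
    return total


def address_sum(addr):
    """One's complement sum over all eight words of an IPv6 address."""
    return _oc_sum(_words(int(ipaddress.IPv6Address(addr))))


def is_checksum_neutral(addr_a, addr_b):
    """True when both addresses contribute the same value to a transport checksum.

    0x0000 and 0xFFFF are the same value in one's complement arithmetic, so both
    sums are reduced modulo 0xFFFF before comparing.
    """
    return (address_sum(addr_a) % 0xFFFF) == (address_sum(addr_b) % 0xFFFF)


def npt_translate(addr, inside_prefix, outside_prefix):
    """Map addr from inside_prefix into outside_prefix per RFC 6296.

    Both prefixes must have the same length and be no longer than /64.  The
    mapping is its own inverse: call it again with the prefixes swapped.
    """
    addr = ipaddress.IPv6Address(addr)
    inside = ipaddress.IPv6Network(inside_prefix)
    outside = ipaddress.IPv6Network(outside_prefix)
    plen = inside.prefixlen
    if plen != outside.prefixlen or plen > 64:
        raise ValueError("prefixes must be of equal length and no longer than /64")
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")

    # 1. Rewrite the prefix bits; every host bit is kept as-is.
    host_mask = (1 << (128 - plen)) - 1
    words = _words((int(outside.network_address) & ~host_mask) | (int(addr) & host_mask))

    # 2. adjustment = sum(inside prefix) - sum(outside prefix) in one's complement.
    #    network_address has the host bits zeroed, so each sum covers prefix bits only.
    inside_sum = _oc_sum(_words(int(inside.network_address)))
    outside_sum = _oc_sum(_words(int(outside.network_address)))
    adjustment = _oc_add(inside_sum, (~outside_sum) & 0xFFFF)

    # 3. Choose the word that absorbs the adjustment: the subnet word (bits 48-63)
    #    for prefixes up to /48, otherwise the first IID word that is not 0xFFFF.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("address has no IID word that can carry the adjustment")

    total = _oc_add(words[idx], adjustment)
    # 0xFFFF and 0x0000 are the same one's complement value; store the canonical 0x0000.
    words[idx] = 0 if total == 0xFFFF else total

    result = 0
    for w in words:
        result = (result << 16) | w
    return ipaddress.IPv6Address(result)


if __name__ == "__main__":
    # Constructed sample values: a ULA /64 on the LAN mapped onto a documentation /64
    # standing in for the WAN-delegated prefix.
    inside, outside = "fd00:10:20:1::/64", "2001:db8:abcd:1::/64"
    host = "fd00:10:20:1:1234:5678:9abc:def0"
    out = npt_translate(host, inside, outside)
    back = npt_translate(out, outside, inside)
    print(f"{host} -> {out} -> {back}; checksum-neutral: {is_checksum_neutral(host, out)}")
```

Running the module shows the round trip for one host. With /64 prefixes the adjustment lands in the first word of the interface identifier; with /48 prefixes (the other case in the test below the fence is stripped before publication, but the function handles it) it lands in the subnet word, so the inside subnet number is not preserved verbatim on the outside, which is something to keep in mind when reading firewall logs on the WAN side.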

Did anyone find a workaround for this, or has a similar use case?

Thanks for any input on this.