
> Major question: is something like this feasible with Opnsense as a router, or should I only try it with a Linux solution?

It should be possible, but I'm not familiar with OPNsense. If you can't use clatd there, you will need some other implementation of 464XLAT.

Then, if you want to offer IPv4 on your network, you'll have to use DHCP on an RFC1918 block (e.g. offer IPs in 10.1.2.3) and masquerade to the 192.0.0.1 gateway you've created with your 464XLAT implementation (whether clatd or something else).

Here you'll have to use tayga, as you don't seem to have a GW provided by your ISP Level3.

> How much does this complicate my firewalling

Not much. The IPv4 rules would be as before, but the clat interface would be your default IPv4 route, so you'd need to replace all instances of `eth0` or `wlan0` by `clat` in your scripts on the machine running clatd.

> Do I deal with firewalling IPV6 only from the outside world?

It depends on whether you want to firewall IPv6. If you fear some services are reachable by IPv6 while they shouldn't be, use ip6tables. Just remember that in IPv6 you should keep ICMP flowing, as it serves many purposes.

You can also decide to not offer IPv6 at all on your LAN (making it IPv4-only on 10.1.2.3, with the packets going to clatd 192.0.0.1 on your router).

> Or do I need to worry about RFC1918 addresses on my LAN "leaking" out to the IPv4 world via the IPv6 connection?

It shouldn't: IIRC 464XLAT implementations will only route non-RFC1918 packets. Check the RFCs if you want to be sure, or forge packets to try.
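The address mapping that clatd (CLAT side) and tayga (PLAT/NAT64 side) perform is the RFC 6052 IPv4-embedded IPv6 format, and the "RFC1918 packets don't leak" property in the reply is a policy decision on top of it. The following is an added Python example, not code from clatd, tayga or the comment author, that implements the embedding for every prefix length RFC 6052 permits (not only the /96 case the comment implies) and a CLAT-side policy that refuses to translate RFC 1918, loopback, link-local and multicast destinations. It assumes the well-known NAT64 prefix 64:ff9b::/96 as the default; the sample destinations are constructed, and the refusal policy is this example's own, so check what your actual implementation does rather than assuming it matches.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, the mapping behind 464XLAT and NAT64."""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network
from typing import Optional, Union

# Well-known NAT64 prefix (RFC 6052 section 2.1); an ISP may announce its own instead.
WELL_KNOWN_PREFIX = "64:ff9b::/96"

# RFC 1918 private space: the CLAT policy below never translates these destinations.
RFC1918 = tuple(IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Prefix lengths RFC 6052 permits; anything else is rejected.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _prefix(prefix: Union[str, IPv6Network]) -> IPv6Network:
    net = IPv6Network(prefix)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"RFC 6052 does not allow a /{net.prefixlen} prefix")
    return net


def embed(prefix, v4) -> IPv6Address:
    """Build the IPv6 address that carries IPv4 address `v4` inside `prefix`.

    For a /96 the IPv4 address fills the last 32 bits. For shorter prefixes the
    IPv4 bits are split around the reserved 'u' octet (bits 64-71, always zero):
    the part that fits between the prefix and bit 64 goes there, the remainder
    goes immediately after bit 71 (RFC 6052 section 2.2).
    """
    net = _prefix(prefix)
    plen = net.prefixlen
    p = int(net.network_address) >> (128 - plen)
    a = int(IPv4Address(v4))
    if plen == 96:
        return IPv6Address((p << 32) | a)
    n_hi = 64 - plen            # IPv4 bits placed before the u octet
    n_lo = 32 - n_hi            # IPv4 bits placed after it
    hi, lo = a >> n_lo, a & ((1 << n_lo) - 1)
    return IPv6Address((p << (128 - plen)) | (hi << 64) | (lo << (56 - n_lo)))


def extract(prefix, v6) -> IPv4Address:
    """Inverse of embed(): the IPv4 address a PLAT/NAT64 box forwards the packet to."""
    net = _prefix(prefix)
    addr = IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    plen = net.prefixlen
    value = int(addr)
    if plen == 96:
        return IPv4Address(value & 0xFFFF_FFFF)
    n_hi = 64 - plen
    n_lo = 32 - n_hi
    hi = (value >> 64) & ((1 << n_hi) - 1)
    lo = (value >> (56 - n_lo)) & ((1 << n_lo) - 1)
    return IPv4Address((hi << n_lo) | lo)


def clat_destination(dst, prefix=WELL_KNOWN_PREFIX) -> Optional[IPv6Address]:
    """CLAT-side policy for an outbound IPv4 destination.

    Returns the translated IPv6 destination, or None when the packet must not go
    up the IPv6 path: RFC 1918, loopback, link-local and multicast destinations
    stay on the local IPv4 side. This is the example's own policy (an assumption),
    not a statement about any particular implementation.
    """
    a = IPv4Address(dst)
    if any(a in net for net in RFC1918) or a.is_loopback or a.is_link_local or a.is_multicast:
        return None
    return embed(prefix, a)


if __name__ == "__main__":
    # Constructed sample destinations: two LAN hosts behind the router and a
    # documentation-range (203.0.113.0/24) host standing in for the Internet.
    for dst in ("10.1.2.3", "192.168.1.20", "203.0.113.5"):
        out = clat_destination(dst)
        print(f"{dst:>14} -> {out if out else 'not translated (stays on local IPv4)'}")
    v6 = embed("2001:db8:100::/40", "192.0.2.33")
    print(v6, "->", extract("2001:db8:100::/40", v6))  # round trip through a /40 PLAT prefix
```

To verify the leak concern on a real router, the same idea applies in reverse: whatever leaves on the IPv6 uplink should only ever carry destinations inside the PLAT prefix that decode, via `extract()`, to non-RFC1918 addresses; anything else is a sign the CLAT is translating traffic it should have kept local.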
