I have a WWAN backup link that is not IPv6-capable. Clients get GUAs from the primary link. In case this link goes down and SD-WAN switches to the backup link, the outbound IPv6 traffic needs NAT64.
Edit: realized that NAT64 is not the right solution for this scenario. See below.
So I need NAT64 for all the IPv6 traffic that leaves through the backup link interface of my FortiGate.
NAT64 is configured on a policy level, but I can't do policies on member interfaces once they have joined an SD-WAN zone.
How can I achieve this? Or did I overlook something? I could add another router that does the NAT64 for this link. But I'd prefer a solution without an additional device.
Slightly off-topic: if I had an IPv6-capable backup link, is there really no NPTv6 on FortiGates?