Bug #12319
closed
NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode
Added by Viktor Gurov over 2 years ago.
Updated about 2 years ago.
Plus Target Version:
22.05
Description
Invalid rules created:
# NAT Inbound Redirects
rdr pass on vtnet0 inet proto tcp from any to 192.168.3.4 port 110 -> 192.168.3.42 port 443
rdr on vtnet0 inet6 proto tcp from any to fc00:3::4 port 110 -> fc00:123::5555 port 443
# Reflection redirects
rdr on { vtnet2 enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000
Aug 31 15:46:53 pf4 php-fpm[1161]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules:
/tmp/rules.debug:185: no translation address with matching address family found. - The line in question reads [185]:
rdr on { vtnet2 enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000
/var/etc/xinetd.conf:
service 19000-tcp
{
type = unlisted
bind = 127.0.0.1
port = 19000
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/bin/nc
server_args = -w 2000 fc00:123::5555 443
}
I'm not sure we should even try supporting that mode for IPv6, it's bad enough for IPv4.
I'm inclined to have the backend code skip any IPv6 in that mode, and drop a note in the GUI on the reflection options stating that isn't supported for IPv6. Maybe toss an input validation error if someone picks that mode specifically on a port forward with IPv6 addresses.
- Status changed from New to Pull Request Review
- Target version set to CE-Next
- Plus Target Version set to Plus-Next
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
- Target version changed from CE-Next to 2.6.0
- Plus Target Version changed from Plus-Next to 22.01
- Subject changed from IPv6 Port Forwarding rules doesn't work in NAT+Proxy mode to NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode
Updating subject for release notes.
Tested on the:
2.6.0-RC (amd64)
built on Mon Jan 24 18:44:12 UTC 2022
FreeBSD 12.3-STABLE
It works only if you choose NAT + Proxy on the port forward configuration page. It should check the Network Address Translation setup under the System/Advanced/Firewall & NAT page too.
- Status changed from Feedback to New
- Assignee set to Viktor Gurov
- Target version changed from 2.6.0 to 2.7.0
- % Done changed from 100 to 50
- Plus Target Version changed from 22.01 to 22.05
- Affected Version changed from 2.5.2 to 2.6.0
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- Status changed from Feedback to Resolved
Tested:
2.7.0-DEVELOPMENT (amd64)
built on Wed Feb 16 06:17:48 UTC 2022
FreeBSD 12.3-STABLE
Works fine. I am marking the ticket resolved.
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov 
Updated by