Bug #15268
Network Prefix Translation (NPt) not properly translating the prefix for unsolicited inbound connections
Status: Closed
Description
Unsolicited inbound traffic with the ISP prefix (external prefix) is always translated to the internal prefix specified in the topmost entry of the NPt mapping table, rather than the prefix for the proper subnet.
Internet host: 2001:db8:10a:23a7::1
LAN1 static IPv6: 2001:db8:2:1::/64
LAN2 static IPv6: 2001:db8:2:2::/64
LAN3 (ISP delegated prefix): 2001:db8:1:1::/64
Pinging my PC in LAN1 from the internet host outside my network using the ISP delegated prefix: 2001:db8:1:1:58bd:bbd3:cd6d:3909
When the LAN1 NPt mapping entry is at the very top, the ping packets can reach my PC as expected.
NPt mapping and filtered state table are shown in NPt-mapping-1.png and state-table-1.png.
When the LAN2 NPt mapping entry is moved before LAN1's entry, the ping packets can no longer reach my PC.
NPt mapping and filtered state table are shown in NPt-mapping-2.png and state-table-2.png.
Files
Updated by machbot . over 1 year ago
- File state-table-1.png state-table-1.png added
Updated by machbot . over 1 year ago
- File NPt-mapping-2.png NPt-mapping-2.png added
Updated by machbot . over 1 year ago
- File state-table-2.png state-table-2.png added
Updated by Jim Pingle over 1 year ago
- Status changed from New to Not a Bug
You cannot map multiple internal prefixes to the same external prefix. As you see, only the first one will work properly in both directions.
The core idea behind NPT is that you map each internal prefix separately to a different external prefix, otherwise it's not that different than plain outbound NAT.
The same limitations apply to IPv4 -- you can't 1:1 NAT multiple internal addresses to the same external address.
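The behaviour described in the report and in the reply above, as an added worked example that is not part of the bug report or of pfSense's own code: a toy model of an NPt table with first-match lookup in each direction. Outbound packets are matched on the internal prefix, unsolicited inbound packets on the external prefix, and in both cases the host bits are kept while the prefix bits are swapped. With the two reporter's entries (both LAN1 and LAN2 mapped to the ISP /64), an inbound packet for 2001:db8:1:1:58bd:bbd3:cd6d:3909 lands in whichever internal prefix is listed first. The "fixed" table that gives LAN2 its own external prefix 2001:db8:1:2::/64 is an assumption for illustration (the report shows only one delegated /64). pf's state handling and the RFC 6296 checksum-neutral adjustment are not modelled; this is a stateless lookup only.

```python
"""Toy model of first-match NPt (IPv6 prefix translation) lookups.

Added illustration, not pfSense code. Addresses are the ones from the bug
report; the second external prefix 2001:db8:1:2::/64 is an assumed example.
"""
import ipaddress
from typing import List, Optional, Tuple

# One NPt entry: (internal prefix, external prefix), equal prefix length.
Entry = Tuple[ipaddress.IPv6Network, ipaddress.IPv6Network]


def entry(internal: str, external: str) -> Entry:
    i, e = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    if i.prefixlen != e.prefixlen:
        raise ValueError("internal and external prefixes must have the same length")
    return (i, e)


def _swap_prefix(addr: ipaddress.IPv6Address,
                 src: ipaddress.IPv6Network,
                 dst: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the host bits of addr; replace the src prefix bits with dst's."""
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & host_mask))


def outbound(table: List[Entry], src: str) -> Optional[str]:
    """Internal -> external: first entry whose internal prefix contains src wins."""
    a = ipaddress.IPv6Address(src)
    for internal, external in table:
        if a in internal:
            return str(_swap_prefix(a, internal, external))
    return None


def inbound(table: List[Entry], dst: str) -> Optional[str]:
    """External -> internal for an unsolicited packet: first entry whose
    external prefix contains dst wins, regardless of the intended subnet."""
    a = ipaddress.IPv6Address(dst)
    for internal, external in table:
        if a in external:
            return str(_swap_prefix(a, external, internal))
    return None


def round_trip_ok(table: List[Entry], host: str) -> bool:
    """True if a packet to the host's translated address comes back to the host."""
    ext = outbound(table, host)
    return ext is not None and inbound(table, ext) == host


def overlapping_externals(table: List[Entry]) -> List[Tuple[int, int]]:
    """Index pairs whose external prefixes overlap: the check a practitioner
    would run on a table before relying on inbound NPt."""
    return [(i, j) for i in range(len(table)) for j in range(i + 1, len(table))
            if table[i][1].overlaps(table[j][1])]


ISP = "2001:db8:1:1::/64"          # LAN3, ISP delegated prefix (from the report)
LAN1, LAN2 = "2001:db8:2:1::/64", "2001:db8:2:2::/64"
PC = "2001:db8:2:1:58bd:bbd3:cd6d:3909"            # PC in LAN1
PING_DST = "2001:db8:1:1:58bd:bbd3:cd6d:3909"      # what the internet host pings

# NPt-mapping-1.png: LAN1 entry on top.
LAN1_FIRST = [entry(LAN1, ISP), entry(LAN2, ISP)]
# NPt-mapping-2.png: LAN2 entry moved above LAN1.
LAN2_FIRST = [entry(LAN2, ISP), entry(LAN1, ISP)]
# Assumed fix: one external prefix per internal prefix.
DISTINCT = [entry(LAN1, ISP), entry(LAN2, "2001:db8:1:2::/64")]

if __name__ == "__main__":
    for name, table in (("LAN1 first", LAN1_FIRST), ("LAN2 first", LAN2_FIRST),
                        ("distinct externals", DISTINCT)):
        print(f"{name}: overlapping externals {overlapping_externals(table)}")
        print(f"  ping to {PING_DST} is delivered to {inbound(table, PING_DST)}")
        print(f"  LAN1 host round trip: {round_trip_ok(table, PC)}, "
              f"LAN2 host round trip: {round_trip_ok(table, '2001:db8:2:2::10')}")
```

The `overlapping_externals` check is the part worth keeping: if it returns any pair, inbound translation for every entry after the first overlapping one is ambiguous, and only the topmost entry can work in both directions, which is exactly what the screenshots show.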