Bug #7742

1:1 NAT for IPv6 applies wrong subnet mask to "Single Host"

Added by Adam Thompson almost 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version: -
Start date: 07/31/2017
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.3.4
Affected Architecture:

Description

Adding an IPv6 1:1 NAT entry and choosing "Single Host" produces the resulting rule in /tmp/rules.debug:
binat on vmx0 from fd60:7f9c:65d8:1::2/32 to any -> 2607:5300:79:501:167:114:147:50/32
which is, well, wrong. I really don't want to NAT an entire /32's worth of address space, thanks.

Workaround: select "Network" instead of "Single Host" and choose "/128" as the subnet mask. That correctly generates the rule:
binat on vmx0 from fd60:7f9c:65d8:1::2 to any -> 2607:5300:79:501:167:114:147:50
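
A way to audit a copy of /tmp/rules.debug for the symptom reported above, as an added example that is not part of the original report or the project's code: it flags IPv6 binat operands whose address has bits set beyond the stated prefix length, which is what a single host paired with a /32 (or /31) mask looks like. The function names and the sample file content are constructed for illustration, and only the simple `binat on IF from SRC to any -> DST` rule shape quoted in the report is parsed.

```python
import ipaddress
import re

# Constructed sample of /tmp/rules.debug content. The first two binat lines are
# the ones quoted in the report; the remaining lines are made up for contrast.
SAMPLE_RULES = """\
# constructed sample
binat on vmx0 from fd60:7f9c:65d8:1::2/32 to any -> 2607:5300:79:501:167:114:147:50/32
binat on vmx0 from fd60:7f9c:65d8:1::2 to any -> 2607:5300:79:501:167:114:147:50
binat on vmx0 from fd60:7f9c:65d8:2::/64 to any -> 2607:5300:79:502::/64
binat on vmx0 from 192.0.2.10/32 to any -> 198.51.100.10/32
"""

# Matches only the simple rule shape shown in the report (assumption).
BINAT_RE = re.compile(r"^binat on (\S+) from (\S+) to \S+ -> (\S+)")


def host_bits_set(token):
    """True if token is an IPv6 address/prefix with bits set outside the
    prefix, i.e. a host address paired with a mask shorter than it needs."""
    try:
        iface = ipaddress.ip_interface(token)
    except ValueError:
        return False  # alias, macro or table name: cannot be judged here
    if iface.version != 6:
        return False  # /32 is the correct single-host mask for IPv4
    return iface.ip != iface.network.network_address


def audit_binat(rules_text):
    """Return (line_number, operand) for each suspicious IPv6 binat operand."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        match = BINAT_RE.match(line.strip())
        if not match:
            continue
        for token in (match.group(2), match.group(3)):
            if host_bits_set(token):
                findings.append((lineno, token))
    return findings


if __name__ == "__main__":
    for lineno, token in audit_binat(SAMPLE_RULES):
        print(f"line {lineno}: {token} has host bits beyond its prefix length")
```

A genuine "Network" mapping such as a /64 on a network address passes, so the check separates the mis-masked single host from an intentionally wide rule.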

History

#1 Updated by Adam Thompson almost 2 years ago

(I believe this is why I thought IPv6 NAT was broken in #7740. Not 100% sure. Made enough mistakes today I'm not sure of anything anymore.)

#2 Updated by Adam Thompson almost 2 years ago

Also, when re-editing that 1:1 NAT rule, the GUI repeatedly resets the prefix length to "31". This, again, breaks all IPv6 (due to the subsequent NDP adjacency failure) if you don't notice it when you click Save and Apply.

#3 Updated by Adam Thompson almost 2 years ago

While working through ticket #25935 with Chris Linstruth (from Netgate support) I just observed something very odd on my firewall:
A similar effect seems to strike the NPt mappings page; I had only ever entered /128 or /64 as the prefix length, but when going back to view it, it's now set to /112.
Is there any code in common between the 1:1 NAT page and the NPt page? Or replicated code, perhaps? I haven't had time to look at the source for either...

Scratch that, Chris put the /112 in there. The original bug stands, though.
