Bug #7742
closed
1:1 NAT for IPv6 applies wrong subnet mask to "Single Host"
100%
Description
Adding an IPv6 1:1 NAT entry and choosing "Single Host" produces the resulting rule in /tmp/rules.debug:
binat on vmx0 from fd60:7f9c:65d8:1::2/32 to any -> 2607:5300:79:501:167:114:147:50/32
which is, well, wrong. I really don't want to NAT an entire /32's worth of address space, thanks.
Workaround: select "Network" instead of "Single Host" and choose "/128" as the subnet mask. That correctly generates the rule:
binat on vmx0 from fd60:7f9c:65d8:1::2 to any -> 2607:5300:79:501:167:114:147:50
Updated by Adam Thompson over 7 years ago
(I believe this is why I thought IPv6 NAT was broken in #7740. Not 100% sure. Made enough mistakes today I'm not sure of anything anymore.)
Updated by Adam Thompson over 7 years ago
Also, when re-editing that 1:1 NAT rule, the GUI repeatedly resets the prefix length to "31". This, again, breaks all IPv6 (due to the subsequent NDP adjacency failure) if you don't notice it when you click Save and Apply.
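A check for the symptom reported above, as an added example that is not part of the ticket or of pfSense's own code: it scans rules.debug-style text for binat rules whose IPv6 operand carries a prefix shorter than /128 while host bits are set, which covers the /32 produced by "Single Host" and would also catch a /31 if the re-edit described above reaches the generated rule in the same form. The sample text is constructed from the two rules quoted in the report, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of /tmp/rules.debug: the two binat lines are
# the ones quoted in the report, the pass line is filler.
SAMPLE_RULES = """\
binat on vmx0 from fd60:7f9c:65d8:1::2/32 to any -> 2607:5300:79:501:167:114:147:50/32
binat on vmx0 from fd60:7f9c:65d8:1::2 to any -> 2607:5300:79:501:167:114:147:50
pass in quick on vmx0 inet6 from any to any
"""

# Matches the rule shape shown in the report: binat on IF from SRC to X -> DST
BINAT_RE = re.compile(r"^\s*binat\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+\S+\s+->\s+(\S+)")


def check_operand(text):
    """Return a reason if an IPv6 operand looks like a host given a network mask."""
    try:
        iface = ipaddress.ip_interface(text)
    except ValueError:
        return None  # alias, table, macro or keyword: not judged here
    if iface.version != 6 or iface.network.prefixlen == 128:
        return None  # IPv4, or a bare address / explicit /128
    if iface.ip != iface.network.network_address:
        # A genuine network would be written as its network address.
        return f"{text}: host bits set under /{iface.network.prefixlen}"
    return None


def find_suspect_binat(rules_text):
    """Return (line_number, interface, reason) for each suspicious binat operand."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        m = BINAT_RE.match(line)
        if not m:
            continue
        ifname, src, dst = m.groups()
        for operand in (src, dst):
            reason = check_operand(operand)
            if reason:
                findings.append((lineno, ifname, reason))
    return findings


if __name__ == "__main__":
    for lineno, ifname, reason in find_suspect_binat(SAMPLE_RULES):
        print(f"line {lineno} ({ifname}): {reason}")
```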
Updated by Adam Thompson over 7 years ago
While working through ticket #25935 with Chris Linstruth (from Netgate support) I just observed something very odd on my firewall:
A similar effect seems to strike the NPt mappings page; I had only ever entered /128 or /64 as the prefix length, but when going back to view it, it's now set to /112.
Is there any code in common between the 1:1 NAT page and the NPt page? Or replicated code, perhaps? I haven't had time to look at the source for either...
Scratch that, Chris put the /112 in there. The original bug stands, though.
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!