Bug #7742
closed
1:1 NAT for IPv6 applies wrong subnet mask to "Single Host"
Added by Adam Thompson over 7 years ago.
Updated about 4 years ago.
Description
Adding an IPv6 1:1 NAT entry and choosing "Single Host" produces the resulting rule in /tmp/rules.debug:
binat on vmx0 from fd60:7f9c:65d8:1::2/32 to any -> 2607:5300:79:501:167:114:147:50/32
which is, well, wrong. I really don't want to NAT an entire /32's worth of address space, thanks.
Workaround: select "Network" instead of "Single Host" and choose "/128" as the subnet mask. That correctly generates the rule:
binat on vmx0 from fd60:7f9c:65d8:1::2 to any -> 2607:5300:79:501:167:114:147:50
(I believe this is why I thought IPv6 NAT was broken in #7740. Not 100% sure. Made enough mistakes today I'm not sure of anything anymore.)
Also, when re-editing that 1:1 NAT rule, the GUI repeatedly resets the prefix length to "31". This, again, breaks all IPv6 (due to the subsequent NDP adjacency failure) if you don't notice it when you click Save and Apply.
While working through ticket #25935 with Chris Linstruth (from Netgate support) I just observed something very odd on my firewall:
A similar effect seems to strike the NPt mappings page; I had only ever entered /128 or /64 as the prefix length, but when going back to view it, it's now set to /112.
Is there any code in common between the 1:1 NAT page and the NPt page? Or replicated code, perhaps? I haven't had time to look at the source for either...
Scratch that, Chris put the /112 in there. The original bug stands, though.
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
- Status changed from Feedback to Resolved
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov 
Updated by 
Updated by 
Updated by Anonymous