-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NPTv6 return traffic exiting WAN with wrong IP #4879
Comments
Still an issue in 21.1.4 |
I believe the issue started at 20.7.6. I also use NPTv6 to give the internal machines external IPv6 from my only /64. Without changing configuration, they are no longer available when upgrading to 20.7.6 |
I don't have a firewall backup for 20.7.5, are you able to go back to that version and test? |
Yes, Luckily I run firewall on vmware and have a snapshot I can revert to. |
So every time you go back to 20.7.5 it starts working again. I did backup but didn't test NPTv6 and was too late by the time I realised (I don't use it much). Did you also get the issue where it only works one way, or did it just not work at all? |
I really only tested for incoming access to my webservers, outgoing is a secondary concern. Could this be the issue (from changelog)? firewall: correctly select current IPv6 field in getInterfaceGateway() I don't particularly fancy trying upgrading one patch at a time, partly because I don't know how, and partly because I don't know where to start :-( |
Incoming from the WAN is where I discovered the issue too, going out the WAN was working fine. Shall need to wait for Ad and co to look in too this. |
Updated to 21.1.5, still broken. |
With the patch ipv6-servers are now available again. (20.7.6) |
Did you get /tmp/rules.debug before and after? Edit; Outbound is little odd, do you need to restart after the revert? |
I restarted. I have rules.debug after, but not before, but I can always apply the patch again ;-) |
Before and after: `
` |
21.1.5, with that patch, doesn't work. Remove that patch from 21.1.5, no change.... I then re-saved the WAN interface, since I presumed from looking at the code this was required, for the change to take effect. rules.debug differences
Removing Patch (After) Working
There's other rules that are different but their just different services etc, but overall same differences $Mailcow expands to the Addresss fd37:c611:72fb:80::10,10.111.1.11 2001:41d0:800:26ff:ff:ff:ff:ff is the Gateway |
Are you saying that 21.1.5 does not need to be patched, however the interfaces should just be re-saved? |
You need to remove that patch, and then resave the WAN interface and it works once again. Should work 20.7.6 onwards. |
Just to clarify, do I revert the patch, or do I leave the system alone when upgrading from 20.7.5? |
Leave it alone while upgrading, encase it reverts the file back to its "broken" state, then run the patch command again. |
The patch added 'reply-to' functionality to IPv6 rules which for some reason seems to be incompatible with NPTv6. Instead of reverting the patch, you can just disable reply-to (in the firewall rules or globally in the advanced firewall settings). Should have the same effect. The question remains whether the reply-to / binat incompatibility is a design limitation or a bug. |
Would have to do some work to separate my rules in to IPv4 and IPv6 to use "disable reply-to" option but do able, but rather have the issue mitigated or resolved where needed. I do use 1:1 BINAT on my IPv4 addresses as well, I'm not sure if NPTv6 is just BINAT under the hood. |
I don't think there's a lot we can do, the generic reply-to option isn't very fine grained (it's either there or not). It's a bit of an inheritance on our end, in reality quite some setups better assign their gateways explicitly. |
Interesting. And that works with reply-to enabled?
It is. Check 'Firewall: Diagnostics: pfInfo: Nat'. Any difference between the IPv4 binat rules and the IPv6 binat rules? |
So currently IPv4 BINAT works with reply-to enabled, as you can see from the rules debug above.
|
The obvious difference is that IPv4 binat only has one rule ( |
@maurice-w I think all if this still originates from pfsense/pfsense@462f900 , to be honest, I have no clue how many people actually try to use NPTv6 on OPNsense or pfSense |
I've not come across too many people using NPTv6, I only know of myself and one other within my circles. I would assume as more IPv6 gets rolled and if ISPs only give out /64 subnets, it may get more use due to the limitations /64 subnet brings. |
I've reapplied the patch, so its back to how it was (broken) and I can confirm the NAT part is still the same.
I can confirm, disabling reply-to in the Firewall rule where NPTv6 addresses are being used is a workaround. |
I tried to reproduce the return traffic translation issue but it seems to be intermittent. Maybe related to firewall state? And I'm using the development version (21.7.a_384) so there might be other differences. But I'm now pretty confident that the reverse binat rule is erroneous. Not sure whether it's actually responsible for the reply-to incompatibility, but it's pointless. Binat is by definition bidirectional and a single address can't be both internal and external. Patch 3fbf537 omits the reverse binat rule. NPT keeps working for me and return traffic gets translated correctly, even with reply-to enabled. @FingerlessGlov3s, could you test |
Removed my disable reply-to Firewall rules, so the NPT stopped working, I then applied your patch, resaved the Firewall Rules so it would recreate the live ruleset, and boom working!!! I can confirm my other NPT rules also working. Thanks for your help here, its very much appreciated. NAT now shows
|
Great to hear, thanks for testing! Seems like another one of these "someone implemented it like this 10 years ago and no-one knows why" issues. ;-) @AdSchellevis, if you have no objections, I'll create a PR for the patch. |
@maurice-w sure, go ahead. can't promise to ship it in a minor release if it changes legacy behaviour (good or bad) |
Just worth closing this issue off with the command |
Thanks all! The second rule might have been a workaround and broke when pf(4) changes in FreeBSD made it obsolete at some point, maybe going from 11 to 12 in 20.7? |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
I have NPTv6 setup so I can use my limited IPv6 /64 prefix on any network be hide OPNsense. When traffic originates from the machine behide OPNsense (fd37:c611:72fb:80::10) I can curl and ping the internet fine and
curl -6 ifconfig.co
returns2001:41d0:800:2647::123:123:123
so I know its working. Monitoring the traffic withtcpdump -i vtnet0 icmp6
on OPNsense I can see the traffic leave the firewall with the correct IP.Now the bug, when I try access
2001:41d0:800:2647::123:123:123
from the internet, good example is ping6 tool. I can see the traffic go through OPNsense, translate to thefd37:c611:72fb:80::10
, then see it on the host be hide OPNsense using tcpdump as well. Then when it goes back through OPNsense it doesn't get translated back to2001:41d0:800:2647::123:123:123
when it exits the WAN atleast tcpdump isn't showing this.This used to work fine, and I heavy tested it, I believe its broken since going to 21.1, but can't be 100% sure, since I wasn't externally monitoring the IP, only internally monitoring.
To Reproduce
Create NPT rule
NPT Rule
| interface | WAN |
| Internal IPv6 Source | fd37:c611:72fb:80::10/128 |
| Destination IPv6 Prefix | 2001:41d0:800:2647::123:123:123 |
| Description | Mailcow |
Firewall Rule
| interface | WAN |
| Direction | IN |
| TCP/IP Version | IPv6+IPv6 |
| Source | ANY |
| Destination | ALIAS (contains fd37:c611:72fb:80::10 and 10.111.1.11[One-to-One NAT]) |
| Log | checked |
| Description | Mailcow ICMP |
| Gateway | Default |
Expected behaviour
Traffic to get translated back to the public IPv6, before exiting the WAN.
Describe alternatives you considered
Removing the NPTv6 rule and adding it again.
Relevant log files
Ping start on external (TCPDUMP monitored on PFsense WAN). Doesn't work
Ping start on Guest. Works
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 21.1.3_3-amd64 on Proxmox
FreeBSD 12.1-RELEASE-p14-HBSD
OpenSSL 1.1.1j 16 Feb 2021
Intel(R) Xeon(R) E-2236 CPU @ 3.40GHz (2 cores)
VTNET (Vertio)
The text was updated successfully, but these errors were encountered: