outgoing IPv6 NAT uses wrong (probably old) address

[bimbar]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

I have an IPv6 dialup with dynamic addresses. For that I use ULA internally, and use outgoing NAT for IPv6.

root@scylla:~ # pfctl -s nat
nat on igb2_vlan999 inet6 from <accessgroup_internet> to any -> (igb2_vlan999:0) port 1024:65535

and

igb2_vlan999: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1492
	inet6 2001:a62:14a1:fd01:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf

but when pinging google from inside, tcpdump shows:

18:13:25.002709 IP6 2001:a62:1492:1c01:xxxx:xxxx:xxxx:xxxx > 2a00:1450:4001:80f::2003: ICMP6, echo request, seq 9, length 16

which is the wrong prefix.

To Reproduce

See above, configure NATv6, wait a few days.

Expected behavior

I did expect the right source IP to be used.

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 21.7.3 (amd64, OpenSSL).
APU2D4

[fichtner]

@bimbar It's relatively easy to emulate if the kernel address selection listens to address updates or not, especially with the ":0" selector. My guess is that it's probably not implemented so it would require a pfctl rules reload to take effect?

Cheers,
Franco

[bimbar]

It normally works, it just seemed that after a few days it stops to update its address.

Since I can't know when an address update comes, I can't really do a pfctl rules reload when it happens.

[fichtner]

I did mean a static test interface where one could change the IP address via ifconfig.

It looks like this attaches to a ifaddr_event hook, but there could still be issues with it... https://github.com/opnsense/src/blob/3778c319d0c0786fe9ec88ac81e624ee9f48a47b/sys/netpfil/pf/pf_if.c#L917
https://github.com/opnsense/src/blob/3778c319d0c0786fe9ec88ac81e624ee9f48a47b/sys/netpfil/pf/pf_if.c#L152-L153

[marjohn56]

Crashing the party here, just trying to get my head around something to do with NPTv6 as I am now back to using dhcp6. and have not used NPTv6, In the GUI you have to specify the 'External Prefix', could the NPTv6 functions be expanded so that the prefix is taken from PD of the LAN, thus you take the lower 'n' bits of a ULA address on the LAN and use the PD upper 64 bits as the external prefix? Might want to take this to a seperate discussion, but might it not be a useful option for servers etc on the LAN side? Using this option would negate the need for prefix tracking etc.

[bimbar]

@marjohn56 #5284

[bimbar]

I did mean a static test interface where one could change the IP address via ifconfig.

It looks like this attaches to a ifaddr_event hook, but there could still be issues with it... https://github.com/opnsense/src/blob/3778c319d0c0786fe9ec88ac81e624ee9f48a47b/sys/netpfil/pf/pf_if.c#L917 https://github.com/opnsense/src/blob/3778c319d0c0786fe9ec88ac81e624ee9f48a47b/sys/netpfil/pf/pf_if.c#L152-L153

Is that even an opnsense problem or is that upstream? If so, maybe it'll work with the upcoming freebsd 13 upgrade?

[fichtner]

I doubt there is any change in this regard with FreeBSD 13 .. at least not from the pf(4) end.