OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: seed on May 23, 2023, 09:45:44 AM

Title: IPv6 NAT Problem
Post by: seed on May 23, 2023, 09:45:44 AM
I have an interesting problem with NATv6 on the OPNsense.

If I run e.g. OpenVPN on all interfaces and set it to port 1194 (so that OpenVPN runs in dual stack), I use NAT to redirect e.g. incoming traffic from port 443 to the "VPN IP".

With IPv4 this works perfectly. But not with IPv6.
Also the redirection from the WAN IP to a loopback interface fails.

So e.g.:

192.0.2.12:443 DNAT-> 192.0.2.12:1194 works
[2001:DB8::12]:443 DNAT-> [2001:DB8::12]:1194 does not work
[2001:DB8::12]:443 DNAT-> [lo1]:1194 does not work either

What am I doing wrong?

Title: Re: IPv6 NAT Problem
Post by: Patrick M. Hausen on May 23, 2023, 11:20:43 AM
Have you tried setting the filter rule association to "pass"?

Title: Re: IPv6 NAT Problem
Post by: seed on May 23, 2023, 11:32:43 AM
I just set "Filter rule association" to "Pass" and it still does not work.
Also worth mentioning is that a filter rule on WAN with "pass" for 443 TCP (VPN-IPv6) also exists.

Title: Re: IPv6 NAT Problem
Post by: seed on May 23, 2023, 11:40:18 AM
Someone else also has a similar issue:

https://www.reddit.com/r/opnsense/comments/110n7cc/nat_redirect_for_dns_on_ipv6_loopback_address/

Also not working with the IPv6 itself, as described in my first post.

Title: Re: IPv6 NAT Problem
Post by: Bob.Dig on May 23, 2023, 12:18:54 PM
Do you have outbound NAT for IPv6?

Title: Re: IPv6 NAT Problem
Post by: seed on May 23, 2023, 12:25:57 PM
In normal cases I route IPv6.
But in this special case I enabled "NAT reflection" in the port forwarding rule.

It does not work either. Same issue with WireGuard IPv6 NAT.