IPv6 NAT Problem

seed · May 23, 2023, 09:45:44 AM

I have an interesting problem with NATv6 on the OPNsense.

if I run e.g. OpenVPN on all interfaces and set it to port 1194 (so that OpenVPN runs in the dual stack) I use NAT to redirect e.g. incoming traffic from port 443 to the "VPN IP".

With IPv4 this works perfectly. But not with IPv6.
Also the redirection from the WAN IP to a loopback interface fails.

So e.g.:

192.0.2.12:443 DNAT-> 192.0.2.12:1194 works
[2001:DB8::12]:443 DNAT-> [2001:DB8::12]:1194 does not work
[2001:DB8::12]:443 DNAT-> [lo1]:1194 does not work either

What am i doing wrong?

Patrick M. Hausen · May 23, 2023, 11:20:43 AM

Have you tried setting the filter rule association to "pass"?

seed · May 23, 2023, 11:32:43 AM

I just set "Filter rule association" to "Pass" ans it still does not work.
Also worth mentioning is that a Filter rule on wan with "pass" for 443 TCP (VPN-IPv6) also exists.

seed · May 23, 2023, 11:40:18 AM

Someone else also has a similar issue:

https://www.reddit.com/r/opnsense/comments/110n7cc/nat_redirect_for_dns_on_ipv6_loopback_address/

Also not working with the IPv6 itself. Like described in my first post.

Bob.Dig · May 23, 2023, 12:18:54 PM

Do you have outbound NAT for IPv6?

seed · May 23, 2023, 12:25:57 PM

In normal cases i route ipv6.
But in this special case i enabled "NAT reflection" in the port forwarding rule.

It does not work either. Same issue with wireguard IPv6 NAT.

IPv6 NAT Problem

seed

May 23, 2023, 09:45:44 AM

Patrick M. Hausen

May 23, 2023, 11:20:43 AM #1

seed

May 23, 2023, 11:32:43 AM #2

seed

May 23, 2023, 11:40:18 AM #3 Last Edit: May 23, 2023, 11:49:43 AM by seed

Bob.Dig

May 23, 2023, 12:18:54 PM #4

seed

May 23, 2023, 12:25:57 PM #5