OPNsense Forum » Archive » 16.7 Legacy Series » npt issue
Topic: npt issue (Read 5833 times)
ThuTex (Newbie, Posts: 18, Karma: 2)
npt issue « on: December 18, 2016, 03:06:03 pm »
setup:
router => opnsense wan/lan => lan
config:
router has a /56
opnsense wan port has an ipv6
opnsense lan port has fd00:1::1 as address
lan host has fd00:1::200 as address
npt is set to wan - aaaa:bbbb:cccc:dddd::/56 - fd00:1::/56
what goes right:
ping OUT from my lan pc to an internet host:
pc -> opnsense lan port ok (internal lan ip -> ipv6 host)
opnsense wan port ok (translated lan ip -> ipv6 host)
ping arrives perfectly on the internet host.
ping reply comes back:
opnsense wan port gets a request from the router's link-local to see who has the translated lan ip
expected: opnsense translates that ip back to its local ip, responds to the request and routes the traffic
reality: nothing happens... opnsense does not reply that it knows the address
what am i doing wrong or am i forgetting here?
franco (Administrator, Hero Member, Posts: 17657, Karma: 1611)
Re: npt issue « Reply #1 on: December 19, 2016, 01:04:56 am »
Hi splitter,
NPT may not be fully functional following an incompatibility with custom patches from pfSense vs. FreeBSD standards.
pfSense recently made the jump using a different fix[1] than we have. Can you try the following?
https://github.com/opnsense/core/blob/16.7.11/src/etc/inc/filter.inc#L1571
Change this line in /usr/local/etc/inc/filter.inc to the following:
$natrules .= "binat on \${$natif} from ::/0 to {$dstaddr} -> {$srcaddr}\n";
Cheers,
Franco
[1] https://github.com/pfsense/pfsense/commit/9c8ce38b01
« Last Edit: December 19, 2016, 01:06:51 am by franco »
ThuTex (Newbie, Posts: 18, Karma: 2)
Re: npt issue « Reply #2 on: December 19, 2016, 08:46:10 pm »
Hi Franco,
Closer but still no dice... the change was already one big issue (before there just didn't seem to be any translation... and now it just seems 'too much translation'...)
also, what i noticed is that -even though i chose 'only request prefix'- the wan interface has an external ipv6 address in the terminal but not in the gui.
back to the issue at hand:
Now when the ping reply gets to opnsense i get this:
kernel: cannot forward src fe80:1::3291:8fff:fec9:aaaa, dst fd00:1::20c:29ff:fee5:bbbb, nxt 58, rcvif em0, outif em1
fe80:1::3291:8fff:fec9:aaaa is the link local for my isp router
fd00:1 is the range i'm using on the em1 interface
fd00:1::20c:29ff:fee5:bbbb does not exist..., but there's a link-local for it on em0 : fe80::20c:29ff:fee5:bbbb
EDIT: i added the fd::bbbb address as a virtual address to em0.
no more error, but still opnsense isn't telling my isp router it knows about the address of my lan pc
« Last Edit: December 19, 2016, 09:33:16 pm by splitter »
ThuTex (Newbie, Posts: 18, Karma: 2)
Re: npt issue « Reply #3 on: December 21, 2016, 12:27:31 pm »
ok so...
after applying the fix from franco's post AND adding my lan pc's external ip to the virtual ip list on lan it works...
so i expected (just example ips):
externalv6::xxxx translated to fd01::xxx in both ways.
i also expected npt to do this without help.
my lan pc only has the internal fd01:xxxx
outgoing, npt translates this to 2a02::xxxx as expected.
incoming, i need to add that address to the lan interface,
or opnsense will not respond.
i already had the 2a02:: range added to vip but that didn't do the trick...
so it's fixed but i assume this is not the right way (because it doesn't scale like this)
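As an added example (not code from this thread or from OPNsense), the Python script below models what the posts describe: the prefix swap NPT performs on a /56 in both directions, and the list of translated addresses that the upstream router will send neighbor solicitations for on the WAN side, which is exactly the list the original poster ended up adding by hand as virtual IPs. The prefixes and host addresses come from the posts above (aaaa:bbbb:cccc:dddd::/56 is the poster's placeholder for the delegated prefix); the function names, the sample host list and the assumption that the translation is a plain prefix substitution with the host bits carried over unchanged (which is what the addresses quoted in the thread show) are mine.

```python
import ipaddress

# Constructed values mirroring the thread: the LAN uses fd00:1::/56 and the
# ISP delegates aaaa:bbbb:cccc:dddd::/56 (placeholder prefix from the post).
INTERNAL_PREFIX = "fd00:1::/56"
EXTERNAL_PREFIX = "aaaa:bbbb:cccc:dddd::/56"
# Constructed sample LAN hosts, taken from the addresses quoted in the thread.
LAN_HOSTS = ["fd00:1::200", "fd00:1::20c:29ff:fee5:bbbb"]


def npt_map(address: str, from_prefix: str, to_prefix: str) -> str:
    """Rewrite the prefix bits of `address` from `from_prefix` to `to_prefix`.

    Assumption: the translation is a plain prefix swap that keeps the host bits
    intact (no checksum-neutral adjustment). It is symmetric, so swapping the
    two prefixes translates the other way.
    """
    addr = ipaddress.IPv6Address(address)
    src = ipaddress.IPv6Network(from_prefix, strict=False)
    dst = ipaddress.IPv6Network(to_prefix, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPT needs internal and external prefixes of equal length")
    if addr not in src:
        raise ValueError(f"{address} is outside {src}")
    # Everything below the prefix length is host bits and is carried over as-is.
    host_mask = (1 << (128 - src.prefixlen)) - 1
    translated = int(dst.network_address) | (int(addr) & host_mask)
    return str(ipaddress.IPv6Address(translated))


def external_addresses(lan_hosts, internal_prefix=INTERNAL_PREFIX,
                       external_prefix=EXTERNAL_PREFIX):
    """External (translated) addresses the upstream router will neighbor-solicit.

    Each one is a LAN host's address after translation. In the thread these had
    to be added as virtual IPs before the firewall answered the router's
    neighbor solicitations, so this is the list an operator needs to configure.
    """
    return sorted((npt_map(h, internal_prefix, external_prefix) for h in lan_hosts),
                  key=ipaddress.IPv6Address)


def solicited_target_owner(target, internal_prefix=INTERNAL_PREFIX,
                           external_prefix=EXTERNAL_PREFIX):
    """Map a neighbor-solicitation target seen on WAN back to the LAN host.

    Returns None when the target is not inside the translated prefix, so a
    diagnostic script can separate NPT-related solicitations from any others.
    """
    try:
        return npt_map(target, external_prefix, internal_prefix)
    except ValueError:
        return None


def round_trips(lan_host, internal_prefix=INTERNAL_PREFIX,
                external_prefix=EXTERNAL_PREFIX) -> bool:
    """Check that outbound and inbound translation are inverses for one host."""
    outward = npt_map(lan_host, internal_prefix, external_prefix)
    back = npt_map(outward, external_prefix, internal_prefix)
    return back == str(ipaddress.IPv6Address(lan_host))


if __name__ == "__main__":
    for host in LAN_HOSTS:
        print(f"{host:40} -> {npt_map(host, INTERNAL_PREFIX, EXTERNAL_PREFIX)}")
    print("addresses the firewall must answer ND for on WAN:",
          external_addresses(LAN_HOSTS))
```

Note that with a /56 the low byte of the fourth word comes from the internal side: the poster's aaaa:bbbb:cccc:dddd::/56 maps fd00:1::200 to aaaa:bbbb:cccc:dd00::200, not to aaaa:bbbb:cccc:dddd::200, which is worth checking before typing a virtual IP by hand.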