What is the IPv6 equivalent of the IPv4 loopback address for a redirect on the same device?

Started by opnseeker, February 13, 2026, 11:16:51 PM

In my setup Unbound runs on a loopback interface (used for the OPNsense GUI and a few other services) on port 53053.

I am trying to write a Dest NAT rule that redirects all DNS requests (from some VLANs) reaching OPNsense (port 53) to 53053 on the loopback interface.

My IPv4 rule works with 127.0.0.1 as the redirect IP. But I can't figure out the equivalent IPv6 address. ::1 doesn't work, and neither does the ULA address statically assigned to the interface.

Any suggestions would be appreciated.

You can't use ::1 but the ULA should work.

In my setup I assigned a ULA VIP to the Loopback interface where Unbound also listens, then with a DNAT rule I forward outbound DNS on port 53 to that ULA IP.  Slightly different use case (to trap and redirect unencrypted DNS escapes) but same principle.  Seems to work OK.
N5105/8GB/4xi226-V (local)
J4125/8GB/4xi210 (remote)
26.1 Community

Quote from: opnseeker on February 13, 2026, 11:16:51 PM: I am trying to write a Dest NAT rule that redirects all DNS requests (from some VLANs) reaching OPNsense (port 53) to 53053 on the loopback interface.

But I can't figure out the equivalent IPv6 address. ::1 doesn't work and neither does the ULA address statically assigned to the interface.
Browse this topic: https://forum.opnsense.org/index.php?topic=9245.0

IIRC there are some solutions mentioned for IPv6 ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Up to 25.x.x, Port Forward to another port on OPNsense worked.

This issue is new in 26.x.x with the new Dest NAT section.

Quote from: OPNenthu on February 13, 2026, 11:33:27 PM: You can't use ::1 but the ULA should work.

In my setup I assigned a ULA VIP to the Loopback interface where Unbound also listens, then with a DNAT rule I forward outbound DNS on port 53 to that ULA IP.  Slightly different use case (to trap and redirect unencrypted DNS escapes) but same principle.  Seems to work OK.

My use case is the same, but it doesn't work for IPv6 even with a ULA on 26.x.x. It worked until 25.x.x.

Can you paste your NAT rule for comparison?

Here are some screenshots of what works for me (on 26.1.2).  I have Unbound set to listen on All interfaces.  Not shown is the manual pass rule for the NAT rdr that was imported from my legacy ruleset into the new rules UI, but the firewall log shows it passing the traffic.  I use an alias in the NAT rule because I have this VIP referenced in several places.

[three screenshot attachments: the NAT rule, the alias, and the firewall log; not included]
N5105/8GB/4xi226-V (local)
J4125/8GB/4xi210 (remote)
26.1 Community

Quote from: OPNenthu on Today at 08:39:22 AM: Can you paste your NAT rule for comparison?

Here are some screenshots of what works for me (on 26.1.2).  I have Unbound set to listen on All interfaces.  Not shown is the manual pass rule for the NAT rdr that was imported from my legacy ruleset into the new rules UI, but the firewall log shows it passing the traffic.  I use an alias in the NAT rule because I have this VIP referenced in several places.

[quoted screenshot attachments omitted]


I am not using a virtual IP. The IP assigned to the loopback interface is a ULA.

Unbound runs on just this interface, as does the OPNsense GUI. I tried the redirection for both Unbound and the OPNsense GUI. On IPv4, 127.0.0.1 works, but nothing works on IPv6.

I tried again. There are no errors in the log, but the rule is not firing. I am using the "pass" option on the NAT rule rather than an explicit filter rule. That works for IPv4 and not for IPv6.

The rule may not be firing because the destination matches the redirect target, both IP and port. That is the case most of the time, the way it is set up. The redirect rule is there for safety, and the pass option is used to pass the traffic without an explicit filter rule.

This wasn't the case until 25.x.x. Now the rules seem to be ignored when the redirect is not needed, and because of that the pass option is not effective. An explicit rule is needed.

I will test my theory and post later.

Thanks for the screenshots. They are helpful.

I imagine you are aware already, but the release notes for 26.1.2 show a couple of changes for DNAT. I am still on 25.7.10.

@OPNenthu
My setup for DNAT for DNS looks almost the same as yours. Except I created a 'Dynamic IPv6 Host' alias where the content is the lower 64 bits, such as:
::xxxx:xxxx:xxxx:xxxx
Is there any advantage to using the ULA (fe80...), or are both good?
Or does VIP references and Loopback require a ULA?
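As an added example (my code, not something posted in the thread or shipped by OPNsense), the snippet below sorts candidate IPv6 redirect targets into the address classes the thread keeps distinguishing (loopback ::1, link-local fe80::/10, ULA fc00::/7, everything else) and shows how a host-suffix alias of the form ::xxxx:xxxx:xxxx:xxxx combines with a delegated /64 prefix into a full address. The prefix 2001:db8:abcd:1::/64, the ULA fd00:1::53 and the assumption that the alias is resolved by OR-ing the host part onto the prefix are illustrative; the "usable as target" verdict simply encodes what the thread reports (::1 fails, a ULA works).

```python
"""Classify IPv6 redirect-target candidates and compose prefix + host-suffix.

Added example; addresses and the prefix/suffix composition rule are
constructed assumptions for illustration, not OPNsense internals.
"""
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def classify(addr: str) -> str:
    """Return the address class relevant when picking a DNAT target on the box."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "ipv4"
    if ip.is_loopback:
        return "loopback"      # ::1
    if ip.is_link_local:
        return "link-local"    # fe80::/10, only meaningful with a zone/scope id
    if ip in ULA:
        return "ula"           # fc00::/7, in practice fd00::/8
    return "global"            # anything else (GUA, documentation ranges, ...)


def usable_as_redirect_target(addr: str) -> bool:
    """Encodes the thread's reports: ::1 does not work as a target, a ULA does.

    Link-local is rejected because it needs a scope id to be unambiguous.
    """
    return classify(addr) in ("ula", "global", "ipv4")


def compose(prefix: str, host_suffix: str) -> str:
    """Combine a /64 prefix with a '::xxxx:xxxx:xxxx:xxxx' host part.

    Assumed model of a host-suffix alias: the low 64 bits of the suffix are
    OR-ed onto the prefix's network address.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("expected an IPv6 /64 prefix")
    suffix = int(ipaddress.IPv6Address(host_suffix))
    if suffix >> 64:
        raise ValueError("host suffix must fit in the low 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | suffix))


if __name__ == "__main__":
    for cand in ("::1", "fe80::1", "fd00:1::53", "127.0.0.1"):
        print(f"{cand:>12}  {classify(cand):<10}  usable={usable_as_redirect_target(cand)}")
    print(compose("2001:db8:abcd:1::/64", "::a:b:c:d"))
```

Run it as a script to see each candidate's class; `compose` is the piece to check if a prefix change leaves a host-suffix alias pointing at an address that no longer matches what Unbound actually listens on.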

Quote from: opnseeker on Today at 12:42:48 PM (trimmed): The rule may not be firing because the destination matches the redirect target, both IP and port. That is the case most of the time, the way it is set up. The redirect rule is there for safety, and the pass option is used to pass the traffic without an explicit filter rule.

This wasn't the case until 25.x.x. Now the rules seem to be ignored when the redirect is not needed, and because of that the pass option is not effective. An explicit rule is needed.

I will test my theory and post later.

I am right. Redirect rules do not fire when the destination matches the redirect (both port and IP) and the pass option for the filter rule is not activated.

That was the issue in my case. I had to add explicit filter rules to allow the traffic when there is a possibility of a match between the destination and the redirect.
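As an added illustration (not from the thread, and not the ruleset OPNsense generates from its GUI), here is the shape of the two redirects in raw FreeBSD pf syntax, with the explicit filter rules opnseeker concluded were needed. The interface name vlan10, the ULA fd00:1::53 on the loopback, and the Unbound port are assumed for the example; ::1 is left out of the IPv6 rule because the thread reports it does not work as a target.

```pf
# Added example in pf.conf syntax (OPNsense builds its own ruleset from the GUI).
# Assumed: client VLAN interface vlan10; Unbound listening on 127.0.0.1 and
# fd00:1::53 (a ULA on lo0), port 53053.
# (vlan10) = the interface's own address(es), evaluated at runtime.

# IPv4: DNS aimed at the firewall itself goes to Unbound's alternate port.
rdr on vlan10 inet  proto { tcp udp } from any to (vlan10) port 53 -> 127.0.0.1 port 53053
# IPv6: target the ULA on the loopback interface, not ::1.
rdr on vlan10 inet6 proto { tcp udp } from any to (vlan10) port 53 -> fd00:1::53 port 53053

# Translation happens before filtering, so the filter rules must match the
# post-NAT destination (Unbound's address and port), not port 53.
pass in quick on vlan10 inet  proto { tcp udp } from any to 127.0.0.1 port 53053
pass in quick on vlan10 inet6 proto { tcp udp } from any to fd00:1::53 port 53053

# "rdr pass on ..." is the one-line form behind the GUI's pass checkbox; the
# thread reports that on 26.x the explicit pass rules above were needed for IPv6.
```

To confirm what actually got loaded, `pfctl -s nat` lists the translation rules and `pfctl -s rules` the filter rules; `pfctl -s state | grep 53053` shows whether client queries are being rewritten to the Unbound port at all, which is the quickest way to tell a translation problem from a filter problem.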

I agree with @vimage22.  There have been a lot of DNAT-related fixes up to and including 26.1.2, and possibly more to come.

The one-liners in the release notes are sometimes a bit vague (at least to me) but this seems relevant to what @opnseeker is describing:

Quote: o firewall: fix target mapping inconsistency leading to references not being processed in destination NAT

... without digging into the code, at least.

Keep vigilant on the updates and check out the GitHub issues.

Quote from: vimage22 on Today at 02:28:27 PM: Is there any advantage to using the ULA (fe80...), or are both good?
No difference in practice I think, except that it's static and untied to the ISP prefix.

If you don't notice any transitional delays on prefix changes then that's a win, IMO.  Do you know if these alias types are on an interval (e.g. Firewall->Settings->Advanced->Alias Resolve Interval) or are they immediate?
N5105/8GB/4xi226-V (local)
J4125/8GB/4xi210 (remote)
26.1 Community