Why does this static ULA get installed as a host route on lo0?

Started by OPNenthu, Today at 02:54:33 AM

Maybe someone can explain this to me:

I created a new loopback device (lo1) in Interfaces->Devices->Loopback for the sole purpose of using it as a redirect target in DNAT rules for internal services (e.g. DNS).

I assigned and enabled this interface, which I named "RDR," and I then assigned two IPs:

- 10.255.255.1/32
- fdff::1/128

These are not VIPs but static assignments on the interface.

As redirect targets for internal networks, these work fine so long as the associated firewall 'pass' rules are in place (or set to 'pass' in the DNAT rule itself).

I noticed something odd when I tried to use these IPs from the firewall host, however. This was getting blocked by the default deny rule:

$ dig @10.255.255.1 opnsense.org

And this was passing:

$ dig @fdff::1 opnsense.org

Now I know this has nothing to do with NAT; I was just testing if it works. It looks like the IPv4 case was being routed to the RDR interface and since there are no rules defined there it makes sense why this was blocked.

The IPv6 case didn't make any sense until I looked in the routing table and saw that the ULA address is installed as a host route on the default loopback (lo0) instead of lo1.

This difference was unexpected and my first thought was maybe it's a bug, but ChatGPT thinks it's a nuance of FreeBSD routing with IPv6.  I figured best to get this clarified here. :)

I have two firewalls configured like this and both are showing the ULA on lo0 instead of lo1 in the routes.

N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI
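The practical consequence of the post is that the interface the kernel's host route points at decides which interface's firewall rules a packet to that address is evaluated against. The script below is an added example, not code from the original post or from OPNsense: it parses a routing table in FreeBSD's `netstat -rn` layout and reports, for each address the post assigns to the "RDR" loopback, which Netif the host route actually lands on. The routing table it reads by default is a constructed sample that mirrors the situation described above (IPv4 host route on lo1, IPv6 host route on lo0); the interface names, link numbers and the 192.0.2.0/24 uplink are assumptions. Setting ROUTES_FROM=live makes it read the real table on a FreeBSD/OPNsense box instead.

```shell
#!/bin/sh
# Added example (not from the original post): show which interface the
# kernel's host route for a local address points at, so you can predict
# which interface's firewall rules will see traffic sent to that address.
# By default it parses a constructed netstat -rn sample laid out like
# FreeBSD's output; set ROUTES_FROM=live to read the real table.

# Constructed sample (assumed layout, link numbers and uplink). lo1 is the
# "RDR" loopback from the post; the IPv6 address shows up on lo0.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         vtnet0
10.255.255.1       link#5             UH          lo1
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#1             U           vtnet0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::1                               link#3                        UHS         lo0
fdff::1                           link#3                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0'

# Print the routing table being analysed (sample or live).
route_table() {
    if [ "${ROUTES_FROM:-sample}" = live ]; then
        netstat -rn
    else
        printf '%s\n' "$SAMPLE_ROUTES"
    fi
}

# route_iface ADDR: print the Netif of the route whose Destination is
# exactly ADDR (a host route, no prefix length), or nothing if none exists.
route_iface() {
    route_table | awk -v want="$1" '
        # Skip the table title, section titles, column headers and blank lines.
        /^Routing/ || /^Internet/ || /^Destination/ || NF == 0 { next }
        $1 == want { print $4; exit }
    '
}

# check_route ADDR EXPECTED_IF: succeed (0) when the host route for ADDR is
# on EXPECTED_IF; otherwise report where it really is and fail (1).
check_route() {
    addr=$1
    expected=$2
    actual=$(route_iface "$addr")
    if [ -z "$actual" ]; then
        printf '%s: no host route found\n' "$addr"
        return 1
    elif [ "$actual" = "$expected" ]; then
        printf '%s: host route on %s (as expected)\n' "$addr" "$actual"
        return 0
    else
        printf '%s: host route on %s, not %s; rules on %s apply to it\n' \
            "$addr" "$actual" "$expected" "$actual"
        return 1
    fi
}

# Check both addresses the post assigns to lo1 ("RDR"); fail if any differ.
report() {
    rc=0
    check_route 10.255.255.1 lo1 || rc=1
    check_route fdff::1 lo1 || rc=1
    return $rc
}

report || echo 'at least one address is not routed via the interface it is assigned to'
```

With the sample table the IPv4 check passes and the IPv6 check reports lo0, which is the asymmetry the post observed: a rule set written for the RDR interface will not match traffic to fdff::1 while its host route sits on lo0.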