NPTv6 seems to mistranslate WAN dest IP

[OPNenthu]

I'm playing with NPTv6 again and wondering if I have a misconfiguration.

I saw in the firewall logs at least one instance where an internet scanner tried to reach my WAN GUA, which I do not expect to be translated as there is no NPTv6 translation configured for WAN.  There's no need.

However it looks like it got translated to my LAN prefix (:1000) with all of the lower 64 WAN host bits.  That doesn't make sense.  There is no such host on LAN.

You cannot view this attachment.

You cannot view this attachment.

Here are my NPTv6 configs for reference.  I've added one for each of my internal subnets, all tracking the WAN prefix.  The first one is LAN.  Each of these ULA /64s is configured as Static IPv6 on the respective interfaces.

You cannot view this attachment.

Outbound translations appear to be working correctly.

What stupid thing have I done here that is causing my WAN interface address to be translated to LAN's prefix from the outside?

[OPNenthu]

binat rules as seen in /tmp/rules.debug:

Code Select Expand

# cat /tmp/rules.debug | grep binat
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1000::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1001::/64 -> (igc1:0)/64 # NPTv6 WAN<->MANAGE (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1002::/64 -> (igc1:0)/64 # NPTv6 WAN<->VPN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1003::/64 -> (igc1:0)/64 # NPTv6 WAN<->CLEAR (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1004::/64 -> (igc1:0)/64 # NPTv6 WAN<->GUEST (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1005::/64 -> (igc1:0)/64 # NPTv6 WAN<->IOT (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1006::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAB (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1007::/64 -> (igc1:0)/64 # NPTv6 WAN<->MOBILES (/64)