NPTv6 seems to mistranslate WAN dest IP

Started by OPNenthu, April 30, 2026, 06:02:37 AM

April 30, 2026, 06:02:37 AM Last Edit: April 30, 2026, 06:30:37 AM by OPNenthu
I'm playing with NPTv6 again and wondering if I have a misconfiguration.

I saw in the firewall logs at least one instance where an internet scanner tried to reach my WAN GUA, which I do not expect to be translated as there is no NPTv6 translation configured for WAN.  There's no need.

However, it looks like it got translated to my LAN prefix (:1000) with all of the lower 64 WAN host bits. That doesn't make sense. There is no such host on LAN.


Here are my NPTv6 configs for reference. I've added one for each of my internal subnets, all tracking the WAN prefix. The first one is LAN. Each of these ULA /64s is configured as Static IPv6 on the respective interfaces.


Outbound translations appear to be working correctly.

What stupid thing have I done here that is causing my WAN interface address to be translated to LAN's prefix from the outside?
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI

binat rules as seen in /tmp/rules.debug:

# cat /tmp/rules.debug | grep binat
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1000::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1001::/64 -> (igc1:0)/64 # NPTv6 WAN<->MANAGE (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1002::/64 -> (igc1:0)/64 # NPTv6 WAN<->VPN (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1003::/64 -> (igc1:0)/64 # NPTv6 WAN<->CLEAR (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1004::/64 -> (igc1:0)/64 # NPTv6 WAN<->GUEST (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1005::/64 -> (igc1:0)/64 # NPTv6 WAN<->IOT (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1006::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAB (/64)
binat log on igc1 inet6 from fd5a:xxxx:xxxx:1007::/64 -> (igc1:0)/64 # NPTv6 WAN<->MOBILES (/64)
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI
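The binat listing above is enough to reproduce the symptom on paper. A pf `binat` rule is bidirectional: outbound it rewrites the source prefix from the internal /64 to the external /64, and inbound it rewrites a destination that falls in the external /64 back into the internal /64, keeping the host bits. When the external side is `(igc1:0)/64`, that /64 is the one containing the router's own WAN address, so an inbound packet addressed to the WAN GUA matches the first rule's inbound direction and lands in the LAN prefix. The following model is an added example, not code from the thread or from OPNsense/pf; the prefixes and the WAN address are constructed (the redacted `xxxx` groups are replaced with `db8:1` so the lines parse), and the resolution of `(igc1:0)/64` to the WAN interface's /64 is modelled rather than read from the system.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (not the poster's real prefixes): the WAN /64 and the
# router's own WAN interface address, which sits inside that same /64.
WAN_NET = ipaddress.IPv6Network("2001:db8:1:2::/64")
WAN_ADDR = ipaddress.IPv6Address("2001:db8:1:2:abcd:ef01:2345:d2cf")

# binat lines in the rules.debug format shown in the thread; "fd5a:db8:1" is a
# constructed stand-in for the redacted ULA prefix.  (igc1:0)/64 is pf's
# interface-address macro: first address on igc1, masked to /64.
RULES_DEBUG = """\
binat log on igc1 inet6 from fd5a:db8:1:1000::/64 -> (igc1:0)/64 # NPTv6 WAN<->LAN (/64)
binat log on igc1 inet6 from fd5a:db8:1:1001::/64 -> (igc1:0)/64 # NPTv6 WAN<->MANAGE (/64)
binat log on igc1 inet6 from fd5a:db8:1:1002::/64 -> (igc1:0)/64 # NPTv6 WAN<->VPN (/64)
"""


@dataclass(frozen=True)
class BinatRule:
    """One 'binat ... from INTERNAL -> EXTERNAL' rule with both sides as /64s."""
    internal: ipaddress.IPv6Network
    external: ipaddress.IPv6Network
    comment: str


def parse_rules(text: str, wan_if_net: ipaddress.IPv6Network) -> List[BinatRule]:
    """Parse rules.debug binat lines; '(if:0)/64' resolves to the WAN interface /64
    (modelled here by passing that /64 in explicitly)."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("binat"):
            continue
        body, _, comment = line.partition("#")
        tokens = body.split()
        src = tokens[tokens.index("from") + 1]
        dst = tokens[tokens.index("->") + 1]
        internal = ipaddress.IPv6Network(src, strict=False)
        external = wan_if_net if dst.startswith("(") else ipaddress.IPv6Network(dst, strict=False)
        rules.append(BinatRule(internal, external, comment.strip()))
    return rules


def _swap_prefix(addr: ipaddress.IPv6Address, src_net: ipaddress.IPv6Network,
                 dst_net: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the host bits of addr, replace the prefix (NPTv6 without the checksum
    adjustment, which does not affect which address comes out)."""
    host_mask = (1 << (128 - src_net.prefixlen)) - 1
    return ipaddress.IPv6Address(int(dst_net.network_address) | (int(addr) & host_mask))


def apply_outbound(rules: List[BinatRule], src) -> Tuple[ipaddress.IPv6Address, Optional[BinatRule]]:
    """Outbound direction: first rule whose internal /64 contains the source wins."""
    src = ipaddress.IPv6Address(str(src))
    for r in rules:
        if src in r.internal:
            return _swap_prefix(src, r.internal, r.external), r
    return src, None


def apply_inbound(rules: List[BinatRule], dst) -> Tuple[ipaddress.IPv6Address, Optional[BinatRule]]:
    """Inbound direction: first rule whose external /64 contains the destination
    rewrites it into that rule's internal /64.  Nothing exempts the router's own
    WAN address from this match."""
    dst = ipaddress.IPv6Address(str(dst))
    for r in rules:
        if dst in r.external:
            return _swap_prefix(dst, r.external, r.internal), r
    return dst, None


def rules_covering_wan_address(rules: List[BinatRule], wan_addr) -> List[BinatRule]:
    """Diagnostic: which binat rules have an external side that includes the
    router's own WAN interface address (and so will rewrite traffic sent to it)."""
    wan_addr = ipaddress.IPv6Address(str(wan_addr))
    return [r for r in rules if wan_addr in r.external]


if __name__ == "__main__":
    rules = parse_rules(RULES_DEBUG, WAN_NET)
    new_dst, hit = apply_inbound(rules, WAN_ADDR)
    print(f"inbound to WAN address {WAN_ADDR}")
    print(f"  -> {new_dst}  via rule: {hit.comment if hit else 'none'}")
    new_src, hit = apply_outbound(rules, "fd5a:db8:1:1001::10")
    print(f"outbound from fd5a:db8:1:1001::10 -> {new_src}  via rule: {hit.comment if hit else 'none'}")
    for r in rules_covering_wan_address(rules, WAN_ADDR):
        print(f"WAN address lies inside external side of: {r.comment}")
```

Run as-is, the inbound case prints the address pattern reported in the first post: the LAN prefix followed by all 64 host bits of the WAN address, chosen by the first binat rule because every rule's external side is the same WAN /64. `rules_covering_wan_address` is the one-line sanity check to run against any NPTv6 set: if the router's own WAN address falls inside a rule's external /64, packets sent to that address (a scanner, or a WireGuard peer as in the later post) will be rewritten before they reach the firewall's own services.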

Do we have a tutorial for NPTv6?

I rebooted after upgrading to the latest OPNsense, and now, because my WAN interface address is being translated, I have lost the WG tunnel to a remote OPNsense.


Apologies for the redactions, but in this screenshot 2600:...:185 is the remote OPNsense and 2601:...:d2cf is my WAN IF.

For some reason it's getting translated to my LAN prefix, which of course is wrong.
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI