Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    npt lacks the support for nat reflection (hairpinning); why 2 binat per one npt?

    Scheduled Pinned Locked Moved
    NAT
    1
    1
    402
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bob2022
      last edited by

      When reading the source code generates rules for npt, I find there is no additional rules to do nat reflections for npt, and the option "enable nat reflection for 1:1 nat" do not have any effects here.

      According to https://tools.ietf.org/id/draft-mrw-nat66-08.html#requirements, a npt translator should support hairpinning behavior. Maybe this can be a feature to add in the future.

      Also, I am not quite understand why there are 2 binat pf.conf rules for each npt entry.

      $natrules .= "binat on \${$natif} inet6 from {$srcaddr} to any -> {$dstaddr}\n";
$natrules .= "binat on \${$natif} inet6 from any to {$dstaddr} -> {$srcaddr}\n";

      According to the example in the manual of pf.conf, one binat clause should be enough

       # BINAT
 # Translate outgoing packets' source address (any protocol).
 # Translate incoming packets' destination address to an internal machine
 # (bidirectional).
 binat on $ext_if from 10.1.2.150 to any -> $ext_if

      A brief look into the source code of opnsense seems also confirm my guest that the first binat is enough.
      After commenting out the second binat on my instance, everything works well.

      This is also mentioned in a post several years ago.

      Any help or clarification is appreciated!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.