Netgate Discussion Forum

    Network Prefix Translation (NPt) prefix translation bug

machbot (last edited by machbot):

      I think I found a bug that I can reliably reproduce, but I'm not quite sure what I'm looking at, so I haven't opened a redmine bug report yet. Any additional eyes to look over this would be helpful.

      Firewall is running pfSense CE 2.7.2.

      Internet ping host: 2001:db8:10a:23a7::1
      LAN1 static IPv6: 2001:db8:2:1::/64
      LAN2 static IPv6: 2001:db8:2:2::/64
      LAN3 (ISP delegated prefix): 2001:db8:1:1::/64

      Here's the firewall rule on the WAN interface allowing inbound ICMP6 echo request to all IPv6 endpoints.

[screenshot]

Pardon the following Excel tables; I've only done it to sanitise the prefixes, but the main gist is still there.

      What I was doing:

      pinging my PC in LAN1 from the internet ping host outside my network using the ISP delegated prefix: 2001:db8:1:1:58bd:bbd3:cd6d:3909

      When the LAN1 NPt mapping entry is at the very top, the ping packets can reach my PC.

[screenshot]
State table filtered for the allow ICMP rule:
[screenshot]

When the LAN2 NPt mapping entry is moved before LAN1's entry, the ping packets no longer reach my PC.

[screenshot]
State table filtered for the allow ICMP rule:
[screenshot]

What I think is happening is that unsolicited inbound traffic with the ISP prefix (external prefix) is always translated to the internal prefix specified in the topmost entry of the NPt mapping table, rather than the prefix for the proper subnet.

      So far I've only tried this with ICMP6 Echo Request packets, so I can't say for certain it affects other types of packets as well.

      Edit: Opened a redmine ticket

      Edit 2: Not a bug.

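A small model of the behaviour machbot describes above, added here as an illustration; it is not code from pfSense, pf or this thread. It assumes NPt entries are checked in order with the first matching entry winning, which is what the thread observes, and uses the thread's documentation-range prefixes. With LAN1 and LAN2 both mapped to the single ISP-delegated /64, an unsolicited inbound destination matches whichever entry is listed first, while outbound translation stays unambiguous because each internal prefix is distinct.

```python
import ipaddress

# Constructed NPt table modelled on the thread: two internal /64s share one
# external (ISP-delegated) /64. Entries are evaluated top to bottom (assumption).
NPT_TABLE = [
    ("2001:db8:2:1::/64", "2001:db8:1:1::/64"),  # LAN1 internal -> external
    ("2001:db8:2:2::/64", "2001:db8:1:1::/64"),  # LAN2 internal -> external
]


def translate_prefix(addr, src_prefix, dst_prefix):
    """Swap the prefix bits of addr from src_prefix to dst_prefix, keeping host bits."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt requires equal-length prefixes")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    host_bits = int(ipaddress.IPv6Address(addr)) & host_mask
    return str(ipaddress.IPv6Address(int(dst.network_address) | host_bits))


def inbound_translate(dst_addr, table):
    """Unsolicited inbound packet: match on the external prefix, first entry wins."""
    for internal, external in table:
        if ipaddress.IPv6Address(dst_addr) in ipaddress.IPv6Network(external):
            return translate_prefix(dst_addr, external, internal)
    return dst_addr  # no NPt entry applies; deliver the packet unchanged


def outbound_translate(src_addr, table):
    """Outbound packet: match on the internal prefix; each internal /64 is unique."""
    for internal, external in table:
        if ipaddress.IPv6Address(src_addr) in ipaddress.IPv6Network(internal):
            return translate_prefix(src_addr, internal, external)
    return src_addr


def ambiguous_external_prefixes(table):
    """External prefixes used by more than one entry: inbound cannot be disambiguated."""
    seen = {}
    for internal, external in table:
        seen.setdefault(external, []).append(internal)
    return {ext: ints for ext, ints in seen.items() if len(ints) > 1}


if __name__ == "__main__":
    ping_dst = "2001:db8:1:1:58bd:bbd3:cd6d:3909"  # from the thread
    print("LAN1 entry first:", inbound_translate(ping_dst, NPT_TABLE))
    print("LAN2 entry first:", inbound_translate(ping_dst, NPT_TABLE[::-1]))
    print("shared external prefixes:", ambiguous_external_prefixes(NPT_TABLE))
```

Running the model reproduces the thread's two screenshots: with LAN1 first the reply host lands in 2001:db8:2:1::/64, with LAN2 first it lands in 2001:db8:2:2::/64 where the PC does not exist.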
Bob.Dig @machbot (last edited by Bob.Dig):

        @machbot That is true for everything, not only ping. NPt doesn't solve this problem (unsolicited inbound traffic) on pfSense.

machbot @Bob.Dig:

          @Bob-Dig said in Network Prefix Translation (NPt) prefix translation bug:

          That is true for everything, not only ping.

          It's good to know that the behavior isn't only for ICMP6 packets.

          @Bob-Dig said in Network Prefix Translation (NPt) prefix translation bug:

          NPt doesn't solve this problem (unsolicited inbound traffic) on pfSense.

          Good to know. Perhaps I'll open a bug report on redmine for this issue, see what the devs have to say.
