Netgate Discussion Forum

    Change in IPv6 NAT port forwarding behaviour in 25.07 versus 24.11

    Firewalling
    • ChrisJenk

      Netgate 6100. I've been running 24.11 for ages. Today I upgraded to 25.07 and I have observed what seems to be an unexpected and surprising change in IPv6 NAT port forwarding.

      The requirement is to redirect incoming WAN traffic targeting:

      For IPv4, the firewall's WAN addresses on port 234 to an address on the firewall's DMZ interface, also on port 234.

      For IPv6, a GUA address in the firewall's DMZ, <dmz_prefix>::123, on port 234 to a different address in the DMZ, <dmz_prefix>::124, also on port 234.

      Original setup which worked in 24.11

      Define NAT port forwarding for IPv4

      The NAT rule targets incoming IPv4 UDP traffic from any address or port which targets the firewall's WAN address on port 234 and redirects it to the target DMZ IPv4 address, <dmz_ipv4>, which is a private (10.x.x.x) address on a different firewall interface, on port 234.

      This NAT rule created a linked firewall rule on the WAN interface which allows incoming IPv4 UDP traffic targeting <dmz_ipv4> on port 234.

      Define NAT port forwarding for IPv6

      The NAT rule targets incoming IPv6 UDP traffic from any address or port which targets the DMZ address <dmz_prefix>::123 on port 234 and redirects it to the target DMZ IPv6 address, <dmz_prefix>::124 on port 234.

      This NAT rule created a linked firewall rule on the WAN interface which allows incoming IPv6 UDP traffic targeting <dmz_prefix>::123 on port 234.

      Under 24.11 this setup worked just fine and both types of traffic were redirected as they should be.

      Additional firewall rule needed in 25.07

      The above setup did not work after updating to 25.07. Incoming traffic targeting <dmz_prefix>::123 on port 234 was dropped, not forwarded.

      I had to explicitly create an additional rule on the WAN interface allowing incoming IPv6 UDP traffic targeting <wan_prefix>::123 on port 234. Once this rule was in place things worked again.

      Is this change in behaviour deliberate / expected? If so, is there some rationale, as it seems to be a breaking change? Was the old behaviour perhaps a bug? I could not find anything matching this in the release notes.

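The two forwards described in the post, written out in classic pf.conf syntax as an added example (this is not the poster's configuration or the ruleset pfSense generates; the interface names, macro names, the concrete 10.x.x.x host and the 2001:db8: addresses standing in for <dmz_prefix> are assumptions). What it makes explicit is that pf applies rdr translation before it evaluates filter rules, so a pass rule on WAN has to match the destination the packet carries after translation; that post-translation address is what pfSense's associated filter rule is normally built from:

```pf
# Added example, not from the forum post or from pfSense itself.
# Interface names, the 10.0.0.24 host and the 2001:db8: addresses are assumed;
# the post only gives <dmz_ipv4> (a 10.x.x.x address) and <dmz_prefix>.
wan_if   = "igc0"
dmz_if   = "igc1"
dmz_ipv4 = "10.0.0.24"                 # assumed stand-in for <dmz_ipv4>
v6_vip   = "2001:db8:dead:beef::123"   # assumed stand-in for <dmz_prefix>::123
v6_tgt   = "2001:db8:dead:beef::124"   # assumed stand-in for <dmz_prefix>::124

# Translation rules. ($wan_if) expands to the WAN interface's current
# address(es), so the IPv4 rule follows a dynamic WAN address.
rdr on $wan_if inet  proto udp from any to ($wan_if) port 234 -> $dmz_ipv4 port 234
rdr on $wan_if inet6 proto udp from any to $v6_vip   port 234 -> $v6_tgt   port 234

# Filter rules. pf has already rewritten the destination when these are
# evaluated, so they match the redirect target, not the original address.
# A 'pass in' for $v6_vip here would never match a packet that the rdr
# rule above has already translated to $v6_tgt.
pass in quick on $wan_if inet  proto udp from any to $dmz_ipv4 port 234 keep state
pass in quick on $wan_if inet6 proto udp from any to $v6_tgt   port 234 keep state
```

To tell which side of the translation a dropped packet was on, look at the firewall log (Status > System Logs > Firewall) for the blocked UDP/234 entry: the destination recorded there is the one the filter rules saw. If it shows the ::124 target, the rdr rule matched and the pass rule must cover ::124; if it still shows ::123, the rdr rule itself did not match (wrong interface, address family or port). `pfctl -sn` and `pfctl -vvsr` on the pfSense shell list the loaded NAT and filter rules with match counters, and running `tcpdump -ni <wan> udp port 234` alongside `tcpdump -ni <dmz> udp port 234` shows whether the packets are reaching the DMZ at all.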
      • JKnott

        Why are you talking about NAT with IPv6? The only reason for it was the address shortage in IPv4, and it also breaks some things. Please learn to do things properly with IPv6 and unlearn the bad habits from IPv4.

        pfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.