Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Why is there an automatic Outbound NAT for ::1/128

    Scheduled Pinned Locked Moved NAT
    8 Posts 3 Posters 4.4k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I Offline
      IonutIT
      last edited by

      Just noticed recently that in the Outbound NAT page, if you use Automatic NAT or Hybrid NAT, there's an automatic NAT rule for ::1/128.

      If you have IPv6 working and the router has a GUA IPv6 address what is the point of this NAT rule?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @IonutIT
        last edited by

        @IonutIT because ::1/128 is the localhost address.. just like you have an outbound nat for 127.0.0.0/8 which is the localhost IPv4 address range, normally local host would be 127.0.0.1, but really anything 127.x can be used as localhost address. With ipv6 the localhost range is just /128

        if you source traffic from your localhost address it needs to be natted to the IP of the interface its leaving on. For example I use localhost for outgoing interface in unbound. Which gets natted to wan IP when unbound looks up something

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        I 1 Reply Last reply Reply Quote 0
        • I Offline
          IonutIT @johnpoz
          last edited by IonutIT

          @johnpoz yeah, that makes sense. I don't know why seeing IPv6 there triggered my thinking "what's the point if you have GUA addresses", but makes sense localhost needs NAT to work.

          Can I ask why you use localhost for outhgoing interface in unbound instead of the WAN interface? What are the benefits?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Online
            johnpoz LAYER 8 Global Moderator @IonutIT
            last edited by

            @IonutIT localhost is always going to be up to bind to.. but possible that my wan or say a vpn interface is not up when unbound restarts. If interface is not up can not bind to it.. So helps to make sure unbound starts and binds on interface to use to do outgoing queries.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            1 Reply Last reply Reply Quote 1
            • luckman212L Offline
              luckman212 LAYER 8
              last edited by luckman212

              Followup question to this:

              • I use Manual Outbound NAT mode
              • My WAN connection does NOT have native IPv6
              • I use an HE.net GIF tunnel for IPv6
              • Do I need an Outbound NAT rule that contains ::1/128 mapped to my HENET tunnel interface? e.g.

              a6ea16a3-21d6-43d7-80ec-5524866eba1e-image.png

              My testing seems to indicate "no" but since pfSense does add this rule by default, I am questioning this. No matter what combination of outbound NAT rules I tried, the commands below always fail (run directly from pfSense console):

              # curl --interface lo0 https://myipv6.addr.tools
curl: (7) Failed to connect to myipv6.addr.tools port 443 after 2 ms: Could not connect to server

              # curl --interface ::1 'https://myipv6.addr.tools'
curl: (7) Failed to connect to myipv6.addr.tools port 443 after 11 ms: Could not connect to server

              However, removing the --interface flag allows it to work:

              # curl https://myipv6.addr.tools
2001:470:xxxx:22c::2

              I also failed to capture these packets for debugging with tcpdump. Not sure if they even can be captured? I tried:

              • tcpdump -vv -ni lo0 dst port 80
              • tcpdump -vv -ni gif0 dst port 80 (tunnel iface)
              • tcpdump -vv -ni ix0 dst port 80 (WAN iface)

              No matter what, I got zilch.

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ Online
                johnpoz LAYER 8 Global Moderator @luckman212
                last edited by

                @luckman212 said in Why is there an automatic Outbound NAT for ::1/128:

                I use Manual Outbound NAT mode

                Why would be my question?

                You understand that is just the ipv6 version of of 127.0.0.1 right. As to what would you be natting the ipv6 loopback too in your manual setup? I use he tunnel as well, which is connected over my wan - but my wan has no IPv6 address on it that you could nat too, it only has a link-local ipv6 address.

                It would do nothing if there is not ipv6 to nat too. If you converted to manual and it brought that over - its just prob just how they convert over from auto to manual.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                luckman212L 1 Reply Last reply Reply Quote 0
                • luckman212L Offline
                  luckman212 LAYER 8 @johnpoz
                  last edited by

                  @johnpoz said

                  Why would be my question?

                  I like everything to be explicitly defined. When I initially tried auto/hybrid modes, it was adding NAT rules for some site to site WG tunnels that I already had static routes for, so I opted to use manual. There might have been other reasons that I can't remember, I've been using manual AON for years.

                  You understand that is just the ipv6 version of of 127.0.0.1

                  yes!

                  what would you be natting the ipv6 loopback too in your manual setup?

                  I assume I would NAT it to the routable V6 interface IP assigned to my ix0 LAN e.g. 2001:470:beef:230::1

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ Online
                    johnpoz LAYER 8 Global Moderator @luckman212
                    last edited by

                    @luckman212 said in Why is there an automatic Outbound NAT for ::1/128:

                    NAT it to the routable V6 interface IP assigned to my ix0 LAN

                    And why would it do that, you have it set on what your calling wan6

                    it was adding NAT rules for some site to site WG tunnels that I already had static routes for

                    No it wasn't.. Unless you set it like that.. Example - I have an wg interface, only traffic that gets natted to that is traffic I route out that interface

                    nat.jpg

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.