Change in IPv6 NAT port forwarding behaviour in 25.07 versus 24.11
-
NetGate 6100. I've been running 24.11 for ages. Today I upgraded to 25.07 and I have observed what seems to be an unexpected and surprising change in IPv6 NAT port forwarding.
Requirement is to redirect incoming WAN traffic targeting:
For IPv4, the firewall's WAN addresses on port 234 to an address on the firewall's DMZ interface, also on port 234.
For IPv6, a GUA address in the firewall's DMZ, <dmz_prefix>::123, on port 234 to a different address in the DMZ, <dmz_prefix>::124, also on port 234.
Original setup which worked in 24.11
Define NAT port forwarding for IPv4
The NAT rule targets incoming IPv4 UDP traffic from any address or port which targets the firewall's WAN address on port 234 and redirects it to the target DMZ IPv4 address, <dmz_ipv4>, which is a private (10.x.x.x) address on a different firewall interface, on port 234.
This NAT rule created a linked firewall rule on the WAN interface which allows incoming IPv4 UDP traffic targeting <dmz_ipv4> on port 234.
Define NAT port forwarding for IPv6
The NAT rule targets incoming IPv6 UDP traffic from any address or port which targets the DMZ address <dmz_prefix>::123 on port 234 and redirects it to the target DMZ IPv6 address, <dmz_prefix>::124 on port 234.
This NAT rule created a linked firewall rule on the WAN interface which allows incoming IPv6 UDP traffic targeting <dmz_prefix>::123 on port 234.
Under 24.11 this setup worked just fine and both types of traffic were redirected as they should be.
Additional firewall rule needed in 25.07
The above setup did not work after updating to 25.07. Incoming traffic targeting <dmz_prefix>::123 on port 234 was dropped, not forwarded.
I had to explicitly create an additional rule on the WAN interface allowing incoming IPv6 UDP traffic targeting <wan_prefix>::123 on port 234. Once this rule was in place things worked again.
Is this change in behaviour deliberate / expected? If so, is there some rationale, as it seems to be a breaking change? Was the old behaviour perhaps a bug? I could not find anything matching this in the release notes.
-
Why are you talking about NAT with IPv6? The only reason for it was the address shortage in IPv4, and it also breaks some things. Please learn to do things properly with IPv6 and unlearn the bad habits from IPv4.
-
@JKnott Thank you so much for your unhelpful and borderline rude reply.
I am well aware of what NAT is, why it was originally developed and how it has evolved. I always strive to 'do things properly', but sometimes one needs to do something a little out of the ordinary, and that can occasionally mean adopting atypical patterns. This usage of NAT with IPv6 was a relatively short-term measure until I could change some IPs and rejig some other stuff in order to 'do things properly'. That required some planning and care to minimise service downtime.
As I'm sure you are aware, nowadays there are many flavours of NAT, some specifically designed for IPv6 (NAT64 for example) and there are also legitimate use cases for regular NAT port forwarding with IPv6 (such as forcibly redirecting traffic for example).
My question stands; behaviour seems to have changed in 25.07 versus 24.11. I'd like to understand if this was deliberate or may represent a bug.
-
@ChrisJenk It doesn't make much sense to me what you(?) wrote in the start post. So I am with @JKnott on this one, better do it right in the first place before others have to explain to you how to do it "the old way".