Netgate Discussion Forum

    Outbound NAT weirdness with 127.0.0.0/8 addresses.

    Category: NAT | 6 Posts, 2 Posters, 1.7k Views
    kpa:

      It seems that the automatic outbound NAT generates a rule for NATing traffic with 127.0.0.0/8 net as its source address. Is this really necessary? I've always thought that the way FreeBSD's routing code selects the source address for outgoing connections guarantees that the localnet addresses are never visible outside the host.

      This is on version 2.1.2-RELEASE i386.

    jimp (Rebel Alliance Developer, Netgate):

        If a daemon binds specifically to only 127.0.0.1 then that NAT is necessary to get a packet out.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

    kpa:

    I have trouble picturing a scenario where that would happen. If a service is listening only on localhost and it's reachable from outside, there has to be an RDR that redirects the traffic to localhost and the correct port. Wouldn't the RDR translation cause the return traffic to appear not from the localhost but from the interface where the incoming connection came from?

    jimp (Rebel Alliance Developer, Netgate):

            For that specific scenario, yes, but that's reply traffic – not traffic initiated by that daemon.

            Consider something like Squid or the DNS Forwarder where the client contacts the daemon and then the daemon makes another query to a remote service.

    kpa:

    Well yes, you're right. If the daemon doesn't allow you to specify the outgoing interfaces separately from the listening interfaces and you have to bind the daemon only to localhost, then there's no other option. I was able to replicate this scenario using Unbound by specifying localhost as both the listening and outbound interface, and without the outbound NAT rule for 127.0.0.0/8 the daemon couldn't send queries to the internet.

    jimp (Rebel Alliance Developer, Netgate):
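The scenario kpa reproduced, written out as an added illustration (not configuration taken from pfSense or from this thread): an Unbound instance pinned to loopback for both listening and outgoing queries, and the hand-written pf rule that plays the role of the automatic outbound NAT entry for 127.0.0.0/8. The interface name `$wan_if` and the `/var/unbound` path are assumptions; the rule syntax is plain pf, not the exact text pfSense generates.

```conf
# --- unbound.conf (constructed example) ---------------------------------
# Both directives are real Unbound options.  With outgoing-interface set
# to 127.0.0.1, every upstream query the daemon *initiates* is sourced
# from a loopback address, so the kernel's normal source-address
# selection never gets a chance to pick the WAN address.
server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    outgoing-interface: 127.0.0.1
    # Queries are forwarded upstream, i.e. daemon-initiated traffic,
    # which is the case jimp distinguishes from RDR reply traffic.
    do-not-query-localhost: no

# --- pf.conf fragment (constructed example) -----------------------------
wan_if = "em0"   # assumption: WAN interface name

# Without this rule, packets sourced from 127.0.0.1 would leave $wan_if
# with a loopback source address and no answer could ever come back.
# Translating them to the WAN address is what the automatic outbound NAT
# entry for 127.0.0.0/8 does on the firewall itself.
nat on $wan_if inet from 127.0.0.0/8 to any -> ($wan_if)

# Verification (run on the firewall, shown here as comments):
#   pfctl -s nat | grep 127.0.0.0/8   # the translation rule is loaded
#   tcpdump -ni $wan_if udp port 53   # queries now carry the WAN source
```

If the rule is removed, the symptom is simply that Unbound's upstream queries go unanswered, exactly as described above; reply traffic for an RDR'd service is unaffected because pf reverses the redirect on the way back.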

                Yep. And for reasons like that, it's easier to keep the 127.0.0.0/8 NAT rule in place by default.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.