Describe the solution you'd like
Please provide an option to change the NAT type to Endpoint-Independent Filtering (as defined in RFC 4787) instead of Address and Port-Dependent. OPNsense uses address and port-dependent filtering by default, which may possibly have an extremely slight positive effect on security but breaks direct connectivity between devices on the internet that are behind such NAT routers.
Examples of software where connectivity is degraded would be Tailscale, Nebula, ZeroTier, Gaming Consoles, SIP, WebRTC.
There is a FreeBSD bug concerning the feature: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219803
but I'm not really sure if that has been merged. I guess in the age of v6 the ability to use UDP hole punching to establish direct connectivity without a public relay is getting less important with each passing year, but we still live in a world where v4 is very important, and the current way OPNsense does NAT is very restrictive. It should be possible to enable a more permissive style of NAT. Many other routers use this, and as far as I can tell there is not a single incident in the entire world where this has ever caused an actual issue; any security downsides are just theoretical in nature.
A clear and concise description of what you want to happen
A global option, either in the GUI or the console, to change the NAT type from Address and Port-Dependent to Endpoint-Independent Filtering.
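As an added illustration (not part of the original request and not OPNsense or pf code), the following Python model shows what the RFC 4787 filtering behaviours decide for inbound UDP. It assumes a toy NAT with endpoint-independent mapping (RFC 4787 REQ-1) and goes slightly beyond the request by also modelling the third behaviour the RFC defines, Address-Dependent Filtering. The scenario is a typical rendezvous: a peer behind the NAT registers with a public server, the server tells a remote peer where to reach it, and the remote peer sends before the inside host has ever sent to it. All addresses are constructed from documentation ranges; none of it touches real sockets.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# RFC 4787 section 5 filtering behaviours (REQ-8 lets an implementation choose)
EIF = "endpoint-independent"        # admit from anyone once the mapping exists
ADF = "address-dependent"           # admit only from IPs the inside host has sent to
APDF = "address-and-port-dependent"  # admit only from IP:port pairs it has sent to


@dataclass
class Mapping:
    internal: Endpoint
    external: Endpoint
    # External endpoints this internal endpoint has sent to; the filters consult it.
    sent_to: Set[Endpoint] = field(default_factory=set)


class UdpNat:
    """Toy NAT (assumption: endpoint-independent mapping) with a selectable
    filtering behaviour. It models only which inbound datagrams are admitted."""

    def __init__(self, public_ip: str, filtering: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = first_port
        self.by_internal: Dict[Endpoint, Mapping] = {}
        self.by_external: Dict[Endpoint, Mapping] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside host src sends to dst; return the external endpoint dst will see.
        Endpoint-independent mapping: the same src always gets the same external port."""
        m = self.by_internal.get(src)
        if m is None:
            ext = (self.public_ip, self.next_port)
            self.next_port += 1
            m = Mapping(src, ext)
            self.by_internal[src] = m
            self.by_external[ext] = m
        m.sent_to.add(dst)
        return m.external

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Datagram from external src to our public dst; return the inside endpoint
        it is delivered to, or None when the filter drops it."""
        m = self.by_external.get(dst)
        if m is None:
            return None  # no mapping for that port at all: always dropped
        if self.filtering == EIF:
            return m.internal
        if self.filtering == ADF:
            return m.internal if any(ip == src[0] for ip, _ in m.sent_to) else None
        if self.filtering == APDF:
            return m.internal if src in m.sent_to else None
        raise ValueError(f"unknown filtering behaviour {self.filtering!r}")


def rendezvous_scenario(filtering: str) -> dict:
    """Peer A (inside) registers with rendezvous server S. S hands A's external
    endpoint to public peer B. B sends to A before A has sent anything to B.
    Then A punches toward B, and finally an unrelated host probes the mapped port.
    Returns, per step, whether the datagram reached A's socket."""
    nat = UdpNat("198.51.100.1", filtering)
    a_int = ("10.0.0.5", 5000)           # constructed inside host
    server = ("203.0.113.10", 3478)      # constructed rendezvous/STUN-like server
    peer_b = ("203.0.113.20", 41641)     # constructed public peer
    scanner = ("192.0.2.99", 12345)      # constructed unrelated prober

    a_ext = nat.outbound(a_int, server)                 # A -> S creates the mapping
    before_punch = nat.inbound(peer_b, a_ext)           # B -> A, unsolicited from NAT's view
    nat.outbound(a_int, peer_b)                         # A learns B from S and punches
    after_punch = nat.inbound(peer_b, a_ext)            # B -> A again
    other_port = nat.inbound((peer_b[0], peer_b[1] + 1), a_ext)  # B replies from another port
    probe = nat.inbound(scanner, a_ext)                 # random host hits the mapped port
    return {
        "before_punch": before_punch is not None,
        "after_punch": after_punch is not None,
        "other_port_same_host": other_port is not None,
        "unrelated_probe": probe is not None,
    }


if __name__ == "__main__":
    for mode in (EIF, ADF, APDF):
        print(mode, rendezvous_scenario(mode))
```

The model makes the trade-off in the request concrete: under endpoint-independent filtering the first datagram from B already gets through, which is what peer-to-peer hole punching relies on when one side cannot punch first, but the same mapped port also accepts the unrelated probe for as long as the mapping lives. Under address-and-port-dependent filtering nothing arrives until A has itself sent to exactly B's IP:port, so the probe is dropped, and so is a legitimate reply from a different port on B. In every mode the admitted traffic only ever reaches the internal socket that created the mapping, which is why the exposure added by the permissive setting is bounded to that socket and that port.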