Project

General

Profile

Actions

Regression #11805

closed

Port forward rules only function through the default gateway interface, ``reply-to`` does not work for Multi-WAN (CE Only)

Added by Jim Pingle over 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Urgent
Category:
Rules / NAT
Target version:
Start date:
04/14/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.1
Affected Architecture:
amd64

Description

Port forwards coming into the firewall from a non-default WAN are not working properly on CE version 2.5.1. This is similar to #11436 but now happening on CE only, not Plus 21.02.2.

Unlike before, there is no firewall log entry for the packet attempting to leave via the wrong path.

Packet capture on WAN2 shows the SYN arriving, but no response.

State table shows:

vmx3 tcp 127.0.0.1:22 (203.0.113.3:222) <- 172.21.32.79:60472       CLOSED:SYN_SENT
   [0 + 64240]  [2247652855 + 1]
   age 00:00:04, expires in 00:00:29, 3:5 pkts, 180:300 bytes, rule 158
   id: 0100000060774d99 creatorid: e2ca2a66

Rule 158 created the state, and it is:

@158(1617127544) pass in quick on vmx3 reply-to (vmx3 203.0.113.1) inet proto tcp from any to 127.0.0.1 port = ssh flags S/SA keep state label "USER_RULE: NAT Reply-to test WAN2" 
  [ Evaluations: 23443     Packets: 59        Bytes: 3540        States: 0     ]
  [ Inserted: pid 72469 State Creations: 4     ]

Contacting a service directly on WAN2, not via port forwarding, works.

Actions

Also available in: Atom PDF