Bug #12132
Port Forwards Using CARP VIP Form Validation on Source Broken
Description
With the interface address, you're able to define different port forward NATs on the same interface IP address and port to go to different internal hosts from different sources.
For example, this kind of rule works:
Port Forward Rule #1:
Source: Source A
Destination: WAN Address (or whatever interface IP)
Destination Port: SSH 22 (Service doesn't matter, but I'll use SSH as an example here)
Redirect Target IP: Inside Host A
Port Forward Rule #2:
Source: Source B
Destination: WAN Address (or whatever interface IP)
Destination Port: SSH 22 (Service doesn't matter, but I'll use SSH as an example here)
Redirect Target IP: Inside Host B
The firewall matches the rule based on source and forwards the traffic to a different inside host for each source without any problem.
However, if you change the Destination from "[Interface] address" such as "WAN Address" to a CARP VIP, when you go to save the second rule it will complain about it being a duplicate even though it has a different source. This appears to be a bug in the form validation where it thinks there is a duplicate even though the sources are different.
Tested on pfSense Plus 21.05
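The report above hinges on what "duplicate" should mean for a port forward: two rules with the same protocol, destination and port are only in conflict if their sources can overlap. The following is an added illustrative overlap check written for this page; it is not pfSense's own validation code, and the rule fields, the CIDR sample values and the "CARP VIP" destination label are constructed for the example.

```python
"""Illustrative NAT port-forward overlap check (added example, not pfSense code).

Models the point of the bug report: two port forwards with the same
destination and destination port are NOT duplicates when their sources
do not overlap, and a "tcp/udp" rule covers both "tcp" and "udp".
All rule fields and sample values below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class PortForward:
    proto: str        # "tcp", "udp" or "tcp/udp"
    source: str       # CIDR such as "203.0.113.0/24", or "any"
    destination: str  # label for the interface address or CARP VIP (assumed field)
    dst_port: int
    target: str       # redirect target IP (internal host)


def _protocols(proto: str) -> set:
    """Expand the combined "tcp/udp" choice into the individual protocols."""
    return {"tcp", "udp"} if proto == "tcp/udp" else {proto.lower()}


def _sources_overlap(a: str, b: str) -> bool:
    """True if some source address could match both rules."""
    if a == "any" or b == "any":
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def overlaps(r1: PortForward, r2: PortForward) -> bool:
    """True only if a single packet could match both port forwards.

    Protocol, destination and port must all coincide, and then the
    sources must overlap; differing sources alone make the rules distinct.
    """
    if not (_protocols(r1.proto) & _protocols(r2.proto)):
        return False
    if r1.destination != r2.destination or r1.dst_port != r2.dst_port:
        return False
    return _sources_overlap(r1.source, r2.source)


def find_conflicts(existing, candidate):
    """Return the existing rules a new rule would conflict with (empty = save is fine)."""
    return [r for r in existing if overlaps(r, candidate)]


if __name__ == "__main__":
    # Constructed sample: the two rules from the report, on a CARP VIP, TCP/UDP.
    rule_a = PortForward("tcp/udp", "203.0.113.0/24", "CARP VIP", 22, "10.0.0.11")
    rule_b = PortForward("tcp/udp", "198.18.0.0/24", "CARP VIP", 22, "10.0.0.12")
    print("conflicts for rule_b:", find_conflicts([rule_a], rule_b))
```

The check compares the destination by label, which is enough to show the logic; a validator on a real firewall would resolve "WAN address" and each CARP VIP to concrete addresses before comparing.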
Updated by Kris Phillips over 3 years ago
- File ErrorWithTCPUDPCARP.png ErrorWithTCPUDPCARP.png added
- File BeforeSecondCARP.png BeforeSecondCARP.png added
- File WorkingTCPUDPWANAddress.png WorkingTCPUDPWANAddress.png added
- File WorkingCARPVIP.png WorkingCARPVIP.png added
- File WorkingWANIP.png WorkingWANIP.png added
Did additional testing today as I wasn't able to recreate this. I realized this only applies to TCP/UDP with different sources and destinations. If you JUST choose TCP or UDP, it's fine. See attached screenshots.
Updated by Viktor Gurov over 3 years ago
unable to reproduce on pfSense-2.6.0.a.20210716.0500 - works without issues
Updated by Kris Phillips over 3 years ago
- File CARPVIPError21-05.mp4 CARPVIPError21-05.mp4 added
Here is a screencast showing the issue on 21.05 of pfSense Plus
Updated by Kris Phillips over 3 years ago
Issue appears corrected with changeset 3736da7f0ffd73c0cd25b7118b3c4be2e1f0eab9 applied as a system patch. Should be in 21.09 as a fix.
Updated by Marcos M over 3 years ago
- Status changed from New to Closed
Indeed this is a symptom of #11734. Consequently, the patch there resolves this symptom in an unintentional way. I've submitted a proper fix for it.
It seems I'm not able to mark this as a duplicate so I'll just close it out instead.
Updated by Jim Pingle over 3 years ago
- Category changed from Web Interface to Rules / NAT
- Status changed from Closed to Duplicate
- Affected Plus Version deleted (21.05)
Updated by Jim Pingle over 3 years ago
- Project changed from pfSense Plus to pfSense
- Category changed from Rules / NAT to Rules / NAT
Updated by Jim Pingle over 3 years ago
- Is duplicate of Bug #11734: NAT rule overlap detection is inconsistent added