pfSense bugtracker | https://redmine.pfsense.org/ | 2021-03-26T17:35:35Z

pfSense - Bug #11734: NAT rule overlap detection is inconsistent

https://redmine.pfsense.org/issues/11734?journal_id=52696 | 2021-03-26T17:35:35Z | Marcos M
<ul><li><strong>Assignee</strong> set to <i>Marcos M</i></li></ul><p><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/209">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/209</a></p>

https://redmine.pfsense.org/issues/11734?journal_id=52736 | 2021-03-29T08:34:33Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>Protocol doesn't overlap. You can have separate port forward rules for TCP and for UDP on the same port ranges which do not conflict.</p>
<p>Plus, that overlap check isn't for looking at network addresses, it's only making sure that port ranges do not overlap.</p>

https://redmine.pfsense.org/issues/11734?journal_id=52753 | 2021-03-29T14:03:33Z | Marcos M
<p>I've added some further details on it. At the least, there is a typo that should be fixed.</p>

https://redmine.pfsense.org/issues/11734?journal_id=52820 | 2021-04-01T14:48:16Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Rejected</i> to <i>Pull Request Review</i></li><li><strong>Target version</strong> set to <i>CE-Next</i></li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=53964 | 2021-05-24T20:59:03Z | Marcos M
<p>Adding more details here; currently:</p>
<p>It's possible for rules with overlapping ports to be saved when the destination type is set to <code>network</code> because <code>$natent['destination']['address']</code> can have a value of <code>10.0.0.0/24</code> while <code>post['dst']</code> has a value of <code>10.0.0.0</code> (the mask is on a separate variable <code>post['dstmask']</code>).</p>
<p>There is a typo <code>$natent['proto']</code>, which means the <code>!=</code> operator checks will always return true because <code>null</code> will never equal a defined variable. Hence, unless the protocol is set to <code>TCP/UDP</code>, the overlap check below this statement will never run.</p>

https://redmine.pfsense.org/issues/11734?journal_id=53975 | 2021-05-25T07:56:02Z | Jim Pingle
<ul><li><strong>Plus Target Version</strong> set to <i>21.09</i></li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=54859 | 2021-07-01T10:02:51Z | Renato Botelho (renato@netgate.com)
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li></ul><p>PR has been merged. Thanks!</p>

https://redmine.pfsense.org/issues/11734?journal_id=54862 | 2021-07-01T10:10:14Z | Marcos M
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Correct NAT rule overlap detection. Fixes #11734" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/3736da7f0ffd73c0cd25b7118b3c4be2e1f0eab9">3736da7f0ffd73c0cd25b7118b3c4be2e1f0eab9</a>.</p>

https://redmine.pfsense.org/issues/11734?journal_id=55097 | 2021-07-16T23:29:09Z | Marcos M
<p>There's still an issue when the selected source or destination is a special network (e.g. L2TP Clients), as well as a missing <code>/</code> in the checks. I have a fix ready to submit.</p>

https://redmine.pfsense.org/issues/11734?journal_id=55103 | 2021-07-17T22:41:09Z | Kris Phillips
<p>Potentially related issue with source traffic with video demonstrating the issue: <a class="external" href="https://redmine.pfsense.org/issues/12132">https://redmine.pfsense.org/issues/12132</a></p>

https://redmine.pfsense.org/issues/11734?journal_id=55105 | 2021-07-17T22:48:58Z | Kris Phillips
<p>Tested the changeset and the issue for 12132 and this redmine appears to be resolved.</p>

https://redmine.pfsense.org/issues/11734?journal_id=55110 | 2021-07-18T10:55:19Z | Marcos M
<p><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/301">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/301</a></p>

https://redmine.pfsense.org/issues/11734?journal_id=55131 | 2021-07-19T09:07:19Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Pull Request Review</i></li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=55141 | 2021-07-19T11:00:00Z | Jim Pingle
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-11 priority-4 priority-default closed" href="/issues/12132">Bug #12132</a>: Port Fowards Using CARP VIP Form Validation on Source Broken</i> added</li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=56119 | 2021-08-31T11:48:04Z | Jim Pingle
<ul><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>2.6.0</i></li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=56314 | 2021-09-10T10:56:20Z | Jim Pingle
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-4 priority-default closed" href="/issues/12361">Bug #12361</a>: NAT rule overlap detection does not check special networks</i> added</li></ul>

https://redmine.pfsense.org/issues/11734?journal_id=56316 | 2021-09-10T10:57:02Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Resolved</i></li></ul><p>Marking resolved since the original part was already tested. I moved the special networks issue over to <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: NAT rule overlap detection does not check special networks (Resolved)" href="https://redmine.pfsense.org/issues/12361">#12361</a> as it needs to wait until after 21.09.</p>

https://redmine.pfsense.org/issues/11734?journal_id=57126 | 2021-10-27T11:59:56Z | Jim Pingle
<ul><li><strong>Plus Target Version</strong> changed from <i>21.09</i> to <i>22.01</i></li></ul>