Regression #11751

closed

Input validation prevents creating 1:1 NAT rules on IPsec

Added by Steve Wheeler 4 months ago. Updated about 2 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 03/29/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 21.05
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture: All

Description

Additional input validation in the GUI in 21.02/2.5 prevents creating a 1:1 NAT rule on the IPSec interface because it expects an IP family and enc does not have one:

The following input errors were detected:

    The interface do not have address from the specified address family.

Should also read "interface does not have address".

This is an edge case because NAT is not expected to work on IPSec. However, there are situations where it can work, and did in pfSense < 2.5.
Specifically, if the P2 in use carries 0.0.0.0/0 it will carry the NAT'd traffic still.

This only applies to 1:1 NAT.

Tested in:

21.02.2-RC (arm64)
built on Mon Mar 29 03:04:00 EDT 2021
FreeBSD 12.2-STABLE


Files

211.diff (3.21 KB) Viktor Gurov, 04/23/2021 12:12 AM
Actions #1

Updated by Viktor Gurov 4 months ago

  • Tracker changed from Bug to Regression

Fix also includes OpenVPN and L2TP VPN input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/211

Actions #2

Updated by Jim Pingle 4 months ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Steve Wheeler 4 months ago

Tested here against 21.02 snapshot. Works as expected.

Actions #4

Updated by Alex Lost 4 months ago

This bug quite ruined our environment.
Will be very grateful for a hotfix.

Actions #5

Updated by Fiden Galvez 3 months ago

Hi Victor:
Please could you share again the fix, cause the link looks like it is dead.

Thank you

Actions #6

Updated by Viktor Gurov 3 months ago

Fiden Galvez wrote:

Hi Victor:
Please could you share again the fix, cause the link looks like it is dead.

Actions #7

Updated by Jim Pingle 3 months ago

  • Status changed from Pull Request Review to Feedback
  • Target version changed from CE-Next to 2.6.0

PR was merged yesterday.

Actions #8

Updated by Jim Pingle 3 months ago

  • Plus Target Version set to 21.05
Actions #9

Updated by Jim Pingle 3 months ago

Already in 21.05 branch.

Actions #10

Updated by Jim Pingle 3 months ago

  • Subject changed from Input validation prevents 1:1 NAT rules on IPSec to Input validation prevents creating 1:1 NAT rules on IPsec
  • Category changed from Web Interface to Rules / NAT

Updating subject for release notes.

Actions #11

Updated by Massimiliano Cianelli 3 months ago

Hi,

I've applied the patch to pfSense 2.5.1 (using system patch) and 2.5.0 (manually) but I'm still unable to create a 1:1 NAT with aliases.

Regards

Actions #12

Updated by Viktor Gurov 3 months ago

Jim Pingle wrote:

Already in 21.05 branch.

Extra 2.6-only fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/253

Actions #13

Updated by Jim Pingle 2 months ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #14

Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Closed
Actions #15

Updated by Renato Botelho about 2 months ago

  • Assignee set to Viktor Gurov