Input validation prevents creating 1:1 NAT rules on IPsec
Additional input validation in the GUI in 21.02/2.5 prevents creating a 1:1 NAT rule on the IPSec interface because it expects an IP family and enc doesnot have one:
The following input errors were detected: The interface do not have address from the specified address family.
Should also read "interface does not have address".
This is an edge case because NAT is not expected to work on IPSec. However there are situation where us can work and did in pfSense < 2.5.
Specifically if the P2 in use carries 0.0.0.0/0 it will carry the NAT'd traffic still.
This only applies to 1:1 NAT
21.02.2-RC (arm64) built on Mon Mar 29 03:04:00 EDT 2021 FreeBSD 12.2-STABLE
Updated by Viktor Gurov 4 months ago
- Tracker changed from Bug to Regression
fix also includes OpenVPN and L2TP VPN input validation:
Updated by Viktor Gurov 3 months ago
Jim Pingle wrote:
Already in 21.05 branch.
extra 2.6-only fix: