Project

General

Profile

Actions

Regression #11751

closed

Input validation prevents creating 1:1 NAT rules on IPsec

Added by Steve Wheeler over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Rules / NAT
Target version:
Start date:
03/29/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
21.05
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:
All

Description

Additional input validation in the GUI in 21.02/2.5 prevents creating a 1:1 NAT rule on the IPSec interface because it expects an IP family and enc doesnot have one:

The following input errors were detected:

    The interface do not have address from the specified address family.

Should also read "interface does not have address".

This is an edge case because NAT is not expected to work on IPSec. However there are situation where us can work and did in pfSense < 2.5.
Specifically if the P2 in use carries 0.0.0.0/0 it will carry the NAT'd traffic still.

This only applies to 1:1 NAT

Tested in:

21.02.2-RC (arm64)
built on Mon Mar 29 03:04:00 EDT 2021
FreeBSD 12.2-STABLE


Files

211.diff (3.21 KB) 211.diff Viktor Gurov, 04/23/2021 12:12 AM
Actions #1

Updated by Viktor Gurov over 3 years ago

  • Tracker changed from Bug to Regression

fix also includes OpenVPN and L2TP VPN input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/211

Actions #2

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Steve Wheeler over 3 years ago

Tested here against 21.02 snapshot. Works as expected.

Actions #4

Updated by Alex Lost over 3 years ago

This bug quite ruined our environment.
Will be very greatfull for hotfix.

Actions #5

Updated by Fiden Galvez over 3 years ago

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Thank you

Actions #6

Updated by Viktor Gurov over 3 years ago

Fiden Galvez wrote:

Hi Victor:
Please could you share again the fix, cause he link looks like it is dead.

Actions #7

Updated by Jim Pingle over 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Target version changed from CE-Next to 2.6.0

PR was merged yesterday.

Actions #8

Updated by Jim Pingle over 3 years ago

  • Plus Target Version set to 21.05
Actions #9

Updated by Jim Pingle over 3 years ago

Already in 21.05 branch.

Actions #10

Updated by Jim Pingle over 3 years ago

  • Subject changed from Input validation prevents 1:1 NAT rules on IPSec to Input validation prevents creating 1:1 NAT rules on IPsec
  • Category changed from Web Interface to Rules / NAT

Updating subject for release notes.

Actions #11

Updated by Massimiliano Cianelli over 3 years ago

Hi,

I've applied the patch to pfsense 2.5.1 (Using system patch) and 2.5.0 (manually) but I'm still unable to create a 1:1 NAT with aliases.

Regards

Actions #12

Updated by Viktor Gurov over 3 years ago

Jim Pingle wrote:

Already in 21.05 branch.

extra 2.6-only fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/253

Actions #13

Updated by Jim Pingle over 3 years ago

  • Target version changed from 2.6.0 to 2.5.2
Actions #14

Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Closed
Actions #15

Updated by Renato Botelho over 3 years ago

  • Assignee set to Viktor Gurov
Actions

Also available in: Atom PDF