Bug #12023: Mobile IPsec NAT/BINAT entries missing from firewall rules - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #12023

closed

Mobile IPsec NAT/BINAT entries missing from firewall rules

Added by Chris Linstruth almost 3 years ago. Updated over 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Viktor Gurov

Category:

IPsec

Target version:

2.6.0

Start date:

06/10/2021

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.01

Release Notes:

Default

Affected Version:

Affected Architecture:

Description

Adding a NAT or BINAT to a mobile IPsec configuration does not work.

The nat rules are not added to the pf configuration.

This is true for 1:1 and Many:1

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle almost 3 years ago

Target version set to 2.6.0
Plus Target Version set to 21.09

Noting here what I mentioned on Slack:

This is likely due to the fact that the "remote" network on mobile P2s is from the mobile settings and not defined inside the P2.
The logic building the 1:1 NAT rules may be skipping these either because the remote is empty, or because it's mobile, or both.
This could work for well-defined mobile address pools (maybe not per-user pools, though), but definitely isn't viable for RADIUS-assigned addresses since there is no way for the firewall to know what those are.

Actions

Copy link

Updated by Chris Linstruth almost 3 years ago

Documenting a possible workaround:

If you have the following Mobile IPsec configuration:

Mobile Virtual Address Pool: 172.16.17.0/24
Mobile Phase 2 Local Network: 192.168.1.0/24
Mobile Phase 2 BINAT Network: 10.11.12.0/24

You can leave that configuration in IPsec (to make the traffic interesting to IPsec) and add the following 1:1 NAT entry in Firewall > NAT, 1:1

Interface: IPsec
External Subnet IP: 10.11.12.0
Internal network: 192.168.1.0/24
Destination network: 172.16.17.0/24

That will give you this in the rule set:

binat on enc0 inet from 192.168.1.0/24 to 172.16.17.0/24 -> 10.11.12.0/24

Actions

Copy link

Updated by Viktor Gurov almost 3 years ago

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/283

Actions

Copy link

Updated by Jim Pingle almost 3 years ago

Status changed from New to Pull Request Review

Actions

Copy link

Updated by Renato Botelho almost 3 years ago

Status changed from Pull Request Review to Feedback
Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions

Copy link

Updated by Viktor Gurov almost 3 years ago

% Done changed from 0 to 100

Applied in changeset 99f957fe21d514f9b2bb945fb07c0277df210d03.

Actions

Copy link

Updated by Danilo Zrenjanin over 2 years ago

Status changed from Feedback to Resolved

Tested on the:

2.6.0-DEVELOPMENT (amd64)
built on Mon Jul 26 14:27:42 EDT 2021
FreeBSD 12.2-STABLE

Works for both 1:1 and Many:1.

Ticket resolved.

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Subject changed from Mobile IPsec NAT/BINAT rules not inserted into pf rule set to Mobile IPsec NAT/BINAT entries missing from firewall rules

Updating subject for release notes.

Actions

Copy link

Updated by Jim Pingle over 2 years ago

Plus Target Version changed from 21.09 to 22.01

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #12023

Mobile IPsec NAT/BINAT entries missing from firewall rules

Updated by Jim Pingle almost 3 years ago

Updated by Chris Linstruth almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Jim Pingle almost 3 years ago

Updated by Renato Botelho almost 3 years ago

Updated by Viktor Gurov almost 3 years ago

Updated by Danilo Zrenjanin over 2 years ago

Updated by Jim Pingle over 2 years ago

Updated by Jim Pingle over 2 years ago