pfSense bugtracker
pfSense - Todo #12025: Add 1:1 Validation to Notify Someone They are 1:1 NAT'ing an Interface Address
https://redmine.pfsense.org/issues/12025?journal_id=54451
2021-06-11T10:05:28Z, Jim Pingle
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Very Low</i></li><li><strong>Target version</strong> set to <i>Future</i></li></ul><p>We used to prevent that in the past and had numerous complaints. There are many ways someone can shoot themselves in the foot, and I don't think this is one we need to go out of our way to prevent or warn against.</p>
<p>There are unintended side effects for all kinds of NAT scenarios, but trying to find and warn about them all is going to be a never-ending battle. There wouldn't be an automatic way to detect this <em>before</em> they make the error, but only when listing the rules or editing the rules, and there is a good chance they miss it in the list or don't go back and edit the rule later.</p>
<p>It's already documented here: <a class="external" href="https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#nat-on-the-wan-ip-aka-dmz-on-linksys">https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#nat-on-the-wan-ip-aka-dmz-on-linksys</a> which is on the page users get if they click the help link while editing 1:1 NAT rules.</p>
<p>We don't have a facility for two-step confirmation after an input "error" to make the user confirm a choice, and technically this is not an error condition, so that kind of validation is not going to be viable.</p>
<p>We'd be burning a lot of development time and adding technical debt to prevent a relatively small number of misconfigurations, and it doesn't seem worth the effort.</p>
<p>At most we could add a note in the help below the field cautioning against using the "&lt;interface&gt; Address" macros or entering an interface IP address manually.</p>