Bug #12132

closed

Port Forwards Using CARP VIP Form Validation on Source Broken

Added by Kris Phillips over 2 years ago. Updated over 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/15/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture: All

Description

With the interface address, you're able to define different port forward NATs on the same interface IP address and port to go to different internal hosts from different sources.

For example, this kind of rule works:

Port Forward Rule #1:

Source: Source A
Destination: WAN Address (or whatever interface IP)
Destination Port: SSH 22 (Service doesn't matter, but I'll use SSH as an example here)
Redirect Target IP: Inside Host A

Port Forward Rule #2:

Source: Source B
Destination: WAN Address (or whatever interface IP)
Destination Port: SSH 22 (Service doesn't matter, but I'll use SSH as an example here)
Redirect Target IP: Inside Host B

The firewall will match the rule based on source and forward the traffic to different inside hosts accordingly.

However, if you change the Destination from "[Interface] address" such as "WAN Address" to a CARP VIP, when you go to save the second rule it will complain about it being a duplicate even though it has a different source. This appears to be a bug in the form validation where it thinks there is a duplicate even though the sources are different.

Tested on pfSense Plus 21.05
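The behaviour described above comes down to what the form's overlap check treats as the identity of a port forward. The following Python model is an added example, not pfSense code (whose validation is PHP, and whose actual defect is tracked in #11734); it contrasts a check that keys only on protocol, destination and port with one that also includes the source, using constructed rules that mirror the two-rule scenario in the report. The CARP VIP address string is a placeholder.

```python
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass(frozen=True)
class PortForward:
    """One port-forward NAT rule, reduced to the fields that matter for overlap checks."""
    proto: str       # "tcp", "udp" or "tcp/udp"
    source: str      # source network or alias name
    dest: str        # interface address or CARP VIP the rule listens on
    dest_port: int   # external port
    target: str      # internal host the traffic is redirected to


def proto_set(rule: PortForward) -> Set[str]:
    """Expand the combined 'tcp/udp' selection into the protocols it covers."""
    return {"tcp", "udp"} if rule.proto == "tcp/udp" else {rule.proto}


def same_listener(a: PortForward, b: PortForward) -> bool:
    """True when both rules listen on the same address and port with a protocol in common."""
    return (bool(proto_set(a) & proto_set(b))
            and a.dest == b.dest
            and a.dest_port == b.dest_port)


def overlaps_ignoring_source(a: PortForward, b: PortForward) -> bool:
    """Incomplete check (constructed for illustration): any two rules on the
    same listener are flagged as duplicates, even when their sources differ."""
    return same_listener(a, b)


def overlaps(a: PortForward, b: PortForward) -> bool:
    """Complete check: two rules only truly conflict when the source matches as well,
    because pf evaluates the source before deciding which redirect applies."""
    return same_listener(a, b) and a.source == b.source


def find_conflicts(existing: List[PortForward], new: PortForward,
                   check: Callable[[PortForward, PortForward], bool] = overlaps) -> List[PortForward]:
    """Return the existing rules that the given check considers to conflict with `new`."""
    return [rule for rule in existing if check(rule, new)]


# Constructed sample rules matching the report: same VIP, same port, different sources.
VIP = "CARP VIP 203.0.113.10"  # placeholder address, not taken from the report
RULE_A = PortForward("tcp/udp", "Source A", VIP, 22, "Inside Host A")
RULE_B = PortForward("tcp/udp", "Source B", VIP, 22, "Inside Host B")
RULE_A_AGAIN = PortForward("tcp/udp", "Source A", VIP, 22, "Inside Host C")

if __name__ == "__main__":
    # The source-blind check reports a false duplicate for the second rule.
    print(find_conflicts([RULE_A], RULE_B, overlaps_ignoring_source))
    # The source-aware check accepts it ...
    print(find_conflicts([RULE_A], RULE_B))
    # ... but still catches a genuine duplicate with the same source.
    print(find_conflicts([RULE_A], RULE_A_AGAIN))
```

From a hardening standpoint the distinction matters: per-source forwards are the least-privilege form of a port forward, and a validator that rejects them for no reason nudges administrators toward a single, wider rule that accepts any source.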


Files

BeforeSecondCARP.png (46.2 KB) - Right Before Changing Second Rule to CARP VIP - Kris Phillips, 07/16/2021 11:11 AM
ErrorWithTCPUDPCARP.png (121 KB) - Error when Applying Second Rule with TCP/UDP - Kris Phillips, 07/16/2021 11:11 AM
WorkingTCPUDPWANAddress.png (48.3 KB) - Working with two rules and WAN Address - Kris Phillips, 07/16/2021 11:11 AM
WorkingCARPVIP.png (46.5 KB) - Working with TCP only and CARP - Kris Phillips, 07/16/2021 11:11 AM
WorkingWANIP.png (47.9 KB) - Working with TCP only and WAN Address - Kris Phillips, 07/16/2021 11:11 AM
CARPVIPError21-05.mp4 (3.75 MB) - Kris Phillips, 07/16/2021 12:24 PM

Related issues

Is duplicate of Bug #11734: NAT rule overlap detection is inconsistent (Resolved, Marcos M, 03/26/2021)

Actions #1

Updated by Kris Phillips over 2 years ago

Did additional testing today as I wasn't able to recreate this. I realized this only applies to TCP/UDP with different sources and destinations. If you JUST choose TCP or UDP, it's fine. See attached screenshots.

Actions #2

Updated by Viktor Gurov over 2 years ago

Unable to reproduce on pfSense-2.6.0.a.20210716.0500 - works without issues.

Actions #3

Updated by Kris Phillips over 2 years ago

Here is a screencast showing the issue on 21.05 of pfSense Plus

Actions #4

Updated by Kris Phillips over 2 years ago

Issue appears corrected with changeset 3736da7f0ffd73c0cd25b7118b3c4be2e1f0eab9 applied as a system patch. Should be in 21.09 as a fix.

Actions #5

Updated by Marcos M over 2 years ago

  • Status changed from New to Closed

Indeed this is a symptom of #11734. Consequently, the patch there resolves this symptom in an unintentional way. I've submitted a proper fix for it.

It seems I'm not able to mark this as a duplicate so I'll just close it out instead.

Actions #6

Updated by Jim Pingle over 2 years ago

  • Category changed from Web Interface to Rules / NAT
  • Status changed from Closed to Duplicate
  • Affected Plus Version deleted (21.05)

Actions #7

Updated by Jim Pingle over 2 years ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from Rules / NAT to Rules / NAT

Actions #8

Updated by Jim Pingle over 2 years ago

  • Is duplicate of Bug #11734: NAT rule overlap detection is inconsistent added