Bug #12319

closed

NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode

Added by Viktor Gurov 9 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 50%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

Invalid rules created:

# NAT Inbound Redirects
rdr pass on vtnet0 inet proto tcp from any to 192.168.3.4 port 110 -> 192.168.3.42 port 443
rdr on vtnet0 inet6 proto tcp from any to fc00:3::4 port 110 -> fc00:123::5555 port 443
# Reflection redirects
rdr on { vtnet2  enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000

Aug 31 15:46:53 pf4 php-fpm[1161]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules:
/tmp/rules.debug:185: no translation address with matching address family found. - The line in question reads [185]:
rdr on { vtnet2  enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000

/var/etc/xinetd.conf:

service 19000-tcp
{
    type = unlisted
    bind = 127.0.0.1
    port = 19000
    socket_type = stream
    protocol = tcp
    wait = no
    user = nobody
    server = /usr/bin/nc
    server_args = -w 2000 fc00:123::5555 443
}
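
Added example, not part of the original report and not pfSense code: a small Python check that scans a pf ruleset for rdr rules whose destination, declared family (inet/inet6) and translation target disagree, which is the condition behind the "no translation address with matching address family found" error above. The function names are hypothetical, the sample is built from the rules quoted in this report, and the regex assumes the single-address rule shape shown there.

```python
import ipaddress
import re
import sys

# Constructed sample: the rdr lines quoted in the report above.
SAMPLE_RULES = """\
# NAT Inbound Redirects
rdr pass on vtnet0 inet proto tcp from any to 192.168.3.4 port 110 -> 192.168.3.42 port 443
rdr on vtnet0 inet6 proto tcp from any to fc00:3::4 port 110 -> fc00:123::5555 port 443
# Reflection redirects
rdr on { vtnet2  enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000
"""

# Destination token after "to", translation target after "->".
RDR = re.compile(r"^rdr\b.*?\bto\s+(\S+).*?->\s+(\S+)")


def family(token):
    """Return 4 or 6 for a literal address or prefix; None for 'any', aliases, tables."""
    try:
        return ipaddress.ip_network(token, strict=False).version
    except ValueError:
        return None


def find_family_mismatches(rules_text):
    """Return (line_no, destination, target) for rdr rules that mix IPv4 and IPv6."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        match = RDR.match(line.strip())
        if not match:
            continue
        dst, target = match.groups()
        # An explicit "inet"/"inet6" keyword also pins the rule's address family.
        declared = 6 if re.search(r"\binet6\b", line) else 4 if re.search(r"\binet\b", line) else None
        families = {declared, family(dst), family(target)} - {None}
        if len(families) > 1:
            findings.append((line_no, dst, target))
    return findings


if __name__ == "__main__":
    # With a path argument, check that file (e.g. a copy of rules.debug); else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, dst, target in find_family_mismatches(text):
        print(f"line {line_no}: destination {dst} and target {target} differ in address family")
```

Run against the sample, it reports only the reflection redirect (line 5), whose IPv6 destination is sent to the IPv4 loopback proxy listener.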

Actions #1

Updated by Jim Pingle 9 months ago

I'm not sure we should even try supporting that mode for IPv6, it's bad enough for IPv4.

I'm inclined to have the backend code skip any IPv6 in that mode, and drop a note in the GUI on the reflection options stating that isn't supported for IPv6. Maybe toss an input validation error if someone picks that mode specifically on a port forward with IPv6 addresses.

Actions #3

Updated by Jim Pingle 9 months ago

  • Status changed from New to Pull Request Review
  • Target version set to CE-Next
  • Plus Target Version set to Plus-Next
Actions #4

Updated by Viktor Gurov 7 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle 7 months ago

  • Target version changed from CE-Next to 2.6.0
  • Plus Target Version changed from Plus-Next to 22.01
Actions #6

Updated by Jim Pingle 7 months ago

  • Subject changed from IPv6 Port Forwarding rules doesn't work in NAT+Proxy mode to NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode

Updating subject for release notes.

Actions #7

Updated by Danilo Zrenjanin 3 months ago

Tested on the:

2.6.0-RC (amd64)
built on Mon Jan 24 18:44:12 UTC 2022
FreeBSD 12.3-STABLE

It works only if you choose NAT + Proxy on the port forward configuration page. It should check the Network Address Translation setup under the System/Advanced/Firewall & NAT page too.

Actions #8

Updated by Viktor Gurov 3 months ago

  • Status changed from Feedback to New
  • Assignee set to Viktor Gurov
  • Target version changed from 2.6.0 to 2.7.0
  • % Done changed from 100 to 50
  • Plus Target Version changed from 22.01 to 22.05
  • Affected Version changed from 2.5.2 to 2.6.0
Actions #9

Updated by Viktor Gurov 3 months ago

Danilo Zrenjanin wrote in #note-7:

Tested on the:
[...]

It works only if you choose NAT + Proxy on the port forward configuration page. It should check the Network Address Translation setup under the System/Advanced/Firewall & NAT page too.

fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/611

Actions #10

Updated by Jim Pingle 3 months ago

  • Status changed from New to Pull Request Review
Actions #11

Updated by Viktor Gurov 3 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #12

Updated by Danilo Zrenjanin 3 months ago

  • Status changed from Feedback to Resolved

Tested:

2.7.0-DEVELOPMENT (amd64)
built on Wed Feb 16 06:17:48 UTC 2022
FreeBSD 12.3-STABLE

Works fine. I am marking the ticket resolved.
