Bug #12319
NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode
Status: Closed
% Done: 50%
Description
Invalid rules created:
# NAT Inbound Redirects
rdr pass on vtnet0 inet proto tcp from any to 192.168.3.4 port 110 -> 192.168.3.42 port 443
rdr on vtnet0 inet6 proto tcp from any to fc00:3::4 port 110 -> fc00:123::5555 port 443
# Reflection redirects
rdr on { vtnet2 enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000
Aug 31 15:46:53 pf4 php-fpm[1161]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:185: no translation address with matching address family found. - The line in question reads [185]: rdr on { vtnet2 enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000
/var/etc/xinetd.conf:
service 19000-tcp
{
    type = unlisted
    bind = 127.0.0.1
    port = 19000
    socket_type = stream
    protocol = tcp
    wait = no
    user = nobody
    server = /usr/bin/nc
    server_args = -w 2000 fc00:123::5555 443
}
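An added check, not part of pfSense's own code, that reproduces the failure from this description: it extracts the destination and translation addresses from the pf rdr rules quoted above and flags the reflection rule whose IPv6 destination is redirected to an IPv4 loopback target (the mismatch pf rejects), then shows how a generator for the NAT+Proxy reflection rule would skip IPv6 forwards. The helper names are hypothetical; the proxy address 127.0.0.1:19000 and the interface group are taken from the report.

```python
import ipaddress
import re

# The pf "rdr" rules quoted in the bug report; the third one is the line pf rejects.
RULES = [
    "rdr pass on vtnet0 inet proto tcp from any to 192.168.3.4 port 110 -> 192.168.3.42 port 443",
    "rdr on vtnet0 inet6 proto tcp from any to fc00:3::4 port 110 -> fc00:123::5555 port 443",
    "rdr on { vtnet2 enc0 openvpn WireGuard } proto tcp from any to fc00:3::4 port 110 tag PFREFLECT -> 127.0.0.1 port 19000",
]

# Destination address ("to X port") and translation target ("-> Y port").
_DST = re.compile(r"\bto\s+(\S+)\s+port")
_TGT = re.compile(r"->\s+(\S+)\s+port")

def rdr_families(rule):
    """Return (destination_family, target_family) as 4 or 6 for one pf rdr rule."""
    dst = _DST.search(rule)
    tgt = _TGT.search(rule)
    if not dst or not tgt:
        raise ValueError("not a recognizable rdr rule: " + rule)
    return (ipaddress.ip_address(dst.group(1)).version,
            ipaddress.ip_address(tgt.group(1)).version)

def find_family_mismatches(rules):
    """Return the rules whose destination and translation address families differ.

    pf refuses such a rule ("no translation address with matching address family
    found"), and a single bad line makes the whole ruleset fail to load.
    """
    return [r for r in rules if len(set(rdr_families(r))) != 1]

def reflection_rule(dst, dst_port, proxy_ip="127.0.0.1", proxy_port=19000):
    """Build the NAT+Proxy reflection rdr, or None when the families differ.

    Follows the direction taken in the thread: IPv6 forwards are skipped in
    NAT+Proxy mode because the proxy listens on an IPv4 loopback address.
    """
    if ipaddress.ip_address(dst).version != ipaddress.ip_address(proxy_ip).version:
        return None
    return (f"rdr on {{ vtnet2 enc0 openvpn WireGuard }} proto tcp from any to {dst} "
            f"port {dst_port} tag PFREFLECT -> {proxy_ip} port {proxy_port}")

if __name__ == "__main__":
    for bad in find_family_mismatches(RULES):
        print("family mismatch:", bad)
    print(reflection_rule("192.168.3.4", 110))
    print(reflection_rule("fc00:3::4", 110))  # None: skipped in NAT+Proxy mode
```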
Updated by Jim Pingle about 3 years ago
I'm not sure we should even try supporting that mode for IPv6, it's bad enough for IPv4.
I'm inclined to have the backend code skip any IPv6 in that mode, and drop a note in the GUI on the reflection options stating that it isn't supported for IPv6. Maybe toss an input validation error if someone picks that mode specifically on a port forward with IPv6 addresses.
Updated by Viktor Gurov about 3 years ago
Updated by Jim Pingle about 3 years ago
- Status changed from New to Pull Request Review
- Target version set to CE-Next
- Plus Target Version set to Plus-Next
Updated by Viktor Gurov about 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 1ab2ec0a269f03dd7e865d21787331a7a2cb6f3f.
Updated by Jim Pingle about 3 years ago
- Target version changed from CE-Next to 2.6.0
- Plus Target Version changed from Plus-Next to 22.01
Updated by Jim Pingle about 3 years ago
- Subject changed from IPv6 Port Forwarding rules doesn't work in NAT+Proxy mode to NAT reflection does not work for IPv6 port forwarding rules when configured for NAT+Proxy mode
Updating subject for release notes.
Updated by Danilo Zrenjanin almost 3 years ago
Tested on the:
2.6.0-RC (amd64) built on Mon Jan 24 18:44:12 UTC 2022 FreeBSD 12.3-STABLE
It works only if you choose NAT + Proxy on the port forward configuration page. It should check the Network Address Translation setup under the System/Advanced/Firewall & NAT page too.
Updated by Viktor Gurov almost 3 years ago
- Status changed from Feedback to New
- Assignee set to Viktor Gurov
- Target version changed from 2.6.0 to 2.7.0
- % Done changed from 100 to 50
- Plus Target Version changed from 22.01 to 22.05
- Affected Version changed from 2.5.2 to 2.6.0
Updated by Viktor Gurov almost 3 years ago
Danilo Zrenjanin wrote in #note-7:
Tested on the:
[...] It works only if you choose NAT + Proxy on the port forward configuration page. It should check the Network Address Translation setup under the System/Advanced/Firewall & NAT page too.
fix:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/611
Updated by Jim Pingle almost 3 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov almost 3 years ago
- Status changed from Pull Request Review to Feedback
Merged
Updated by Danilo Zrenjanin almost 3 years ago
- Status changed from Feedback to Resolved
Tested:
2.7.0-DEVELOPMENT (amd64) built on Wed Feb 16 06:17:48 UTC 2022 FreeBSD 12.3-STABLE
Works fine. I am marking the ticket resolved.