Project

General

Profile

Actions

Bug #12452

closed

Port forward rules are not created for special networks (pppoe, openvpn)

Added by Viktor Gurov 7 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Rules / NAT
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
2.5.2
Affected Architecture:

Description

https://forum.netgate.com/topic/167150/dns-redirect-on-pppoe-clients-failing:
"I have a pfSense server running sucessfully with approx 150 end user devices connecting via a dedicated interface on the pfSense configured for PPPoE. The PPPoE client IP address are issued to the end user devices from a radius server, all this which works fine and traffic is good. DNS servers are pushed to the end user devices via the radius server which again is all good.

However, I want to redirect all the PPPoE client DNS traffic to the pfSense server so that DNS requests are handled via the pfSense to help prevent end users circumventing our DNS servers.

I have followed the guide for this, setup DNS resolvers on the pfSense and applied this to the LAN interface (a seperate interface) and as expected this works a treat for the LAN users but I repeat this for the PPPoE interface and it doesn't seem to work for the PPPoE clients, it just ignores the NAT redirect rule and the traffic is sent to the DNS server that has been manually configured."

pfSense successfully creates redirect rules for interfaces, like:

# NAT Inbound Redirects
rdr on vtnet0 inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
# Reflection redirect
rdr on {  openvpn WireGuard } inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
...
pass  in  quick  on $LAN inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138298 keep state  label "USER_RULE: NAT " 

but doesn't create rdr rules for PPPoE Server or OpenVPN groups:

pass  in  quick  on $OpenVPN inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138263 keep state  label "USER_RULE: NAT " 
pass  in  quick  on $pppoe inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138088 keep state  label "USER_RULE: NAT " 

Actions #1

Updated by Marcos Mendoza 7 months ago

This should be tested on 22.01 snapshots as something changed to fix the missing nat rules (see #11481) which may affect this scenario as well.

Actions #2

Updated by Viktor Gurov 7 months ago

Marcos Mendoza wrote in #note-1:

This should be tested on 22.01 snapshots as something changed to fix the missing nat rules (see #11481) which may affect this scenario as well.

same issue on 2.6.0.a.20211020.0500
and it's not related to #11481

Actions #3

Updated by Viktor Gurov 6 months ago

pfSense doesn't create rdr rules for special interfaces (openvpn, pppoe, ipsec) if destination = any

add extra checks and input validation:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/460

Actions #4

Updated by Jim Pingle 6 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
  • Target version set to 2.6.0
  • Plus Target Version set to 22.01
Actions #5

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Max Leighton 6 months ago

  • Status changed from Feedback to Resolved

Tested in

2.6.0-DEVELOPMENT (amd64)
built on Sat Nov 20 06:21:37 UTC 2021
FreeBSD 12.3-PRERELEASE

Input validation now prevents me from creating a port forward with destination ANY on OpenVPN or PPPoE interfaces when Pure NAT (or NAT+proxy) is selected on the rule or set as the system default.

Saving the rule will result in the message:

"The following input errors were detected:
The submitted interface does not support the 'Any' destination type with enabled NAT reflection."

Marking the ticket resolved.

Actions #7

Updated by Jim Pingle 5 months ago

  • Subject changed from Port Forward rules are not created for special nets (pppoe, openvpn) to Port forward rules are not created for special networks (pppoe, openvpn)

Updating subject for release notes.

Actions #9

Updated by Jim Pingle 5 months ago

  • Status changed from Resolved to Pull Request Review
Actions #10

Updated by Viktor Gurov 5 months ago

  • Status changed from Pull Request Review to Feedback
Actions #11

Updated by Alhusein Zawi 4 months ago

Input validation prevented me to create a port forward with destination ANY on all interfaces( WAN,LAN....) and all protocols(even ICMP) if I selected pure NAT or NAT+proxy

"The submitted interface does not support the 'Any' destination type with enabled NAT reflection"

2.6.0.b.20220107.0600

Actions #12

Updated by Viktor Gurov 4 months ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF