Bug #12452

open

Port Forward rules are not created for special nets (pppoe, openvpn)

Added by Viktor Gurov 12 days ago. Updated 5 days ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:
Description

https://forum.netgate.com/topic/167150/dns-redirect-on-pppoe-clients-failing:
"I have a pfSense server running successfully with approx. 150 end user devices connecting via a dedicated interface on the pfSense configured for PPPoE. The PPPoE client IP addresses are issued to the end user devices from a RADIUS server, all of which works fine and traffic is good. DNS servers are pushed to the end user devices via the RADIUS server, which again is all good.

However, I want to redirect all the PPPoE client DNS traffic to the pfSense server so that DNS requests are handled via the pfSense to help prevent end users circumventing our DNS servers.

I have followed the guide for this, set up DNS resolvers on the pfSense and applied this to the LAN interface (a separate interface) and as expected this works a treat for the LAN users, but I repeat this for the PPPoE interface and it doesn't seem to work for the PPPoE clients: it just ignores the NAT redirect rule and the traffic is sent to the DNS server that has been manually configured."

pfSense successfully creates redirect rules for interfaces, like:

# NAT Inbound Redirects
rdr on vtnet0 inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
# Reflection redirect
rdr on {  openvpn WireGuard } inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
...
pass  in  quick  on $LAN inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138298 keep state  label "USER_RULE: NAT " 

but doesn't create rdr rules for PPPoE Server or OpenVPN groups:

pass  in  quick  on $OpenVPN inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138263 keep state  label "USER_RULE: NAT " 
pass  in  quick  on $pppoe inet proto { tcp udp }  from any to 192.168.3.4 port 53 tracker 1634138088 keep state  label "USER_RULE: NAT " 
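
An added check for the situation the report describes (this is example code, not pfSense's rule generator and not part of the report): it reads a pf ruleset and lists every interface or group that has a pass rule for port-53 traffic but no matching rdr rule, which is exactly the PPPoE/OpenVPN gap shown above. It assumes the ruleset text uses literal interface or group names after "on" (what `pfctl -sn` and `pfctl -sr` print; in /tmp/rules.debug the pass rules use macros such as $pppoe, which would need resolving first) and accepts both the "port 53" form from rules.debug and the "port = domain" form pfctl prints. The ruleset below is constructed from the rules quoted in the report.

```shell
#!/bin/sh
# Example check, not pfSense code: find interfaces that pass DNS traffic
# without a port-53 rdr rule. Constructed sample ruleset based on the
# rules quoted in the bug report (names are assumptions, not live data).
SAMPLE_RULES='# NAT Inbound Redirects
rdr on vtnet0 inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
# Reflection redirect
rdr on {  openvpn WireGuard } inet proto { tcp udp } from any to !192.168.3.4 port 53 -> 192.168.3.4
pass in quick on vtnet0 inet proto { tcp udp } from any to 192.168.3.4 port 53 keep state label "USER_RULE: NAT "
pass in quick on openvpn inet proto udp from any to 192.168.3.4 port = domain keep state label "USER_RULE: NAT "
pass in quick on pppoe inet proto { tcp udp } from any to 192.168.3.4 port 53 keep state label "USER_RULE: NAT "'

# ifaces_for KEYWORD: read a ruleset on stdin and print, one per line and
# sorted, every interface named by a KEYWORD (rdr or pass) rule that
# matches destination port 53. Handles both "on ifname" and
# "on { if1 if2 }" (a braced list expands to one rule per member in pf).
ifaces_for() {
  awk -v kw="$1" '
    $1 == kw && /port (= )?(53|domain)/ {
      for (i = 2; i <= NF; i++) {
        if ($i == "on") {
          if ($(i + 1) == "{") {
            for (j = i + 2; j <= NF && $j != "}"; j++) print $j
          } else {
            print $(i + 1)
          }
          break
        }
      }
    }' | LC_ALL=C sort -u
}

# missing_rdr: read a ruleset on stdin and print the interfaces that have
# a pass rule for port 53 but no rdr rule for it, i.e. where the DNS
# redirect is silently not applied.
missing_rdr() {
  rules="$(cat)"
  passes="$(printf '%s\n' "$rules" | ifaces_for pass)"
  rdrs="$(printf '%s\n' "$rules" | ifaces_for rdr)"
  for iface in $passes; do
    printf '%s\n' "$rdrs" | grep -qx "$iface" || printf '%s\n' "$iface"
  done
}

# Run against the constructed sample: only pppoe lacks a redirect.
printf '%s\n' "$SAMPLE_RULES" | missing_rdr
```

On a live firewall the same check runs against the loaded ruleset with `{ pfctl -sn; pfctl -sr; } | missing_rdr`; an interface listed there will pass DNS queries straight through to whatever resolver the client has configured, which is the behaviour the forum poster observed on the PPPoE interface.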

Actions #1

Updated by Marcos Mendoza 7 days ago

This should be tested on 22.01 snapshots as something changed to fix the missing nat rules (see #11481) which may affect this scenario as well.

Actions #2

Updated by Viktor Gurov 5 days ago

Marcos Mendoza wrote in #note-1:

This should be tested on 22.01 snapshots as something changed to fix the missing nat rules (see #11481) which may affect this scenario as well.

same issue on 2.6.0.a.20211020.0500
and it's not related to #11481
