Bug #12798
closed
Web UI allows IP Aliases and 1:1 NAT to share IP on same interface - ends in routing issues
0%
Description
I've found an issue where if you configure an IP Alias and use that same external IP for a static (1:1) NAT then issues with routing occur where all gateways become unavailable. A genericised example below based upon my config:
Interface: WAN
WAN IP: 1.2.3.4/32
WAN GW: 5.6.7.8 (non-local gateway)
Alias: 1.2.3.5/32
And a 1:1 NAT for 1.2.3.5/32 to host 10.1.2.3/32.
The symptoms are a loss of connectivity via a gateway after a while (it's not instant) whether gateway monitoring is enabled or not. Connectivity is instantly restored by deleting the IP aliases.
Updated by Paul Parkin over 3 years ago
This is also an issue in 2.5.2, but I hadn't figured out what caused the issue until today having upgraded to 2.6/22.01.
Updated by Jim Pingle over 3 years ago
- Status changed from New to Not a Bug
I have a few systems here with that kind of configuration and none have the problems you describe, and that is a very common use case of VIPs and 1:1 NAT. You might be hitting some variation of #11545 but there isn't enough information here to tell, and it's not something we can reproduce.
This site is not for support or diagnostic discussion.
For assistance in solving problems, please post on the Netgate Forum or the pfSense Subreddit .
See Reporting Issues with pfSense Software for more information.
Updated by Paul Parkin over 3 years ago
This isn't a request for support... I've already specified what the symptoms are, the cause and how to fix it. :)
I am able to replicate this and send somebody at Netgate the XML config from the firewall that will break the installation 100% of the time when applied though restore.
Updated by Jim Pingle over 3 years ago
It's possible it's specifically related to your use of a non-local gateway (which is not a typical use case) and not a general NAT+IP Alias issue. If that is the case, the title and description are wrong.
There is NOT enough information here -- please start a forum thread and supply, at a minimum, the contents of the routing table (netstat -rn) and the interface configuration (ifconfig -a) both when it's working and when it is not working. There is a lot more to discuss and diagnose here, the problem report is far from complete and this is not the place to figure out the details.