pfSense

NAT reflection can generate multiple identical rules if the configuration contains multiple VIPs in the same subnet.

Example Setup:

• Port forward on WAN to a host on LAN
• LAN has three VIPs (An IP alias, a CARP, and an Alias on CARP) inside the LAN subnet
• NAT reflection enabled in pure NAT mode

The ruleset ends up with multiple copies of the same reflection rule:

rdr on vtnet0 inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
# Reflection redirect
rdr on { vtnet1  enc0 openvpn SomeWANs } inet proto tcp from any to 198.51.100.6 port 222 -> 10.6.0.10 port 22
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535
nat on vtnet1 proto tcp from 10.6.0.0/24 to 10.6.0.10 port 22 -> 10.6.0.1 port 1024:65535

Looks like there are multiple entries for the same network coming back from filter_get_direct_networks_list(false); one for each VIP and the next loop in the reflection code isn't accounting for that situation.

At the very least it should keep a record of which combinations it's already added rules for and skipping those, or checking for and skipping if the rule it generates is identical to one already in the list.