Project

General

Profile

Actions
Copy link

Regression #15024

closed

Invalid outbound NAT rules break the following rule

Added by Steve Wheeler 6 months ago. Updated 5 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Marcos M
Category:
Rules / NAT
Target version:
2.7.2
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.09.1
Release Notes:
Default
Affected Version:
2.7.1
Affected Architecture:
All

Description

Manual outbound NAT rules are commented out in the ruleset if they are invalid such as when he interface is disabled:

# Missing interface 'opt1' for rule 'Test'

However in 2.7.1 the following rule runs on immediately omitting it from the rules:

# Missing interface 'opt1' for rule 'Test'nat on $SWITCH inet proto tcp from $OPT3__NETWORK to any -> 192.168.70.1/32 port 443  # Test2

Actions
Copy link
 #1

Updated by Steve Wheeler 6 months ago

In my test case the rule is added twice:

# Outbound NAT rules (manual)
nat on $SWITCH inet from 172.21.16.0/24 to 192.168.1.0/24 -> 192.168.70.1/32 port 1024:65535  # Temp AP access
nat on $SWITCH inet from 172.21.16.0/24 to 10.232.209.0/24 -> 10.232.209.10/32 port 1024:65535  # Temp AP access
# Missing interface 'opt1' for rule 'Test'nat on $SWITCH inet proto tcp from $OPT3__NETWORK to any -> 192.168.70.1/32 port 443  # Test2
nat on $SWITCH inet6 proto tcp from $OPT3__NETWORK to any -> (igb3) port 443  # Test2

But is not for other reported cases:
https://forum.netgate.com/topic/184251/routing-interface-gateway-issues-after-updating-from-ce-2-7-2-71/

Actions
Copy link
 #2

Updated by Jim Pingle 6 months ago

  • Plus Target Version set to 24.03
Actions
Copy link
 #3

Updated by Marcos M 6 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #4

Updated by Steve Wheeler 6 months ago

Patch looks good:

# Outbound NAT rules (manual)
nat on $SWITCH inet from 172.21.16.0/24 to 192.168.1.0/24 -> 192.168.70.1/32 port 1024:65535  # Temp AP access
nat on $SWITCH inet from 172.21.16.0/24 to 10.232.209.0/24 -> 10.232.209.10/32 port 1024:65535  # Temp AP access
# Missing interface 'opt1' for rule 'Test'
nat on $SWITCH inet proto tcp from $OPT3__NETWORK to any -> 192.168.70.1/32 port 443  # Test2
nat on $SWITCH inet6 proto tcp from $OPT3__NETWORK to any -> (igb3) port 443  # Test2

Actions
Copy link
 #5

Updated by Marcos M 6 months ago

  • Assignee set to Marcos M
Actions
Copy link
 #6

Updated by Marcos M 6 months ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #7

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.8.0 to 2.7.2
  • Plus Target Version changed from 24.03 to 23.09.1
Actions
Copy link

Also available in: Atom PDF