Bug #15349: 1:1 NAT rule for subnet always uses full subnet range
Status: Closed
Description
Creating a 1:1 NAT rule for something like 10.0.0.5/28 -> 10.1.0.7/28 will actually create the proper rules for the entire /24 subnet.
Output from pfctl -s nat:

    [2.7.2-RELEASE][admin@pfSense.home.arpa]/root: pfctl -s nat | grep 10.0
    binat on vtnet0 inet from 10.1.0.0/28 to any -> 10.0.0.0/28
This is probably the correct behavior, but may not be what people expect and does not appear to be documented.
It would probably make sense for the web interface to reject this kind of rule and require the subnet be specified properly by the first IP in the range.
Updated by Jim Pingle 8 months ago
- Status changed from New to Not a Bug
The "/24" in your text appears to be a typo or confusion on your part. The rules it forms use the whole /28 which is exactly as expected, it just happens that in your example the /28 and /24 start at the same address. Try something higher like 10.0.0.130/28 for example.
That's how subnet math works everywhere. Either we reject any input except the network address or it gets adjusted automatically by pf. The current method is more user-friendly and it's doing exactly what it was told to do.
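As an added illustration of the subnet math discussed in this ticket (example code, not part of the ticket or of pfSense), this reproduces how pf masks off the host bits of the address entered for a 1:1 rule and implements the stricter "network address only" check the reporter proposed. It assumes the "from" side of the binat line is the internal block and uses the interface name shown in the pfctl output.

```python
import ipaddress

# Added example: mirror how pf normalizes the address/prefix given for a
# 1:1 (binat) rule, and the stricter input check the reporter suggested.
# Addresses and the interface name are taken from the ticket's pfctl output;
# which side is "internal" is an assumption for this illustration.


def effective_network(cidr: str) -> ipaddress.IPv4Network:
    """Return the block pf actually uses: host bits are masked off, so
    10.0.0.5/28 becomes 10.0.0.0/28 and 10.0.0.130/28 becomes 10.0.0.128/28."""
    return ipaddress.ip_network(cidr, strict=False)


def binat_rule(iface: str, internal: str, external: str) -> str:
    """Render the binat line pf would form, in the style of 'pfctl -s nat'.
    1:1 NAT maps two equally sized blocks, so the prefix lengths must match."""
    inside = effective_network(internal)
    outside = effective_network(external)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError(f"prefix length mismatch: {internal} vs {external}")
    return f"binat on {iface} inet from {inside} to any -> {outside}"


def strict_check(cidr: str) -> tuple:
    """The 'reject anything but the network address' option: report whether
    the user typed the network address and, if not, which block pf would use."""
    net = effective_network(cidr)
    addr = ipaddress.ip_interface(cidr).ip
    if addr == net.network_address:
        return True, str(net)
    return False, f"{cidr} has host bits set; pf will use {net}"


if __name__ == "__main__":
    # Reproduces the rule from the ticket and Jim's 10.0.0.130/28 example.
    print(binat_rule("vtnet0", "10.1.0.7/28", "10.0.0.5/28"))
    print(strict_check("10.0.0.5/28"))
    print(strict_check("10.0.0.130/28"))
```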