Feature #2416: Hybrid NAT mode that is a mix of Auto+Manual
Status: Closed
Done: 100%
Description
Often we suggest people switch to manual outbound NAT to make some very basic adjustments (such as a static port for 5060 from a PBX for certain SIP trunks) but it seems like overkill to make them discard all of the other benefits of Automatic Outbound NAT for small changes.
It would be nice to have a NAT mode that would respect the custom rules first, and then have the auto rules (which should be shown in the GUI while in auto mode) respected after the custom rules.
So the NAT choices could be:
- Fully Automatic Outbound NAT - No change from current behavior - Rules are ignored.
- Hybrid Outbound NAT - Rules are honored, auto rules after.
- Fully Manual NAT - No change from current behavior - Only custom rules are honored, no auto rules.
This way, if a user needs a simple adjustment (static port, or a no-nat rule, etc) they can benefit from aspects of both methods.
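To make the three modes (plus the "Off" mode proposed later in the thread) concrete, here is an added illustrative model, not pfSense's own code, of how the ordered outbound NAT rule set is assembled in each mode: custom rules first, then for each local subnet the two automatic rules (a static-port rule for udp/500 so ISAKMP works, followed by the general translation rule). The pf-style rule text, the interface name `wan` and the sample subnets are assumptions constructed for the example.

```python
from typing import List

# Constructed sample data: a WAN interface and the local subnets that
# automatic outbound NAT would cover (illustrative values only).
WAN = "wan"
LOCAL_SUBNETS = ["192.168.1.0/24", "10.0.5.0/24"]


def auto_rules(wan: str, subnets: List[str]) -> List[str]:
    """Automatic outbound NAT: for every local subnet, a static-port rule
    for udp/500 (ISAKMP) followed by the general translation rule.
    The udp/500 rule is emitted per subnet, not only for the first one."""
    rules = []
    for net in subnets:
        rules.append(f"nat on {wan} inet proto udp from {net} to any port 500 "
                     f"-> ({wan}:0) static-port")
        rules.append(f"nat on {wan} inet from {net} to any -> ({wan}:0) port 1024:65535")
    return rules


def outbound_nat(mode: str, wan: str, subnets: List[str], custom: List[str]) -> List[str]:
    """Assemble the ordered rule set for the chosen mode. pf uses first match
    for nat rules, so the ordering is the whole point of hybrid mode."""
    if mode == "automatic":
        return auto_rules(wan, subnets)           # custom rules are ignored
    if mode == "hybrid":
        return custom + auto_rules(wan, subnets)  # custom first, auto after
    if mode == "manual":
        return list(custom)                       # only custom rules, no auto
    if mode == "off":
        return []                                 # outbound NAT disabled
    raise ValueError(f"unknown outbound NAT mode: {mode}")


# The adjustment from the description: keep the source port for SIP from a
# PBX (assumed address 192.168.1.10) so the trunk sees port 5060 unchanged.
PBX_STATIC_PORT = (f"nat on {WAN} inet proto udp from 192.168.1.10 to any port 5060 "
                   f"-> ({WAN}:0) static-port")

if __name__ == "__main__":
    for mode in ("automatic", "hybrid", "manual", "off"):
        print(f"--- {mode} ---")
        for rule in outbound_nat(mode, WAN, LOCAL_SUBNETS, [PBX_STATIC_PORT]):
            print(rule)
```

Running it shows why hybrid mode avoids the trap mentioned later in the thread: in manual mode a subnet added after the switch (here `10.0.5.0/24`) gets no translation rule at all, while hybrid mode still generates the automatic rules for it after the custom one.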
Updated by Jim Pingle over 12 years ago
- Off (all outbound NAT disabled)
Then someone doesn't need to do the two-step switch-to-manual/delete-all-rules in order to disable outbound NAT.
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset eef01b14df77186f9c1205e9e5cb83f80407d7fd.
Updated by Renato Botelho about 11 years ago
- Status changed from Feedback to New
Still have some changes to push, keep it as new for now
Updated by Phillip Davis about 11 years ago
This is a great thing. I have places where I used Manual for a small reason. Then I add another LAN at that site and forget to add it to the manual rules! Hybrid is just what many people will find useful.
I don't know what the policy is about new/changed features in 2.1.n, as distinct from strictly bugfixes - but I would certainly find it useful to have this in a release that comes out in the near future, e.g. being back-ported into 2.1.n so it comes in 2.1.1.
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
Applied in changeset bef388a70dffca0074d82cbd0f709c04c726248f.
Updated by Renato Botelho about 11 years ago
Phillip Davis wrote:
This is a great thing. I have places where I used Manual for a small reason. Then I add another LAN at that site and forget to add it to the manual rules! Hybrid is just what many people will find useful.
I don't know what the policy is about new/changed features in 2.1.n, as distinct from strictly bugfixes - but I would certainly find it useful to have this in a release that comes out in the near future, e.g. being back-ported into 2.1.n so it comes in 2.1.1.
It's such a big change for a minor release, which is expected to have only bug and security fixes.
Updated by Jim Pingle about 11 years ago
- Status changed from Feedback to New
Found a few issues with it after trying to break it a few ways:
- If there is no "mode" tag, there will be no backend rules. Default of automatic should be assumed. Or maybe it needs config upgrade code to fixup the settings from the old setting format to the new.
- 0.0.0.0 shows in the list of NAT networks in auto and hybrid mode, but it's not in the tonatsubnets table and it is not there when the rules are made during the switch to manual
- udp/500 rule is only created for the first subnet, not all, during the auto->manual transition
- Adding a rule to the "bottom" doesn't go under the auto rules. That is OK, but the buttons may need to be moved/adjusted to account for this.
- In Hybrid mode, if you have ONE rule at the top it works OK - try to move this single rule to the "bottom" under the auto rules and you receive an error: "Fatal error: Cannot use string offset as an array in /usr/local/www/firewall_nat_out.php on line 452" -- If you have multiple rules in the list, it reorders them without error.
- If you switch from Hybrid to manual it would be nice to keep the rules and still create the set from automatic.
Updated by Phillip Davis about 11 years ago
It's such a big change for a minor release, which is expected to have only bug and security fixes.
Yes, looking at the changes being committed just now, it would be quite a pain to find all the right bits and apply to 2.1.n - just have to wait for 2.2 to get a formal release of this.
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
Applied in changeset 858211ddde3b2a5eff0de609bf47070c4a7a776f.
Updated by Jim Pingle almost 11 years ago
- Status changed from Feedback to New
- % Done changed from 100 to 90
It looks like this is all OK now - but 0.0.0.0/0 is still there. Is that needed? Intentional?
On 2.1 it appears to use "0.0.0.0" not "0.0.0.0/0" so perhaps "0.0.0.0/32" is more appropriate, as 0.0.0.0/0 may match any/all traffic.
Updated by Renato Botelho almost 11 years ago
- Status changed from New to Feedback
- % Done changed from 90 to 100
Applied in changeset d11134243489f7cea17cdc4c04a0624b0c16ed18.
Updated by Jim Pingle almost 11 years ago
- Status changed from Feedback to Resolved
This all appears to work as expected now.