Feature #2416
closed
Hybrid NAT mode that is a mix of Auto+Manual
Added by Jim Pingle over 12 years ago.
Updated almost 11 years ago.
Description
Often we suggest people switch to manual outbound NAT to make some very basic adjustments (such as a static port for 5060 from a PBX for certain SIP trunks) but it seems like overkill to make them discard all of the other benefits of Automatic Outbound NAT for small changes.
It would be nice to have a NAT mode that would respect the custom rules first, and then have the auto rules (which should be shown in the GUI while in auto mode) respected after the custom rules.
So the NAT choices could be:
- Fully Automatic Outbound NAT - No change from current behavior - Rules are ignored.
- Hybrid Outbound NAT - Rules are honored, auto rules after.
- Fully Manual NAT - No change from current behavior - Only custom rules are honored, no auto rules.
This way, if a user needs a simple adjustment (static port, or a no-nat rule, etc) they can benefit from aspects of both methods.
While we're doing this, may as well add a fourth outbound NAT option
- Off (all outbound NAT disabled)
Then someone doesn't need to do the two-step switch-to-manual/delete-all-rules in order to disable outbound NAT.
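To make the proposed ordering concrete, here is what a hybrid ruleset would look like as a pf.conf fragment. This is an added illustration, not pfSense's generated ruleset or code from this ticket; the interface, addresses, macro names and subnets are assumed. pf uses first match for nat rules, so a custom rule listed before the automatic rules wins for the traffic it matches, while everything else still falls through to the automatic rules.

```pf
# Illustration only: hybrid outbound NAT as a pf.conf fragment.
# Interface, addresses and subnets are assumed, not taken from the ticket.
wan_if = "em0"
wan_ip = "203.0.113.5"

# --- custom rules (honored first in hybrid and manual mode) ---
# SIP trunk: keep source port 5060 for the PBX only, instead of
# switching the whole firewall to manual mode for this one rule.
nat on $wan_if from 10.0.10.5/32 to any port 5060 -> $wan_ip static-port

# --- automatic rules (appended after the custom rules in hybrid mode) ---
# IPsec: isakmp (udp/500) keeps its source port, one rule per local subnet.
nat on $wan_if from 10.0.10.0/24 to any port 500 -> $wan_ip static-port
nat on $wan_if from 10.0.20.0/24 to any port 500 -> $wan_ip static-port

# Everything else from each local subnet is translated with a random
# high source port.
nat on $wan_if from 10.0.10.0/24 to any -> $wan_ip port 1024:65535
nat on $wan_if from 10.0.20.0/24 to any -> $wan_ip port 1024:65535
```

In fully automatic mode only the second group would be loaded and the PBX traffic would get a randomized source port; in fully manual mode only the first group would be loaded, so a subnet added later (10.0.20.0/24 above) would leave the WAN untranslated until someone remembers to add a rule for it. Hybrid mode keeps both groups, with the custom rule taking precedence for the traffic it matches.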
- Status changed from New to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to New
Still have some changes to push, keep it as new for now
This is a great thing. I have places where I used Manual for a small reason. Then I add another LAN at that site and forget to add it to the manual rules! Hybrid is just what many people will find useful.
I don't know what the policy is about new/changed features in 2.1.n, as distinct from strictly bugfixes - but I would certainly find it useful to have this in a release that comes out in the near future, e.g. being back-ported into 2.1.n so it comes in 2.1.1.
- Status changed from New to Feedback
Phillip Davis wrote:
This is a great thing. I have places where I used Manual for a small reason. Then I add another LAN at that site and forget to add it to the manual rules! Hybrid is just what many people will find useful.
I don't know what the policy is about new/changed features in 2.1.n, as distinct from strictly bugfixes - but I would certainly find it useful to have this in a release that comes out in the near future, e.g. being back-ported into 2.1.n so it comes in 2.1.1.
It's such a big change for a minor release, which is expected to have only bug and security fixes
- Status changed from Feedback to New
Found a few issues with it after trying to break it a few ways:
- If there is no "mode" tag, there will be no backend rules. Default of automatic should be assumed. Or maybe it needs config upgrade code to fixup the settings from the old setting format to the new.
- 0.0.0.0 shows in the list of NAT networks in auto and hybrid mode, but it's not in the tonatsubnets table and it is not there when the rules are made during the switch to manual
- udp/500 rule is only created for the first subnet, not all, during the auto->manual transition
- Adding a rule to the "bottom" doesn't go under the auto rules. That is OK, but the buttons may need to be moved/adjusted to account for this.
- In Hybrid mode, if you have ONE rule at the top it works OK - try to move this single rule to the "bottom" under the auto rules and you receive an error: "Fatal error: Cannot use string offset as an array in /usr/local/www/firewall_nat_out.php on line 452" -- If you have multiple rules in the list, it reorders them without error.
- If you switch from Hybrid to manual it would be nice to keep the rules and still create the set from automatic.
It's such a big change for a minor release, which is expected to have only bug and security fixes
Yes, looking at the changes being committed just now, it would be quite a pain to find all the right bits and apply to 2.1.n - just have to wait for 2.2 to get a formal release of this.
- Status changed from New to Feedback
- Status changed from Feedback to New
- % Done changed from 100 to 90
It looks like this is all OK now - but 0.0.0.0/0 is still there. Is that needed? Intentional?
On 2.1 it appears to use "0.0.0.0" not "0.0.0.0/0" so perhaps "0.0.0.0/32" is more appropriate, as 0.0.0.0/0 may match any/all traffic.
- Status changed from New to Feedback
- % Done changed from 90 to 100
- Status changed from Feedback to Resolved
This all appears to work as expected now.