Bug #3198

IPSEC, when NATing to a different size subnet an invalid NAT rule is made.

Added by Pi Ba almost 5 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 09/14/2013
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.1
Affected Architecture: All

Description

IPSEC, when NATing to a different size subnet an invalid NAT rule is made.

Reproducible with these phase 2 settings:
Local: 192.168.1.0/24
NAT/BINAT: 172.16.44.0/28
Remote: 20.0.0.0/24

[ There were error(s) loading the rules: /tmp/rules.debug:66: binat source mask and redirect mask must be the same - The line in question reads [66]: binat on enc0 from 192.168.1.0/24 to 20.0.0.0/24 -> 172.16.44.0/28]

Also, a local net of 0.0.0.0 NATed to a subnet generates no rule at all.
Also, disabled IPsec rules still generate NAT rules.

This can be fixed by: https://github.com/pfsense/pfsense/pull/784

Associated revisions

Revision a8a642c5 (diff)
Added by Ermal Luçi over 3 years ago

Fixes #3198, check that subnet masks are equal when choosing binat type for IPSec to avoid errors on ruleset.

History

#1 Updated by Josep Pujadas about 4 years ago

I confirm this bug for 2.1.4

https://forum.pfsense.org/index.php?topic=78637 (in Spanish)

Difficult to understand how to apply the patch explained at https://github.com/pfsense/pfsense/pull/784

#2 Updated by Christian Renault about 4 years ago

I have this bug on 2.1.4 and after applying the patch described in https://github.com/pfsense/pfsense/pull/784, I have a segmentation fault on the firewall at boot time.

#3 Updated by Christian Renault about 4 years ago

Forgot to add that the VPNs work after the patch, binat is perfect, but my firewall is useless.

#4 Updated by Ermal Luçi almost 4 years ago

  • Status changed from New to Feedback

This should be fixed on 2.2

#5 Updated by Chris Buechler almost 4 years ago

  • Status changed from Feedback to New
  • Target version set to 2.2

This is still an issue. That pull request was not the answer though.

It should suffice (for 2.2) to add input validation on vpn_ipsec_phase2.php to require using matching subnet sizes where you're using "network" for NAT/BINAT. Either your subnet size has to match (binat), or you need to NAT to a single IP.

Or - allow mismatched subnet sizes, but skip the binat in that circumstance (then people can still manually configure their NAT via outbound NAT).

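As an added example, not pfSense code and not taken from any comment in this thread, the following Python models the rule choice discussed in the description and in comment #5: `phase2_validation_error` is the input-validation option (reject a NAT/BINAT network whose subnet size differs from the local network unless it is a single address), `translation_rule` is the skip-binat option that the fix in this ticket took, and `pf_mask_check` reproduces the pfctl mask check that rejected the rule quoted in the description. The function names, the `nat ... -> single address` form used for the single-IP case, the `enabled` flag for the disabled-entry case, and reading a local network of 0.0.0.0 as 0.0.0.0/0 are assumptions of this example; the binat rule text follows the line quoted in the report.

```python
"""Model of the IPsec phase 2 translation-rule choice from pfSense bug #3198.

Added example, not pfSense code. The binat rule text follows the line quoted
in the bug report; the nat form for a single-address target, the function
names and the 'enabled' flag are assumptions of this example.
"""
import ipaddress
import re


def _net(text):
    # Accept "a.b.c.d", "a.b.c.d/nn" or an IPv6 equivalent. A bare address
    # becomes a /32 (or /128) network. strict=False tolerates host bits set.
    # Assumption: a local network given as "0.0.0.0" means 0.0.0.0/0.
    if text == "0.0.0.0":
        text = "0.0.0.0/0"
    return ipaddress.ip_network(text, strict=False)


def phase2_validation_error(local, nat):
    """Option one from comment #5: validate the phase 2 form input.

    Returns an error string when the NAT/BINAT network is neither a single
    address nor the same subnet size as the local network, else None.
    """
    local_net = _net(local)
    nat_net = _net(nat)
    if nat_net.version != local_net.version:
        return "NAT/BINAT address family must match the local network"
    if nat_net.num_addresses == 1 or nat_net.prefixlen == local_net.prefixlen:
        return None
    return (f"NAT/BINAT network {nat_net} must use the same subnet size as the "
            f"local network {local_net} (/{local_net.prefixlen}) or be a single address")


def translation_rule(local, nat, remote, iface="enc0", enabled=True):
    """Option two from comment #5, which the fix took: emit a pf rule only
    when pf can accept it, otherwise None (admin configures outbound NAT).

    - disabled phase 2 entry: no rule at all (the report notes disabled
      entries still produced NAT rules)
    - single-address target: many-to-one 'nat' rule
    - equal prefix lengths: 1:1 'binat' rule
    - anything else (including 0.0.0.0/0 -> a /28): skip
    """
    if not enabled:
        return None
    local_net, nat_net, remote_net = _net(local), _net(nat), _net(remote)
    if nat_net.version != local_net.version:
        return None
    if nat_net.num_addresses == 1:
        return (f"nat on {iface} from {local_net} to {remote_net} "
                f"-> {nat_net.network_address}")
    if nat_net.prefixlen == local_net.prefixlen:
        return f"binat on {iface} from {local_net} to {remote_net} -> {nat_net}"
    return None


_BINAT_RE = re.compile(r"^binat on (\S+) from (\S+) to (\S+) -> (\S+)$")


def pf_mask_check(rule):
    """Emulate the pfctl check that rejected the rule in this report.

    For a binat rule the source mask and the redirect mask must be the same;
    returns the pfctl error text when they differ, None otherwise (including
    for non-binat rules, which this check does not cover).
    """
    m = _BINAT_RE.match(rule.strip())
    if m is None:
        return None
    src = _net(m.group(2))
    redirect = _net(m.group(4))
    if src.version != redirect.version or src.prefixlen != redirect.prefixlen:
        return "binat source mask and redirect mask must be the same"
    return None


if __name__ == "__main__":
    # The settings from the bug report: /24 local, /28 NAT/BINAT, /24 remote.
    bad = "binat on enc0 from 192.168.1.0/24 to 20.0.0.0/24 -> 172.16.44.0/28"
    print("original rule:", pf_mask_check(bad))
    print("validation:", phase2_validation_error("192.168.1.0/24", "172.16.44.0/28"))
    print("generated:", translation_rule("192.168.1.0/24", "172.16.44.0/28", "20.0.0.0/24"))
    print("generated:", translation_rule("192.168.1.0/24", "172.16.44.0/24", "20.0.0.0/24"))
    print("generated:", translation_rule("192.168.1.0/24", "172.16.44.1", "20.0.0.0/24"))
```

With the report's settings the generator returns None instead of the /28 binat line, so `/tmp/rules.debug` never carries a rule that `pf_mask_check` (or pfctl) would reject; a /24 target yields the binat line and a single address yields a plain nat line.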
#6 Updated by Chris Buechler almost 4 years ago

  • Status changed from New to Confirmed
  • Affected Documentation 0 added

#7 Updated by Ermal Luçi over 3 years ago

  • Status changed from Confirmed to Feedback

#8 Updated by Ermal Luçi over 3 years ago

  • % Done changed from 90 to 100

#9 Updated by Chris Buechler over 3 years ago

  • Status changed from Feedback to Resolved

Fixed. Users will need to manually configure outbound NAT as desired in this circumstance.
