Bug #3198
Status: Closed
Subject: IPSEC, when NATing to a different size subnet an invalid NAT rule is made.
% Done: 100%
Description
IPSEC, when NATing to a different size subnet an invalid NAT rule is made.
Reproducible with these phase 2 settings:
Local: 192.168.1.0/24
NAT/BINAT: 172.16.44.0/28
Remote: 20.0.0.0/24
[ There were error(s) loading the rules: /tmp/rules.debug:66: binat source mask and redirect mask must be the same - The line in question reads [66]: binat on enc0 from 192.168.1.0/24 to 20.0.0.0/24 -> 172.16.44.0/28]
Also a localnet of 0.0.0.0 and NATing that to a subnet generates no rule at all.
Also disabled IPsec rules still generate NAT rules.
This can be fixed by: https://github.com/pfsense/pfsense/pull/784
Updated by Josep Pujadas-Jubany over 10 years ago
I confirm this bug for 2.1.4
https://forum.pfsense.org/index.php?topic=78637 (in Spanish)
Difficult to understand how to apply the patch explained at https://github.com/pfsense/pfsense/pull/784
Updated by Christian Renault over 10 years ago
I have this bug on 2.1.4 and after applying the patch described in https://github.com/pfsense/pfsense/pull/784, I have a segmentation fault on the firewall at boot time.
Updated by Christian Renault over 10 years ago
Forgot to add that the VPNs work after the patch, binat is perfect, but my firewall is useless.
Updated by Ermal Luçi over 10 years ago
- Status changed from New to Feedback
This should be fixed on 2.2
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to New
- Target version set to 2.2
This is still an issue. That pull request was not the answer though.
It should suffice (for 2.2) to add input validation on vpn_ipsec_phase2.php to require using matching subnet sizes where you're using "network" for NAT/BINAT. Either your subnet size has to match (binat), or you need to NAT to a single IP.
Or - allow mismatched subnet sizes, but skip the binat in that circumstance (then people can still manually configure their NAT via outbound NAT).
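The constraint in the comment above (pf's binat needs equal-sized source and redirect networks, so the phase 2 NAT/BINAT target must either match the local subnet's prefix length or be a single address) is easy to state as code. The following is an added Python model of that validation and rule decision, written for this page; it is not pfSense's code and does not claim to reproduce what vpn_ipsec_phase2.php or the rule generator actually do. The function names, the enc0 interface and the single-address `nat` form are assumptions; the `binat` form is taken from the pf error message in the description.

```python
import ipaddress

# Constructed phase 2 entries modelled on the bug report: the first one is the
# reporter's failing configuration, the others are the shapes the comment above
# says should be allowed (matching prefix length, or NAT to a single address).
SAMPLE_PHASE2 = [
    {"local": "192.168.1.0/24", "natlocal": "172.16.44.0/28", "remote": "20.0.0.0/24"},
    {"local": "192.168.1.0/24", "natlocal": "172.16.44.0/24", "remote": "20.0.0.0/24"},
    {"local": "192.168.1.0/24", "natlocal": "172.16.44.1", "remote": "20.0.0.0/24"},
    {"local": "192.168.1.0/24", "natlocal": "172.16.44.0/28", "remote": "20.0.0.0/24",
     "disabled": True},
]


def validate_phase2_nat(local, natlocal):
    """Return None when the NAT/BINAT target is usable with pf, else an error string.

    Mirrors the constraint pf enforces when loading a binat rule: the source
    mask and the redirect mask must be the same. A /32 (or /128) target is
    always acceptable because it becomes an ordinary many-to-one nat rule.
    """
    local_net = ipaddress.ip_network(local, strict=False)
    nat_net = ipaddress.ip_network(natlocal, strict=False)
    if local_net.version != nat_net.version:
        return "local network and NAT/BINAT target must be the same address family"
    if nat_net.num_addresses == 1:
        return None
    if nat_net.prefixlen != local_net.prefixlen:
        return (f"binat source mask /{local_net.prefixlen} and redirect mask "
                f"/{nat_net.prefixlen} must be the same; use a matching subnet "
                f"size or NAT to a single address")
    return None


def build_ipsec_nat_rule(local, natlocal, remote, disabled=False, iface="enc0"):
    """Produce the pf rule for one phase 2 entry, or None when no rule applies.

    Raises ValueError on a target pf would reject, so an invalid entry never
    reaches /tmp/rules.debug. Disabled entries generate nothing, which is the
    third symptom listed in the bug description.
    """
    if disabled:
        return None
    error = validate_phase2_nat(local, natlocal)
    if error is not None:
        raise ValueError(error)
    local_net = ipaddress.ip_network(local, strict=False)
    remote_net = ipaddress.ip_network(remote, strict=False)
    nat_net = ipaddress.ip_network(natlocal, strict=False)
    if nat_net.num_addresses == 1:
        # Many-to-one: a plain nat rule (assumed form, not pfSense's exact output).
        return f"nat on {iface} from {local_net} to {remote_net} -> {nat_net.network_address}"
    # One-to-one: the binat form pf complained about in the report.
    return f"binat on {iface} from {local_net} to {remote_net} -> {nat_net}"


def rules_for(entries):
    """Run every entry through the builder, collecting rules and rejections."""
    rules, rejected = [], []
    for entry in entries:
        try:
            rule = build_ipsec_nat_rule(**entry)
        except ValueError as exc:
            rejected.append(f"{entry['natlocal']}: {exc}")
            continue
        if rule is not None:
            rules.append(rule)
    return rules, rejected


if __name__ == "__main__":
    generated, errors = rules_for(SAMPLE_PHASE2)
    for line in generated:
        print("rule:    ", line)
    for line in errors:
        print("rejected:", line)
```

Run as a script, the reporter's /24 -> /28 entry is rejected with a message naming both masks, the /24 -> /24 entry yields the binat rule, the single-address entry yields a nat rule, and the disabled entry yields nothing.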
Updated by Chris Buechler about 10 years ago
- Status changed from New to Confirmed
Updated by Ermal Luçi about 10 years ago
- Status changed from Confirmed to Feedback
Updated by Ermal Luçi about 10 years ago
- % Done changed from 90 to 100
Applied in changeset a8a642c5c8eff62f7beb228b165b9e1e38e3a7c2.
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved
Fixed. Users will need to manually configure outbound NAT as desired in this circumstance.