Bug #3198: IPSEC, when nating to a different size subnet a invalid natting rule is made. - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #3198

closed

IPSEC, when nating to a different size subnet a invalid natting rule is made.

Added by Pi Ba over 10 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

IPsec

Target version:

2.2

Start date:

09/14/2013

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.1

Affected Architecture:

All

Description

IPSEC, when nating to a different size subnet a invalid natting rule is made.

Reproducable with these phase2 settings:
Local: 192.168.1.0/24
NAT/BINAT: 172.16.44.0/28
Remote: 20.0.0.0/24

[ There were error(s) loading the rules: /tmp/rules.debug:66: binat source mask and redirect mask must be the same - The line in question reads [66]: binat on enc0 from 192.168.1.0/24 to 20.0.0.0/24 -> 172.16.44.0/28]

Also a localnet of 0.0.0.0 and natting that to a subnet generates no rule at all..
Also disabled ipsec rules still generate nat rules..

This can be fixed by: https://github.com/pfsense/pfsense/pull/784

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Josep Pujadas-Jubany almost 10 years ago

I confirm this bug for 2.1.4

https://forum.pfsense.org/index.php?topic=78637 (in Spanish)

Difficult to understand how to apply the patch explained at https://github.com/pfsense/pfsense/pull/784

Actions

Copy link

Updated by Christian Renault over 9 years ago

I have this bug on 2.1.4 and after applying the patch described in https://github.com/pfsense/pfsense/pull/784, I have a segmentation fault on the firewall at boot time.

Actions

Copy link

Updated by Christian Renault over 9 years ago

Forgot to add that the VPNs work after the patch, binat is perfect, but my firewall is useless.

Actions

Copy link

Updated by Ermal Luçi over 9 years ago

Status changed from New to Feedback

This should be fixed on 2.2

Actions

Copy link

Updated by Chris Buechler over 9 years ago

Status changed from Feedback to New
Target version set to 2.2

this is still an issue. That pull request was not the answer though.

It should suffice (for 2.2) to add input validation on vpn_ipsec_phase2.php to require using matching subnet sizes where you're using "network" for NAT/BINAT. Either your subnet size has to match (binat), or you need to NAT to a single IP.

Or - allow mismatched subnet sizes, but skip the binat in that circumstance (then people can still manually configure their NAT via outbound NAT).

Actions

Copy link