Bug #3271
closed
NAT UDP to port range creates rdr for all interfaces, and no nat rule.
Added by Harry Coin over 10 years ago.
Updated over 10 years ago.
Description
The nat rule asking for a port forward on one interface (em0/WAN):
INET1MC UDP * * 97.64.213.58 15000 - 15400 192.168.50.78 15000 - 15400
The above set to "pure NAT"
Generated these rules:
rdr on em1 inet proto udp from any to 97.64.213.58 port 15000:15400 -> 192.168.50.78
rdr on em0 inet proto udp from any to 97.64.213.58 port 15000:15400 -> 192.168.50.78
rdr on re2 inet proto udp from any to 97.64.213.58 port 15000:15400 -> 192.168.50.78
rdr on re0 inet proto udp from any to 97.64.213.58 port 15000:15400 -> 192.168.50.78
and no nat rule line.
The effect is packets accepted on the WAN interface, written properly, logged as 'passed' by the filter, then NOT sent out the LAN port (192.169.50.0/24) but just dropped.
Details with packet examples here:
http://forum.pfsense.org/index.php/topic,68125.0.html
2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:37 EDT 2013
FreeBSD 8.3-RELEASE-p11
The same happens when an individual udp port is specified and not a range. rdr rules are created for every interface, not just the requested one.
Looking into it further, I notice that the interface specified on the 'port forward' gui is pretty much ignored. There appears to be an rdr rule entered for every physical or vpn interface (both lan, wan, sync, whatever is plugged in) for each port-forward rule, as if the same port forward rule was entered for each interface hosted on the box.
- Status changed from New to Rejected
that's because you have reflection on, that's how reflection works.
And, looking it to it even further, even though 'pure nat' was asked for, rules.debug shows:
- NAT Inbound Redirects
rdr on em1 proto udp from any to 192.168.50.1 port 15000:15450 -> 192.168.50.78
- Reflection redirect
rdr on { em0 re2 re0 openvpn } proto udp from any to 192.168.50.1 port 15000:15450 -> 192.168.50.78
(em1->'wan', em0->'lan', the rest are either pfsync and disused/idle.
I think it is an artifact of the 'pure nat' vs. proxy. the 'PREFLECT' thing does not appear on the 'pure nat' but does (properly) on the nat+proxy. On pure nat there should be no rules affecting other than the specified interface.
Chris, check again. When 'pure nat' is specified nevertheless the rdr rule is emitted on the other interfaces.
Upon examination, I see that on the nat reflection 'disable' doesn't emit the rdr on the other interfaces, while 'pure nat' does. While 'pure nat + proxy' adds the PRREFLECT. Maybe if the language of the options was changed others wouldn't hit the same confusion I did. How about:
Nat Reflection: Use System Default, Enable Reflection with proxy on all other interfaces, Enable Reflection without proxy on all other interfaces, Only forward the specified interface.
Also available in: Atom
PDF
Updated by 
Updated by