Bug #3331
Status: closed
Rules to pass out traffic for Proxy ARP VIP entries have an incorrect destination
% Done: 100%
Description
On 2.1 some rules are generated on an interface (e.g. WAN) to pass out traffic for Proxy ARP VIP addresses. These rules look like this:
pass out route-to ( em0 [gateway_ip] ) from [parp_vip] to ![parp_vip]/32 keep state allow-opts label "let out anything from firewall host itself"
However, the destination for that rule should not be "![parp_vip]/32" but "![interface_subnet_id]/[interface_subnet_mask]".
For example:
pass out route-to ( em0 192.0.2.1 ) from 192.0.2.55 to !192.0.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
As a consequence, traffic from a 1:1 NAT host using one of these VIPs is unable to reach hosts in the WAN subnet, depending on how the gateway handles the packets, since the packets are directed at the gateway rather than sent directly. The case is less clear if the VIP lies outside any subnet that exists on the firewall.
A similar issue is possible with IP Alias VIPs, but with IP Alias VIPs the subnet mask on the VIP can be changed to match the interface, negating the issue.
As a temporary workaround, a floating rule can be added on WAN to pass quick out to the WAN subnet.
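To make the effect of the wrong destination concrete, here is an added example (not code from this report or from the project) that renders the rule both ways, evaluates whether a packet from the VIP to a given destination would be caught by the route-to rule, and scans a constructed rule listing for rules whose negated destination is only the VIP /32. The interface name, gateway, VIP and subnet values are the ones from the report above; the rule listing is constructed here.

```python
import ipaddress
import re

# Constructed sample of generated rules: one with the buggy destination, one corrected.
SAMPLE_RULES = """\
pass out route-to ( em0 192.0.2.1 ) from 192.0.2.55 to !192.0.2.55/32 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 192.0.2.1 ) from 192.0.2.56 to !192.0.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
"""

RULE_RE = re.compile(
    r'^pass out route-to \( (?P<iface>\S+) (?P<gw>\S+) \) '
    r'from (?P<vip>\S+) to !(?P<dst>\S+) keep state', re.M)

def render_rule(iface, gateway_ip, vip, iface_subnet, fixed=True):
    """Render the Proxy ARP VIP pass-out rule as 2.1 emits it (fixed=False, '!vip/32')
    or with the corrected destination (fixed=True, '!<interface subnet>')."""
    net = ipaddress.ip_network(iface_subnet, strict=False)
    dst = f"!{net}" if fixed else f"!{vip}/32"
    return (f"pass out route-to ( {iface} {gateway_ip} ) from {vip} to {dst} "
            'keep state allow-opts label "let out anything from firewall host itself"')

def sent_to_gateway(rule, dst_ip):
    """True if a packet from the VIP to dst_ip matches the rule's destination and is
    therefore handed to the gateway by route-to instead of being delivered directly."""
    m = RULE_RE.match(rule)
    excluded = ipaddress.ip_network(m["dst"], strict=False)
    return ipaddress.ip_address(dst_ip) not in excluded

def find_affected(rules_text):
    """Return the VIPs of route-to rules whose negated destination is just the VIP /32,
    i.e. rules that still carry the incorrect destination described in the report."""
    hits = []
    for m in RULE_RE.finditer(rules_text):
        dst = ipaddress.ip_network(m["dst"], strict=False)
        if dst.prefixlen == 32 and str(dst.network_address) == m["vip"]:
            hits.append(m["vip"])
    return hits

if __name__ == "__main__":
    buggy = render_rule("em0", "192.0.2.1", "192.0.2.55", "192.0.2.0/24", fixed=False)
    fixed = render_rule("em0", "192.0.2.1", "192.0.2.55", "192.0.2.0/24")
    print(sent_to_gateway(buggy, "192.0.2.77"))  # True: WAN-subnet host is sent via the gateway
    print(sent_to_gateway(fixed, "192.0.2.77"))  # False: delivered directly on em0
    print(find_affected(SAMPLE_RULES))           # ['192.0.2.55']
```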
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset d3b17c9a0b111ce20869f226322365324e0da4ce.
Updated by Renato Botelho about 11 years ago
Applied in changeset 82d1a33e4a0a9e1988277fcd4f9401355a9b4fee.
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved