Bug #3331

Rules to pass out traffic for Proxy ARP VIP entries have an incorrect destination

Added by Jim Pingle about 11 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Start date: 11/19/2013
% Done: 100%
Affected Version: 2.1

Description

On 2.1 some rules are generated on an interface (e.g. WAN) to pass out traffic for Proxy ARP VIP addresses. These rules look like so:

pass out route-to ( em0 [gateway_ip] ) from [parp_vip] to ![parp_vip]/32 keep state allow-opts label "let out anything from firewall host itself"

However, the destination for that rule should not be "![parp_vip]/32" but "![interface_subnet_id]/[interface_subnet_mask]".

For example:

pass out route-to ( em0 192.0.2.1 ) from 192.0.2.55 to !192.0.2.0/24 keep state allow-opts label "let out anything from firewall host itself"

As a consequence, traffic from a 1:1 NAT host using one of these VIPs is unable to reach hosts in the WAN subnet, depending on how the gateway handles the packets, since the packets are directed at the gateway rather than delivered directly. The case is less clear when the VIP lies outside any subnet that exists on the firewall.

A similar issue is possible with IP Alias VIPs, but with IP Alias VIPs the subnet mask on the VIP can be changed to match the interface, negating the issue.

As a temporary workaround, a floating rule can be added on WAN to pass quick out to the WAN subnet.
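The following is an added example, not pfSense's own rule generator: it builds the pass-out rule both ways (the 2.1 "![parp_vip]/32" destination and the corrected "!subnet/mask" destination), then evaluates only the "to" clause to show which destinations each rule forces through the gateway. The interface, gateway, VIP and subnet values are the constructed 192.0.2.0/24 addresses from the example above; the WAN-side host 192.0.2.20 and the remote host 198.51.100.7 are additional constructed addresses.

```python
"""Illustrate the #3331 Proxy ARP VIP 'pass out' destination bug (added example)."""
import ipaddress


def build_pass_out_rule(iface, gateway_ip, vip, iface_subnet, fixed):
    """Return the generated pf rule text.

    fixed=False reproduces the 2.1 behaviour (destination negates only the
    VIP /32); fixed=True negates the interface subnet, as the report says
    it should.
    """
    dest = f"!{iface_subnet}" if fixed else f"!{vip}/32"
    return (f"pass out route-to ( {iface} {gateway_ip} ) from {vip} to {dest} "
            f'keep state allow-opts label "let out anything from firewall host itself"')


def rule_matches_destination(rule, dst):
    """Evaluate only the standalone 'to' clause of the rule against dst.

    'route-to' is a single token, so the first bare 'to' is the destination
    keyword. A leading '!' negates the network, as in pf syntax.
    """
    tokens = rule.split()
    spec = tokens[tokens.index("to") + 1]
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    inside = ipaddress.ip_address(dst) in net
    return (not inside) if negate else inside


def forced_via_gateway(dst, fixed):
    """True when traffic from the VIP to dst hits the route-to rule and is
    therefore handed to the gateway instead of delivered on the WAN subnet.

    Constructed values: em0 / 192.0.2.1 / 192.0.2.55 / 192.0.2.0/24.
    """
    rule = build_pass_out_rule("em0", "192.0.2.1", "192.0.2.55", "192.0.2.0/24", fixed)
    return rule_matches_destination(rule, dst)


if __name__ == "__main__":
    # 192.0.2.20: a host on the WAN subnet; 198.51.100.7: a remote host.
    for dst in ("192.0.2.20", "198.51.100.7"):
        print(dst, "buggy rule forces via gateway:", forced_via_gateway(dst, False),
              "| fixed rule forces via gateway:", forced_via_gateway(dst, True))
```

With the buggy rule, the WAN-subnet host 192.0.2.20 is sent to the gateway; with the corrected rule it is not, while off-subnet destinations are routed via the gateway in both cases.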
