Bug #3331 (status: closed)
Rules to pass out traffic for Proxy ARP VIP entries have an incorrect destination
Description
On 2.1 some rules are generated on an interface (e.g. WAN) to pass out traffic for Proxy ARP VIP addresses. These rules look like so:
pass out route-to ( em0 [gateway_ip] ) from [parp_vip] to ![parp_vip]/32 keep state allow-opts label "let out anything from firewall host itself"
However, the destination for that rule should not be "![parp_vip]/32" but "![interface_subnet_id]/[interface_subnet_mask]".
For example:
pass out route-to ( em0 192.0.2.1 ) from 192.0.2.55 to !192.0.2.0/24 keep state allow-opts label "let out anything from firewall host itself"
As a consequence of this, traffic from a 1:1 NAT host using one of these VIPs is unable to reach hosts in the WAN subnet, depending on how the gateway handles the packets, since the packets are directed at the gateway rather than sent directly to the subnet. The case is less clear if the VIP lies outside of a subnet that exists on the firewall.
A similar issue is possible with IP Alias VIPs but with IP Alias VIPs the subnet mask on the VIP can be changed to match the interface, negating the issue.
As a temporary workaround, a floating rule can be added on WAN to pass quick out to the WAN subnet.
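The following is an added example, not code from the bug report or from pfSense: it derives the interface subnet from an interface address and mask length with Python's ipaddress module, builds the pass-out rule with the corrected destination described above, and flags generated rules whose negated destination is something other than the interface subnet (such as the VIP's own /32). The WAN interface address 192.0.2.2 is an assumption, since the report only gives the subnet 192.0.2.0/24 and gateway 192.0.2.1; the regex only recognises the fixed rule layout quoted in the report and is not a general pf rule parser.

```python
import ipaddress
import re

# Shape of the generated rule quoted in the report (assumption: only this fixed
# layout is handled; this is not pfSense's own rule parser).
RULE_RE = re.compile(
    r"^pass out route-to \( (?P<ifname>\S+) (?P<gateway>\S+) \) "
    r"from (?P<src>\S+) to !(?P<dst>\S+) keep state"
)


def interface_subnet(if_address, prefixlen):
    """Subnet the interface sits in, derived from its address and mask length."""
    return ipaddress.ip_network(f"{if_address}/{prefixlen}", strict=False)


def proxy_arp_vip_pass_out_rule(ifname, gateway_ip, vip, if_subnet):
    """Rule with the corrected destination: everything except the interface subnet,
    so traffic to hosts in that subnet is not forced via the gateway."""
    return (
        f"pass out route-to ( {ifname} {gateway_ip} ) from {vip} "
        f"to !{if_subnet.with_prefixlen} keep state allow-opts "
        f'label "let out anything from firewall host itself"'
    )


def negated_destination_is_wrong(rule, if_subnet):
    """True when the rule negates something other than the interface subnet
    (e.g. the VIP's own /32 as in the bug), False when it matches the subnet,
    None when the line is not a rule of the recognised shape."""
    m = RULE_RE.match(rule)
    if m is None:
        return None
    dst = ipaddress.ip_network(m.group("dst"), strict=False)
    return dst != if_subnet


if __name__ == "__main__":
    # Assumed WAN address; the report gives only the subnet and gateway.
    wan = interface_subnet("192.0.2.2", 24)
    fixed = proxy_arp_vip_pass_out_rule("em0", "192.0.2.1", "192.0.2.55", wan)
    buggy = (
        "pass out route-to ( em0 192.0.2.1 ) from 192.0.2.55 to !192.0.2.55/32 "
        'keep state allow-opts label "let out anything from firewall host itself"'
    )
    print("fixed rule :", fixed)
    print("buggy flagged:", negated_destination_is_wrong(buggy, wan))
    print("fixed flagged:", negated_destination_is_wrong(fixed, wan))
```

Running the check over the rules in /tmp/rules.debug (or `pfctl -sr` output) with the real WAN subnet would show exactly which Proxy ARP VIP rules carry the /32 destination described in this report.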