Bug #3528: Internally generated automatic outbound NAT rules not the same as those generated when Manual is clicked
Status: Closed
% Done: 100%
Description
Ref forum: https://forum.pfsense.org/index.php?topic=73727.0
The 2.1.1 code in /etc/inc/filter.inc, filter_nat_rules_generate, has code that does not generate NAT rules out of any "ovpn" interface:
Line 1679 (as at time of posting):
    foreach ($FilterIflist as $if => $ifcfg) {
        // skip any interface whose OS device name starts with "ovpn"
        if (substr($ifcfg['if'], 0, 4) == "ovpn")
            continue;
        ...
But /usr/local/www/firewall_nat_out.php at line 83, 'case "advancedoutboundnat":', has its own code to generate a first set of manual rules when the user changes from Automatic to Manual and presses Save. This code has nothing special to exclude "ovpn", and so it generates NAT rules to NAT out of any interface that has a gateway.
See Bug #1216 for where this exclusion of NAT out on OpenVPN was introduced.
The master (2.2) code has re-engineered this stuff. It looks like it excludes "ovpn" when generating the first set of manual rules, and also when making automatic NAT rules at run-time in filter.inc - at least the behavior is consistent.
The behavior should be made consistent in 2.1.1. But actually it seems reasonable to me that an OpenVPN that has been assigned to its own interface and has a gateway set should have automatic NAT done on the way out, since it is likely to be a genuine way out to the internet?
Anyway, I think I have given enough info here. It needs a design decision as to which way to go to make it consistent.
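The divergence described above, as an added example that is not code from pfSense or from the reporter. It models the two rule-generation paths over a constructed interface list and shows which interface only gets an outbound NAT rule after the switch to Manual. Everything here is a stand-in: the shape of $FilterIflist, the assumption that the automatic path also requires a gateway, and the function names are all constructed for the example; the only thing taken from the page is the exclusion test substr($ifcfg['if'], 0, 4) == "ovpn".

```php
<?php
// Added example, not pfSense code: a minimal model of the two outbound-NAT
// rule-generation paths the report compares, run over a constructed list.

// Constructed stand-in for pfSense's $FilterIflist (assumed shape:
// friendly name => ['if' => OS device name, 'gateway' => gateway name or '']).
$FilterIflist = [
    'wan'  => ['if' => 'em0',    'gateway' => 'WAN_DHCP'],
    'lan'  => ['if' => 'em1',    'gateway' => ''],           // no gateway: never a NAT-out target
    'opt1' => ['if' => 'ovpnc1', 'gateway' => 'OPT1_VPNV4'], // OpenVPN client assigned as an interface
    'opt2' => ['if' => 'pppoe0', 'gateway' => 'OPT2_PPPOE'],
];

// Model of the run-time automatic path in filter.inc: skip ovpn* devices,
// then (assumed here) require a gateway, as the manual path does.
function auto_nat_out_ifaces(array $iflist): array
{
    $out = [];
    foreach ($iflist as $if => $ifcfg) {
        if (substr($ifcfg['if'], 0, 4) == "ovpn")
            continue;
        if (empty($ifcfg['gateway']))
            continue;
        $out[] = $if;
    }
    return $out;
}

// Model of the 2.1.1 Automatic -> Manual seed in firewall_nat_out.php:
// every interface with a gateway, with no ovpn exclusion.
function manual_seed_ifaces_211(array $iflist): array
{
    $out = [];
    foreach ($iflist as $if => $ifcfg) {
        if (empty($ifcfg['gateway']))
            continue;
        $out[] = $if;
    }
    return $out;
}

// One shared predicate so the two paths cannot drift apart again. The flag
// is the design decision the report leaves open: whether an assigned
// OpenVPN interface with a gateway should be NATed out of.
function nat_out_candidate(array $ifcfg, bool $nat_over_openvpn): bool
{
    if (empty($ifcfg['gateway']))
        return false;
    if (!$nat_over_openvpn && substr($ifcfg['if'], 0, 4) == "ovpn")
        return false;
    return true;
}

function consistent_ifaces(array $iflist, bool $nat_over_openvpn): array
{
    $out = [];
    foreach ($iflist as $if => $ifcfg) {
        if (nat_out_candidate($ifcfg, $nat_over_openvpn))
            $out[] = $if;
    }
    return $out;
}

$auto   = auto_nat_out_ifaces($FilterIflist);
$manual = manual_seed_ifaces_211($FilterIflist);

echo "automatic (filter.inc model):         " . implode(', ', $auto) . "\n";
echo "manual seed (firewall_nat_out model): " . implode(', ', $manual) . "\n";
// Interfaces that get a NAT-out rule only after switching to Manual:
echo "only in manual seed:                  " . implode(', ', array_diff($manual, $auto)) . "\n";

// Same predicate on both sides, whichever way the decision goes:
echo "consistent, OpenVPN excluded:         " . implode(', ', consistent_ifaces($FilterIflist, false)) . "\n";
echo "consistent, OpenVPN included:         " . implode(', ', consistent_ifaces($FilterIflist, true)) . "\n";
```

Run with `php example.php`; the "only in manual seed" line names the assigned OpenVPN interface, which is exactly the difference the report describes. Whichever way the design decision goes, routing both generators through a single predicate such as nat_out_candidate() is what keeps the automatic rules and the first set of manual rules identical.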
Updated by Renato Botelho over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset e538fc18448bc2444ea3dce995aa90b717459043.
Updated by Renato Botelho over 10 years ago
- Status changed from Feedback to Resolved