Bug #3528

closed

Internally generated automatic outbound NAT rules not the same as those generated when Manual is clicked

Added by Phillip Davis over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version:
Start date: 03/18/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

Ref forum: https://forum.pfsense.org/index.php?topic=73727.0
The 2.1.1 code in /etc/inc/filter.inc filter_nat_rules_generate has code to not generate NAT rules to any "ovpn" interface:
Line 1679 (as at time of posting):
foreach ($FilterIflist as $if => $ifcfg) {
    if (substr($ifcfg['if'], 0, 4) == "ovpn")
        continue;
    ...

But /usr/local/www/firewall_nat_out.php at line 83 'case "advancedoutboundnat":' has its own code to generate a first set of manual rules when the user changes from Automatic to Manual and presses Save. This code has nothing special to exclude "ovpn", and so it generates NAT rules to NAT out of any interface that has a gateway.

See Bug #1216 for where this exclusion of NAT out on OpenVPN was introduced.

The master (2.2) code has re-engineered this stuff. It looks like it excludes "ovpn" when generating the first set of manual rules, and also when making automatic NAT rules at run-time in filter.inc - at least the behavior is consistent.

The behavior should be made consistent in 2.1.1. But actually it seems reasonable to me that an OpenVPN that has been assigned to its own interface and has a gateway set should have automatic NAT done on the way out; it is likely to be a genuine way out to the internet?

Anyway, I think I have given enough info here. It needs a design decision as to which way to go to make it consistent.
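The following is an added example, not pfSense code and not from the reporter: it models the two outbound-NAT generators the report compares (the run-time automatic path in filter.inc, which skips "ovpn" interfaces, and the one-shot manual rule set from firewall_nat_out.php, which does not) over a constructed interface list, so the inconsistency can be reproduced in one run. `$FilterIflist` and `$ifcfg['if']` come from the report; the `gateway` key, the interface names, and the `nat_out_eligible` helper are assumptions made for the example.

```php
<?php
// Added example (not pfSense code). Models the two code paths described in
// the report so the inconsistency between them is visible in a single run.

// Constructed interface list. The 'if' key is the real device name as in the
// report; the 'gateway' key is an assumption standing in for "has a gateway".
$FilterIflist = [
    'wan'  => ['if' => 'em0',    'gateway' => '203.0.113.1'], // constructed
    'lan'  => ['if' => 'em1',    'gateway' => ''],            // no gateway
    'opt1' => ['if' => 'ovpnc1', 'gateway' => '10.8.0.1'],    // OpenVPN assigned to an interface
];

// Single eligibility decision (hypothetical helper, not in pfSense). Whatever
// the design decision turns out to be, consistency follows from both
// generators calling the same predicate with the same $skip_ovpn value.
function nat_out_eligible(array $ifcfg, bool $skip_ovpn): bool {
    // Only interfaces with a gateway get automatic outbound NAT.
    if ($ifcfg['gateway'] === '')
        return false;
    // The check quoted from filter.inc line 1679 in the report.
    if ($skip_ovpn && substr($ifcfg['if'], 0, 4) == "ovpn")
        return false;
    return true;
}

// Path 1: run-time automatic rules in filter.inc (2.1.1): "ovpn" is skipped.
function automatic_nat_interfaces(array $iflist): array {
    $out = [];
    foreach ($iflist as $if => $ifcfg) {
        if (nat_out_eligible($ifcfg, true))
            $out[] = $if;
    }
    return $out;
}

// Path 2: first manual rule set built by firewall_nat_out.php (2.1.1) when
// switching Automatic -> Manual: no "ovpn" exclusion at all.
function manual_nat_interfaces(array $iflist): array {
    $out = [];
    foreach ($iflist as $if => $ifcfg) {
        if (nat_out_eligible($ifcfg, false))
            $out[] = $if;
    }
    return $out;
}

$auto   = automatic_nat_interfaces($FilterIflist);
$manual = manual_nat_interfaces($FilterIflist);

printf("automatic (filter.inc):          %s\n", implode(', ', $auto));
printf("manual (firewall_nat_out.php):   %s\n", implode(', ', $manual));
printf("NAT'd only by the manual set:    %s\n", implode(', ', array_diff($manual, $auto)));
```

Run with `php example.php`. The last line lists the OpenVPN-assigned interface, which receives an outbound NAT rule only when the manual set is generated; changing the second call to pass the same `$skip_ovpn` value as the first makes the two lists identical, which is the consistency the report asks for, independent of which direction the design decision takes.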
