Bug #4765

closed

NAT Reflection (Pure NAT) rules not setup for traffic originating from same subnet as final destination

Added by Granger Godbold almost 10 years ago. Updated about 5 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: NAT Reflection
Target version: -
Start date: 06/16/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

On "System: Advanced: Firewall and NAT", in the "Network Address Translation" section, the checkbox labeled "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from." is not working. pfSense is not adding in the necessary "nat-to" rule, like what is instructed here: http://www.openbsd.org/faq/pf/rdr.html#reflect

I have looked at the output of pfctl -s nat to confirm that pfSense essentially just copies the WAN's rule over to my other interfaces. I have tried both enabling Pure NAT at a NAT rule, and also globally (up above the checkbox mentioned in the above paragraph). Both yield identical results from pfctl. No "rdr ... nat-to" rule shows up to fix the source address+port, so same-subnet NAT reflection doesn't work. NAT'ing across subnets works fine, though.

I have also searched "/etc/inc/filter.inc" in pfSense, and I cannot find any code that would appear to implement such functionality. I found the spot that creates the rules that pfSense generates now, however: lines 2099 through 2104. There's nothing in there to create the necessary rule to fully implement the functionality promised by the previously-mentioned checkbox. (Personally, I'm not sure why one would have a checkbox for such functionality; it seems like you don't have complete NAT Reflection without it working from the same subnet.)

If more details are desired, I have more from when I tried my luck in the forums: https://forum.pfsense.org/index.php?topic=94881.0 Unfortunately, no one there knows enough to help.
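The two-rule reflection pattern the description refers to, written in the FreeBSD pf syntax that pfSense's ruleset uses rather than the OpenBSD `rdr-to`/`nat-to` syntax of the linked FAQ. This is an added illustration, not pfSense's generated ruleset; the interface names and addresses are constructed, and the filter (`pass`) rules that would also be needed are omitted.

```pf
# Constructed example values; not taken from any real ruleset.
ext_if  = "em0"              # WAN
int_if  = "em1"              # LAN
int_net = "192.168.1.0/24"
server  = "192.168.1.40"     # LAN web server behind the port forward

# Ordinary port forward: clients on the WAN reach the server through
# the WAN address.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server

# Reflection, step 1: a LAN client that connects to the WAN address is
# redirected to the server too. This is the inbound half only; it is
# the WAN rule repeated on the LAN interface.
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $server

# Reflection, step 2: rewrite the client's source address to the LAN
# interface address so the server's replies return through the
# firewall and are un-translated there. Without this rule the server
# answers the client directly from 192.168.1.40; the client expected a
# reply from the WAN address, so the connection never completes.
nat on $int_if proto tcp from $int_net to $server port 80 -> ($int_if)
```

Comparing `pfctl -s nat` output against this pattern shows whether both halves are present for a given interface: the `rdr` line alone gives cross-subnet reflection, and the matching `nat on` line is what makes the same-subnet case work.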

Actions #1

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Not a Bug
  • Affected Version deleted (2.2.2)

Replied back in your forum thread; you're looking for something that won't exist, but where the "Enable automatic outbound NAT for Reflection" box is checked you'll get "nat on ..." to accommodate that.

Actions #2

Updated by Granger Godbold almost 10 years ago

I don't understand the meaning of "looking for something that won't exist" considering that the rest of your comment indicates that it should.

You appear to be responding entirely from memory, because the "Enable automatic outbound NAT for Reflection" is the exact checkbox I referenced. The text you quoted labels the section, and the text I quoted is the label on the checkbox itself; we're talking about the same exact checkbox.

I've already done the leg-work to show that the checkbox does not perform the operation that it says it performs. Is there another spot in the code besides "filter.inc" that generates rules for "pf" ( https://doc.pfsense.org/index.php/How_can_I_edit_the_PF_ruleset )? Or, is it by-design that pfSense does not support full NAT Reflection (even though "pf" does)?

Either pfSense needs to have a bug fixed, or the checkbox needs to be removed so the current behavior can be considered as "not a bug".

Actions #3

Updated by Chris Buechler almost 10 years ago

It works fine. Keep the discussion of support issues on the forum please. I replied back there again.

Actions #4

Updated by Charles Ross about 5 years ago

I know this is an old issue, but I am hitting the same problem as the OP here.
I followed up on the thread as well... but if anyone would like to work with me to try to identify the source of this issue, I would be happy to try and help.

My findings (why I think this is actually a bug, etc.) are here:
https://docs.google.com/document/d/1DCtqI2q3RlaK6HkTgp_xFw6poxWg6wiJlzw0V7lDtGU/edit?usp=sharing
