Bug #4772
L2TP + "Enable automatic outbound NAT for Reflection" + L2TP subnet overlapping + Port forwards can lead to a broken ruleset
Status: closed
Start date: 06/17/2015
% Done: 100%
Affected Version: 2.2.x
Affected Architecture: All
Description
If the L2TP subnet overlaps a subnet that contains a port forward target, and automatic outbound NAT for reflection is enabled, then an invalid ruleset can be generated:
From "pfctl -f /tmp/rules.debug":

no IP address found for l2tp
/tmp/rules.debug:129: could not parse host specification
no IP address found for l2tp
/tmp/rules.debug:137: could not parse host specification

From "grep -ni l2tp /tmp/rules.debug" (relevant lines only):

129:no nat on l2tp proto tcp from l2tp to $somewhere port $blah
137:no nat on l2tp proto tcp from l2tp to $somewhere port $blah2
In this context "l2tp" is not valid as a "from" specification.
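To make the failure mode concrete, here is an added example (not part of the bug report and not pfSense code) that mimics the host-specification check pfctl performs at parse time and then shows a rule rewritten the way a generated rule would need to look. The rule lines, the interface table (em0 with an address, the l2tp group with none) and the L2TP client subnet 10.0.9.0/24 are all constructed assumptions; the line numbers it reports are positions in the sample list, not the 129/137 of the reporter's file.

```python
import ipaddress
import re

# Constructed rules in the shape of the quoted rules.debug excerpt
# (assumed sample, not the reporter's actual file).
RULES = [
    "nat on em0 from 10.0.0.0/24 to any -> (em0)",
    "no nat on l2tp proto tcp from l2tp to $somewhere port $blah",
    "no nat on l2tp proto tcp from l2tp to $somewhere port $blah2",
    "rdr on em0 proto tcp from any to 192.0.2.10 port 80 -> 10.0.0.5",
]

# Assumed interface table: which names pf could resolve to an address.
# pf treats an interface name in a host position as "the addresses of that
# interface"; the l2tp group carries none, which is the situation behind
# "no IP address found for l2tp".
IFACE_ADDRS = {
    "em0": ["192.0.2.1"],
    "l2tp": [],
}

# Host positions in a nat/rdr/filter rule: "from X" and "to X".
HOST_RE = re.compile(r"\b(from|to)\s+(!?)(\S+)")


def host_problems(rule, iface_addrs=IFACE_ADDRS):
    """Return (position, token, reason) for each host spec pf could not resolve."""
    problems = []
    for m in HOST_RE.finditer(rule):
        pos, token = m.group(1), m.group(3)
        # Keyword, macro or table: resolved elsewhere, never a parse error here.
        if token == "any" or token.startswith("$") or token.startswith("<"):
            continue
        name = token.strip("()")  # "(em0)" means "track em0's address"
        if name in iface_addrs:
            if not iface_addrs[name]:
                problems.append((pos, token, f"no IP address found for {name}"))
            continue
        # Anything else must be an address or network. (Real pf would also
        # try DNS on a bare hostname; this simplified check does not.)
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            problems.append((pos, token, "could not parse host specification"))
    return problems


def lint(rules, iface_addrs=IFACE_ADDRS):
    """Pre-flight check over a rule list: (line_no, message) per bad host spec."""
    out = []
    for n, rule in enumerate(rules, 1):
        for pos, token, reason in host_problems(rule, iface_addrs):
            out.append((n, f"{reason} in '{pos} {token}'"))
    return out


def fix_l2tp_source(rule, l2tp_subnet):
    """Replace a bare 'from l2tp' with the L2TP client subnet (assumed corrected form)."""
    net = ipaddress.ip_network(l2tp_subnet)
    return re.sub(r"\bfrom l2tp\b", f"from {net}", rule)


if __name__ == "__main__":
    for line_no, msg in lint(RULES):
        print(f"rules.debug:{line_no}: {msg}")
    fixed = [fix_l2tp_source(r, "10.0.9.0/24") for r in RULES]
    print("after rewrite:", lint(fixed) or "no host specification problems")
```

Running it flags the two "from l2tp" rules exactly where pfctl does, and after substituting the L2TP subnet for the interface name the same check passes. The practical takeaway is the same as the report's: an interface name is only usable as a host in a pf rule when pf can find an address on it, so a generator must emit the subnet, not the group name.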