Bug #7004
closed
[2.3.3] NAT no longer respects interface selection
Added by Kill Bill about 9 years ago.
Updated about 9 years ago.
Affected Architecture:
All
Description
Dunno guys when this regressed, however NAT rules apply on ALL interfaces, no matter what you select. Say, you follow the howto here to redirect DNS on a WLAN to pfSense: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
The result being this:
rdr on ath0_wlan0 inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on ath0_wlan0 inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on igb0 inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on igb0 inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on igb2 inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on igb2 inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on gif0 inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on gif0 inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on enc0 inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on enc0 inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on openvpn inet proto tcp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
rdr on openvpn inet proto udp from any to ! <DNS_Servers> port = domain -> 127.0.0.1
$ cat /etc/version.{buildtime,lastcommit}
Fri Dec 09 09:47:40 CST 2016
803c97685fef85f35a6cf781143259458486c34a
Doing this from LAN machine (remember, the redirection is supposed to happen on WLAN):
# dig www.google.com @8.8.8.8
; <<>> DiG 9.9.8-P4 <<>> www.seznam.cz @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached
After disabling the NAT rule on WLAN interface, DNS resolution to outside DNS servers immediately works:
# dig @8.8.8.8 www.google.com
; <<>> DiG 9.9.8-P4 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 299 IN A 172.217.23.196
;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 12 13:24:03 CET 2016
;; MSG SIZE rcvd: 59
- Category set to Rules / NAT
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
I can't reproduce this on current snapshots with 2.3.3 or 2.4, can you show the XML for that rule in config.xml? And what shows up in /tmp/rules.debug? I've tried creating a new rule and editing an existing rule but they all show up as expected.
Is the output you show for the rules "pfctl -sn" or something else?
The rule from config.xml:
<rule>
<source>
<any></any>
</source>
<destination>
<address>DNS_Servers</address>
<not></not>
<port>53</port>
</destination>
<protocol>tcp/udp</protocol>
<target>127.0.0.1</target>
<local-port>53</local-port>
<interface>opt2</interface>
<descr><![CDATA[Redirect all other DNS]]></descr>
<associated-rule-id>nat_584dd154030707.21365541</associated-rule-id>
</rule>
Relevant stuff from /tmp/rules.debug:
# NAT Inbound Redirects
rdr on ath0_wlan0 proto { tcp udp } from any to ! $DNS_Servers port 53 -> 127.0.0.1
# Reflection redirect
rdr on { igb0 igb2 gif0 enc0 openvpn } proto { tcp udp } from any to ! $DNS_Servers port 53 -> 127.0.0.1
And yes, the output is from `pfctl -sn`
What options do you have configured for NAT Reflection under System > Advanced, Firewall & NAT?
- Status changed from Feedback to Not a Bug
- Assignee set to Jim Pingle
The extra interfaces are coming from NAT reflection and it doesn't appear to be a regression, but a quirk of having reflection on with that type of rule. It's doing exactly what it's told to do, but it's a bit confused because of the different syntax required for that redirect rule. The same behavior happens on 2.3.2, 2.3.3, and 2.4 with reflection and multiple local interfaces.
The best thing to do would be to set "NAT Reflection" = "Disable" in the settings for that NAT rule which will force it to the intended behavior. I'll update the wiki doc with that setting momentarily.
Well perhaps this should be left open till it's somehow fixed, sending packets coming from completely unrelated interfaces to a blackhole certainly is completely unexpected and not a feature.
Jim Pingle wrote:
The best thing to do would be to set "NAT Reflection" = "Disable" in the settings for that NAT rule which will force it to the intended behavior. I'll update the wiki doc with that setting momentarily.
Thanks, this works.
There isn't anything to fix. Logically, it's acting as intended. That's what NAT reflection does -- it redirects anything that matches the destination on other local interfaces to the port forward target. As to why it didn't function, that may be due to settings in the DNS Resolver/Forwarder not answering queries for those other segments.
Either way, the 'fix' is to not use reflection with that type of rule.
The resolver is answering queries just fine on LAN. Until you set up a NAT rule on WLAN. Sorry, but this behavior is absurd and anything but logical.
P.S. The wiki article screenshotis missing the "Invert Match" checkbox.
Screenshot is fixed.
It may seem absurd to you but what else should it do? There isn't any programmatic way for it to know that isn't what you wanted it to do. It's a NAT rule, reflection was enabled, so it setup reflection rules as it was told to do. It was a configuration error, not a bug.
If the target was allowed to receive and process traffic in all other aspects (e.g. traffic not blocked to 127.0.0.1 on the other interfaces, resolver allowed to answer queries, etc), it would have functioned fine and reflected the traffic on all interfaces that received reflection rules.
Also available in: Atom
PDF
Updated by Kill Bill 
Updated by 