Bug #7614
Port forwards where the destination is a network alias can create invalid reflection rules if multiple subnets are in that alias.
Status: Closed
Start date: 05/30/2017
% Done: 0%
Affected Version: All
Affected Architecture: All
Description
For example, if the chosen destination is 'WAN net' and there is a VIP on the WAN in a different subnet.
NAT reflection is enabled and "Enable automatic outbound NAT for Reflection" is also enabled.
The rules created might be:
- NAT Inbound Redirects
rdr on igb1 proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10 - Reflection redirect
rdr on { igb0 igb4_vlan1002 igb5_vlan1003 openvpn } proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10
no nat on igb0 proto tcp from igb0 to 192.168.211.10 port 175.65.58.9/32
nat on igb0 proto tcp from 192.168.211.0/24 to 192.168.211.10 port 175.65.58.9/32 -> 192.168.211.1 port 1024:65535
The additional IP/subnet is placed in the port variable position resulting in an invalid ruleset.
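The following is an added example, not code from pfSense or from the reporter. It models, in Python rather than pfSense's PHP, what the reflection rule generator should emit when the destination alias expands to several networks: the destination list is rendered in braces while the port stays a separate field, so it can never end up in the `port` position. It also includes a small validator that flags any pf rule whose `port` keyword is followed by something other than a numeric port or range, and runs it over the invalid rules quoted in the report (comment markers stripped). The `PortForward` fields and the rule layout are this example's own assumptions, and the validator assumes pfSense's generated rules use numeric ports, as the report's rules do.

```python
import re
from dataclasses import dataclass

# Constructed input modelled on the report: a port forward on igb1 (WAN)
# whose destination alias expands to two networks, with NAT reflection and
# automatic outbound NAT for reflection enabled. Field names are this
# example's own, not pfSense's config schema.
@dataclass
class PortForward:
    wan_if: str
    proto: str
    dst_networks: list      # expanded destination alias members
    dst_port: str           # external port, e.g. "5201" or "8000:8010"
    target: str             # internal host the forward points at
    target_port: str
    lan_ifs: list           # interfaces that receive the reflection rdr
    lan_if: str             # interface used for the outbound NAT rules
    lan_subnet: str
    lan_address: str


def pf_list(items):
    """Render a pf address/interface list: one item bare, several in braces."""
    return items[0] if len(items) == 1 else "{ " + " ".join(items) + " }"


def reflection_rules(fw):
    """Emit the rdr rules plus the outbound reflection NAT pair. The port is
    carried as its own field, so a multi-member destination cannot leak
    into the port position as it does in the reported ruleset."""
    dst = pf_list(fw.dst_networks)
    # pf omits the redirect port when it equals the matched port
    target = fw.target if fw.target_port == fw.dst_port else f"{fw.target} port {fw.target_port}"
    return [
        f"rdr on {fw.wan_if} proto {fw.proto} from any to {dst} port {fw.dst_port} -> {target}",
        f"rdr on {pf_list(fw.lan_ifs)} proto {fw.proto} from any to {dst} port {fw.dst_port} -> {target}",
        f"no nat on {fw.lan_if} proto {fw.proto} from {fw.lan_if} to {fw.target} port {fw.target_port}",
        f"nat on {fw.lan_if} proto {fw.proto} from {fw.lan_subnet} to {fw.target} port {fw.target_port} -> {fw.lan_address} port 1024:65535",
    ]


# Assumption: generated rules use numeric ports or numeric ranges only.
PORT_RE = re.compile(r"^\d{1,5}(:\d{1,5})?$")


def invalid_port_fields(rules):
    """Return (rule, token) pairs where the token after the keyword 'port'
    is not a numeric port or range, e.g. an address that leaked in."""
    bad = []
    for rule in rules:
        for m in re.finditer(r"\bport (\S+)", rule):
            if not PORT_RE.match(m.group(1)):
                bad.append((rule, m.group(1)))
    return bad


# The invalid rules quoted in the report, with the trailing comment removed.
REPORTED_RULES = [
    "rdr on igb1 proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10",
    "rdr on { igb0 igb4_vlan1002 igb5_vlan1003 openvpn } proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10",
    "no nat on igb0 proto tcp from igb0 to 192.168.211.10 port 175.65.58.9/32",
    "nat on igb0 proto tcp from 192.168.211.0/24 to 192.168.211.10 port 175.65.58.9/32 -> 192.168.211.1 port 1024:65535",
]

# Constructed forward matching the addresses in the report.
EXAMPLE_FORWARD = PortForward(
    wan_if="igb1", proto="tcp",
    dst_networks=["172.21.16.0/24", "175.65.58.9/32"], dst_port="5201",
    target="192.168.211.10", target_port="5201",
    lan_ifs=["igb0", "igb4_vlan1002", "igb5_vlan1003", "openvpn"],
    lan_if="igb0", lan_subnet="192.168.211.0/24", lan_address="192.168.211.1",
)

if __name__ == "__main__":
    for rule, tok in invalid_port_fields(REPORTED_RULES):
        print(f"INVALID port '{tok}' in: {rule}")
    for rule in reflection_rules(EXAMPLE_FORWARD):
        print(rule)
```

On a real firewall the authoritative check is `pfctl -nf /tmp/rules.debug`, which parses the generated ruleset without loading it and rejects rules like the two `port 175.65.58.9/32` lines above; the validator here is only a quick way to spot the same class of mistake in rules copied out of a report.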
Updated by Viktor Gurov almost 5 years ago
Updated by Jim Pingle almost 5 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Viktor Gurov over 4 years ago
- Status changed from Pull Request Review to Resolved
resolved by https://redmine.pfsense.org/issues/10246
tested on 2.4.5 and 2.5.0.a.20200409.0657