Bug #7614
Port forwards where the destination is a network alias can create invalid reflection rules if multiple subnets are in that alias.
Status:
closed
Start date:
05/30/2017
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All
Description
For example, if the chosen destination is 'WAN net' and there is a VIP on the WAN in a different subnet.
NAT reflection is enabled and "Enable automatic outbound NAT for Reflection" is also enabled.
The rules generated might be:
- NAT Inbound Redirects
rdr on igb1 proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10 - Reflection redirect
rdr on { igb0 igb4_vlan1002 igb5_vlan1003 openvpn } proto tcp from any to { 172.21.16.0/24 175.65.58.9/32 } port 5201 -> 192.168.211.10
no nat on igb0 proto tcp from igb0 to 192.168.211.10 port 175.65.58.9/32
nat on igb0 proto tcp from 192.168.211.0/24 to 192.168.211.10 port 175.65.58.9/32 -> 192.168.211.1 port 1024:65535
The additional IP/subnet is placed in the port variable position, resulting in an invalid ruleset.
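As an added check, not pfSense code: this Python flags any pf rule whose port field holds an address or CIDR, as in the two outbound rules above, and `reflection_outbound_nat` is a hypothetical stand-in for the ruleset builder that shows the expected shape, with the forwarded port (5201 here) in the port position.

```python
import re
import ipaddress

# The two malformed outbound rules copied from the report.
RULES_FROM_REPORT = [
    "no nat on igb0 proto tcp from igb0 to 192.168.211.10 port 175.65.58.9/32",
    "nat on igb0 proto tcp from 192.168.211.0/24 to 192.168.211.10 "
    "port 175.65.58.9/32 -> 192.168.211.1 port 1024:65535",
]

# Every token that directly follows the keyword 'port' in a pf rule.
PORT_FIELD = re.compile(r"\bport\s+(\S+)")


def looks_like_address(token):
    """True if a token found in a port position is really an IP or CIDR."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:  # plain ports ('5201') and ranges ('1024:65535') land here
        return False


def invalid_port_fields(rule):
    """Return the port-position tokens that are addresses instead of ports."""
    return [t for t in PORT_FIELD.findall(rule) if looks_like_address(t)]


def reflection_outbound_nat(ext_if, lan_net, lan_gw, target, port, proto="tcp"):
    """Hypothetical generator (not pfSense's own) for the 'no nat' / 'nat' pair
    that automatic outbound NAT for reflection should emit: one pair per
    forwarded port, with the port, never an alias member, after 'port'."""
    return [
        f"no nat on {ext_if} proto {proto} from {ext_if} to {target} port {port}",
        f"nat on {ext_if} proto {proto} from {lan_net} to {target} port {port} "
        f"-> {lan_gw} port 1024:65535",
    ]


if __name__ == "__main__":
    for rule in RULES_FROM_REPORT:
        print("BAD " if invalid_port_fields(rule) else "ok  ", rule)
    for rule in reflection_outbound_nat("igb0", "192.168.211.0/24",
                                        "192.168.211.1", "192.168.211.10", 5201):
        print("BAD " if invalid_port_fields(rule) else "ok  ", rule)
```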