Bug #8386

closed

Virtual IPs not considered as part of interface net

Added by Stefan Kooman about 6 years ago. Updated over 4 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 03/22/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.2_1
Affected Architecture:

Description

Every network interface with IPs configured has a variable "INTERFACE net" which can be used in firewall rules to select all associated IPs on that interface. Currently, Virtual IPs (and/or virtual IP ranges) bound on an INTERFACE are not considered to be part of the "net" of that INTERFACE. I would expect that all associated IPs (be they virtual or not) should belong to the "net" of an interface. This can be worked around by creating a new alias which includes all network ranges and replacing the "INTERFACE net" variable in the ruleset, but this is error prone, as future Virtual IPs might be forgotten and not added to this new alias.

#1

Updated by Jim Pingle over 4 years ago

  • Category set to Rules / NAT
  • Status changed from New to Not a Bug

They are included:

On a system with a WAN address of 198.51.100.7/24 and an IP alias VIP of 198.18.0.3/24:

pass  in  quick  on $WAN reply-to ( em0 198.51.100.1 ) inet proto tcp  from any to { 198.51.100.0/24 198.18.0.0/24 } tracker 1565797002 flags S/SA keep state  label "USER_RULE: test pass to WAN net"
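A way to verify the behaviour described in this comment on your own box, as an added example that is not part of the bug report or of pfSense: parse the destination set out of a generated pf rule line (as printed by `pfctl -sr`) and report any configured VIP subnet that the rule's destinations do not cover. Only the rule line quoted above is taken from the page; the function names and the VIP list are assumptions.

```python
import ipaddress
import re

# Constructed sample: the rule line quoted in the comment above, as pfSense
# prints it via `pfctl -sr`. Nothing else about the ruleset is assumed.
SAMPLE_RULE = (
    'pass  in  quick  on $WAN reply-to ( em0 198.51.100.1 ) inet proto tcp  '
    'from any to { 198.51.100.0/24 198.18.0.0/24 } tracker 1565797002 '
    'flags S/SA keep state  label "USER_RULE: test pass to WAN net"'
)

# Destination operand: a braced table "to { a b }" or a single token "to a".
# Requiring whitespace before "to" keeps "reply-to (" from matching; the first
# match wins, so the "to WAN net" text inside the label is never reached.
_DEST_RE = re.compile(r'(?:^|\s)to\s+(?:\{([^}]*)\}|(\S+))')


def rule_destinations(rule):
    """Return the destination networks of one pf rule line as ip_network objects."""
    m = _DEST_RE.search(rule)
    if not m:
        return []
    tokens = m.group(1).split() if m.group(1) is not None else [m.group(2)]
    nets = []
    for tok in tokens:
        if tok == 'any':
            nets.append(ipaddress.ip_network('0.0.0.0/0'))
            nets.append(ipaddress.ip_network('::/0'))
        else:
            # A bare host address becomes a /32 (or /128) network.
            nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def missing_vips(rule, vips):
    """Return the VIP subnets (CIDR strings) not fully covered by the rule's destinations."""
    dests = rule_destinations(rule)
    missing = []
    for v in vips:
        vnet = ipaddress.ip_network(v, strict=False)
        covered = any(d.version == vnet.version and vnet.subnet_of(d) for d in dests)
        if not covered:
            missing.append(v)
    return missing
```

Feed it the output of `pfctl -sr` line by line and the VIP subnets from your configuration; an empty result for the "WAN net" rule confirms the expansion shown above.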