Project

General

Profile

Actions
Copy link

Bug #9446

closed

Filter reload error with NAT reflection enabled

Added by Jim Pingle over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Rules / NAT
Target version:
2.4.4-p3
Start date:
04/01/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.5.0
Affected Architecture:
All

Description

Recent 2.5.0 snap, hit this on reboot:

/tmp/rules.debug:112: rule expands to no valid combination


112:no nat on vmx1 proto tcp from vmx1 to 10.6.0.10 port 22

And several more like it.

Looks like the interface name as a source needs parens, so from (vmx1).

Actions
Copy link
 #1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Chris Linstruth over 5 years ago

Getting parens on that interface. No rule loading errors:
eg. no nat on vtnet0 proto tcp from (vtnet0) to 172.25.236.240 port 8443

Actions
Copy link
 #3

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #4

Updated by Jim Pingle over 5 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3
Actions
Copy link
 #5

Updated by Jim Pingle over 5 years ago

  • Status changed from Resolved to Feedback
Actions
Copy link
 #6

Updated by Chris Linstruth over 5 years ago

2.4.4-p3 looks good:

  1. Reflection redirects and NAT for 1:1 mappings
    rdr on { vtnet0 vtnet2 enc0 openvpn } from any to 172.25.228.253 -> 172.25.233.101 bitmask
    no nat on vtnet0 from (vtnet0) to 172.25.233.101
    nat on vtnet0 from 172.25.233.0/24 to 172.25.233.101 -> 172.25.233.1 port 1024:65535
Actions
Copy link
 #7

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF