Feature #983

closed

Improve/Enhance IP Alias VIP handling in GUI

Added by Jim Pingle almost 11 years ago. Updated almost 7 years ago.

Status: Resolved
Priority: Normal
Category: Virtual IP Addresses
Target version:
Start date: 11/01/2010
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

IP Alias subnets should probably be included when choosing "(interface) Subnet" shortcuts, and should probably also be included in automatic outbound NAT rules.

Noticed here:
http://forum.pfsense.org/index.php/topic,29616.msg153487.html#msg153487

Actions #1

Updated by Jim Pingle over 8 years ago

  • Target version set to 2.2

They are included in automatic outbound NAT now, but not the interface macro.

Actions #2

Updated by Jim Thompson over 7 years ago

  • Assignee set to Renato Botelho

assigned to Renato.

see other comments on possible security issues in the Alias code.

Actions #3

Updated by Renato Botelho about 7 years ago

Jim Thompson wrote:

assigned to Renato.

see other comments on possible security issues in the Alias code.

What security issues? Where can I find those comments?

Actions #4

Updated by Renato Botelho about 7 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #5

Updated by Trond Vindenes about 7 years ago

The added code uses pass-by-reference, which could be why this doesn't work, if I understand the issue and resolution correctly. Added an IP alias (192.168.10.1/24) subnet to the LAN interface, and a client (192.168.10.10) using it could not access the Internet unless I manually added rules and Outbound NAT rules for that subnet alias.

 function filter_address_add_vips_subnets(&$subnets, $if, $not) {

Actions #6

Updated by Trond Vindenes about 7 years ago

I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.

Actions #7

Updated by Renato Botelho about 7 years ago

Trond Vindenes wrote:

I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.

Can you share your /tmp/rules.debug and /conf/config.xml (without relevant data) with me? You can send it direct to my email if you prefer:

Actions #8

Updated by Trond Vindenes about 7 years ago

The test VM I used for this test was reset to factory defaults some time after, but I have tried to reproduce it using what I think is the same version: "2.2-ALPHA (amd64) built on Fri Aug 15 14:31:24 CDT 2014". Will remember to download the files you mentioned at once if I find a similar issue.

What happens now is that I do not need to add a firewall rule on LAN, but I still need to add an outbound NAT rule. Have sent the requested files to your email address.

Actions #10

Updated by Ermal Luçi about 7 years ago

@Renato,

you should make sure that VIPs are applied first in the rules since NAT is a first match, no?
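As an added standalone illustration (not pfSense's own code and not the function from the change discussed in #5), the PHP below shows the two points raised in #5 and #10: a by-reference array parameter really does accumulate the IP Alias subnets into the caller's list, and the automatic outbound NAT entries are emitted with the alias subnets ahead of the interface subnet so a first-match NAT table sees them first. The function names, the VIP record fields and the sample addresses are constructed assumptions.

```php
<?php
// Added illustration, not pfSense code. All names and sample data below are
// constructed assumptions for this example.

// Constructed: one interface subnet and a list of VIPs in a pfSense-like shape.
$lan_subnet = '192.168.1.0/24';
$vips = [
    ['mode' => 'ipalias', 'interface' => 'lan', 'subnet' => '192.168.10.1', 'subnet_bits' => 24],
    ['mode' => 'ipalias', 'interface' => 'lan', 'subnet' => '10.0.5.1',     'subnet_bits' => 24],
    ['mode' => 'carp',    'interface' => 'wan', 'subnet' => '203.0.113.9',  'subnet_bits' => 32],
];

// Hypothetical helper: reduce an address plus prefix length to its network,
// e.g. 192.168.10.1/24 -> 192.168.10.0/24 (IPv4 only).
function subnet_network(string $ip, int $bits): string {
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return long2ip(ip2long($ip) & $mask) . "/$bits";
}

// Hypothetical: append each IP Alias subnet on $if to $subnets. The "&" makes
// $subnets a reference, so the caller's array gains the entries; without it
// the pushes would land in a private copy and be lost on return.
function add_ipalias_subnets(array &$subnets, string $if, array $vips): void {
    foreach ($vips as $vip) {
        if ($vip['mode'] === 'ipalias' && $vip['interface'] === $if) {
            $subnets[] = subnet_network($vip['subnet'], (int) $vip['subnet_bits']);
        }
    }
}

// Hypothetical: build outbound NAT entries in pf syntax with the alias subnets
// placed before the interface subnet, following the first-match point in #10.
function outbound_nat_rules(string $if_subnet, array $alias_subnets, string $out_if): array {
    $rules = [];
    foreach (array_merge($alias_subnets, [$if_subnet]) as $src) {
        $rules[] = "nat on \$$out_if from $src to any -> (\$$out_if)";
    }
    return $rules;
}

// The "LAN subnet" macro: the interface subnet first, then the IP Alias
// subnets the by-reference call appended (the CARP VIP on wan is skipped).
$alias_subnets = [];
add_ipalias_subnets($alias_subnets, 'lan', $vips);
echo 'LAN subnet macro: { ' . implode(' ', array_merge([$lan_subnet], $alias_subnets)) . " }\n";

foreach (outbound_nat_rules($lan_subnet, $alias_subnets, 'wan') as $rule) {
    echo $rule, "\n";
}
```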

Actions #11

Updated by Chris Buechler almost 7 years ago

  • Status changed from Feedback to Resolved

works, nice improvement for ease of use.
