Feature #983
closedImprove/Enhance IP Alias VIP handling in GUI
100%
Description
IP Alias subnets should probably be included when choosing "(interface) Subnet" shortcuts, and should probably also be included in automatic outbound NAT rules.
Noticed here:
http://forum.pfsense.org/index.php/topic,29616.msg153487.html#msg153487
Updated by Jim Pingle almost 12 years ago
- Target version set to 2.2
They are included in automatic outbound NAT now, but not the interface macro.
Updated by Jim Thompson over 10 years ago
- Assignee set to Renato Botelho
assigned to Renato.
see other comments on possible security issues in the Alias code.
Updated by Renato Botelho over 10 years ago
Jim Thompson wrote:
assigned to Renato.
see other comments on possible security issues in the Alias code.
What security issues? Where can I find those comments?
Updated by Renato Botelho over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 1b37ae46e73fed8db8ca6c5cc67988a369a738b8.
Updated by Trond Vindenes over 10 years ago
The added code uses pass-by-reference. Which could be why this doesn't work, if I understand the issue and resolution correctly. Added a IP alias (192.168.10.1/24) subnet to LAN interface, and a client (192.168.10.10) using it could not access the Internet unless I manually added rules and Outbound NAT rules for that subnet alias.
function filter_address_add_vips_subnets(&$subnets, $if, $not) {
Updated by Trond Vindenes over 10 years ago
I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.
Updated by Renato Botelho over 10 years ago
Trond Vindenes wrote:
I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.
Can you share your /tmp/rules.debug and /conf/config.xml (without relevant data) with me? You can send it direct to my email if you prefer: renato@pfsense.com
Updated by Trond Vindenes over 10 years ago
The test vm I used for this test was reset to factory defaults some time after, but I have tried to reproduse it using what I think is the same version.
"2.2-ALPHA (amd64) built on Fri Aug 15 14:31:24 CDT 2014". Will remember to download the files you mentioned at once if I find a similar issue.
What happens now is that I do not need to add a firewall rule on LAN, but I still need to add a outbound NAT rule. Have sent the requested files to your email address.
Updated by Renato Botelho over 10 years ago
Applied in changeset 2cff71c43a646075dea76bf269c3e4a1eabcbbf5.
Updated by Ermal Luçi over 10 years ago
@Renato,
you should make sure that VIPs are applied first in the rules since NAT is a first match, no?
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved
works, nice improvement for ease of use.