Feature #983
closed
- Target version set to 2.2
They are included in automatic outbound NAT now, but not the interface macro.
- Assignee set to Renato Botelho
assigned to Renato.
see other comments on possible security issues in the Alias code.
Jim Thompson wrote:
assigned to Renato.
see other comments on possible security issues in the Alias code.
What security issues? Where can I find those comments?
- Status changed from New to Feedback
- % Done changed from 0 to 100
The added code uses pass-by-reference, which could be why this doesn't work, if I understand the issue and resolution correctly. Added an IP alias (192.168.10.1/24) subnet to the LAN interface, and a client (192.168.10.10) using it could not access the Internet unless I manually added rules and Outbound NAT rules for that subnet alias.
function filter_address_add_vips_subnets(&$subnets, $if, $not) {
I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.
Trond Vindenes wrote:
I might have misunderstood the whole pass-by-reference-thing, but as I said, if I understood the solution correctly, it doesn't work.
Can you share your /tmp/rules.debug and /conf/config.xml (without relevant data) with me? You can send it directly to my email if you prefer: renato@pfsense.com
The test VM I used for this test was reset to factory defaults some time after, but I have tried to reproduce it using what I think is the same version.
"2.2-ALPHA (amd64) built on Fri Aug 15 14:31:24 CDT 2014". Will remember to download the files you mentioned at once if I find a similar issue.
What happens now is that I do not need to add a firewall rule on LAN, but I still need to add an outbound NAT rule. Have sent the requested files to your email address.
@Renato,
you should make sure that VIPs are applied first in the rules since NAT is a first match, no?
- Status changed from Feedback to Resolved
works, nice improvement for ease of use.