OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: noses on October 30, 2018, 12:41:28 pm

Title: 10.7.6 NAT issue
Post by: noses on October 30, 2018, 12:41:28 pm
If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.
Title: Re: 10.7.6 NAT issue
Post by: franco on October 30, 2018, 01:34:32 pm
Hi there,

We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.


Cheers,
Franco
Title: Re: 10.7.6 NAT issue
Post by: The_Penguin on October 31, 2018, 04:55:22 pm
If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.

I may have the same problem. I just did multiple updates from 18.1 to 18.7.6 so can't say which update broke it.

I have 1 NAT Port forward that stopped working after the updates.
The forward is traffic to the WAN interface with a destination port of 6060 redirected to an internal host, port 8080.
This traffic gets stopped by the default deny rule. This is my only forward where the dest port gets forwarded to a different port on the inside host. Similar rules that have the same port on the dest host still work.
Title: Re: 10.7.6 NAT issue
Post by: The_Penguin on October 31, 2018, 05:13:26 pm
I deleted the WAN rule, and the port forward and re-created, same issue.
Title: Re: 10.7.6 NAT issue
Post by: The_Penguin on November 01, 2018, 01:17:05 am
Some more info, hope it's helpful or you can tell me to stfu :)

I have other forwards where the inside host is a different port than the destination, i.e. wan:3399 non-standard port with an alias goes to an inside host at standard RDP 3389. These work.
Also non-standard port with an alias that are the same destination port wan and inside host.

What doesn't work is 2 non-standard port aliases that are different: wan:6060 alias to inside host 8080 alias.

That's all I got.


Title: Re: 10.7.6 NAT issue
Post by: tetzschner on November 05, 2018, 10:29:31 pm
Exact same problem here. Had to restore to a previous backup... thank God for VM and Veeam
Title: Re: 10.7.6 NAT issue
Post by: noses on November 08, 2018, 02:03:30 pm
We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.

Existing rules didn't work after upgrading, new rules neither. The alias was of course a port number and contained exactly one port. So: Create an alias for a port number (e. g. HTTP_proxy as 3128), create a rule (e. g. from port 10080 on the local host to HTTP_proxy on the local host) and check the pf rule generated and you will find the destination port missing.
Title: Re: 10.7.6 NAT issue
Post by: hutiucip on November 08, 2018, 03:32:42 pm
I confirm: if dest port is different than NAT port and an alias is used for NAT port, the FW rule generator places dest port (WAN port) in place of NAT port in the associated FW rule, so the rule is not matching traffic, and datagrams are dropped by "Default deny rule".
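
Added example, not part of any post in this thread and not OPNsense code: a small Python check for the two symptoms reported above, run over constructed rule lines in simplified pf.conf syntax. The interface name, addresses and the `audit_forward` helper are assumptions made for illustration.

```python
import re

# Constructed sample rulesets (simplified pf.conf syntax, not from the posters' systems).
BROKEN = """\
rdr on em0 inet proto tcp from any to (em0) port 6060 -> 192.168.1.10
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 6060
"""
FIXED = """\
rdr on em0 inet proto tcp from any to (em0) port 6060 -> 192.168.1.10 port 8080
pass in quick on em0 inet proto tcp from any to 192.168.1.10 port 8080
"""

# rdr ... port <wan> -> <host> [port <nat>]
RDR = re.compile(r"^rdr .* port (?P<wan>\d+) -> (?P<host>\S+)(?: port (?P<nat>\d+))?$")
# pass in ... to <host> port <port>
PASS = re.compile(r"^pass in .* to (?P<host>\S+) port (?P<port>\d+)\b")


def audit_forward(ruleset, wan_port, host, nat_port):
    """Return a list of problems for one expected forward wan_port -> host:nat_port."""
    lines = ruleset.splitlines()
    problems = []
    rdrs = [m for m in map(RDR.match, lines)
            if m and m["wan"] == str(wan_port) and m["host"] == host]
    if not rdrs:
        problems.append("no rdr rule for this forward")
    for m in rdrs:
        if m["nat"] is None:
            problems.append("rdr rule has no target port")
        elif m["nat"] != str(nat_port):
            problems.append(f"rdr target port is {m['nat']}, expected {nat_port}")
    # pf applies rdr translation before filtering, so the associated pass
    # rule has to match the translated (inside) port, not the WAN port.
    passes = [m["port"] for m in map(PASS.match, lines) if m and m["host"] == host]
    if str(nat_port) not in passes:
        problems.append(f"no pass rule for {host} port {nat_port} (found: {passes})")
    return problems


if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_forward(rules, 6060, "192.168.1.10", 8080) or "ok")
```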
Title: Re: 10.7.6 NAT issue
Post by: franco on November 08, 2018, 04:35:46 pm
Please try again on 18.7.7:

https://github.com/opnsense/changelog/blob/61cbcc863ca66b978ed2c698d71f91a56b0c9e79/doc/18.7/18.7.7#L38


Cheers,
Franco
Title: Re: 10.7.6 NAT issue
Post by: hutiucip on November 09, 2018, 10:04:43 am
Just tested, it's OK now!
Thank you, you hard workers, really thank you! :)
Title: Re: 10.7.6 NAT issue
Post by: franco on November 09, 2018, 01:04:37 pm
Whew, ok, thanks! 8)