OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: packet loss on January 30, 2016, 04:28:13 am

Title: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: packet loss on January 30, 2016, 04:28:13 am
After upgrading to 16.1 from the latest 15 production release using the webgui I encountered a port forwarding issue. My Xbox One NAT turned to moderate from open which was very unusual. I couldn't see any of the normal rules generated from the NAT rules which I had previously created. It appears you modified the code in the 16.1 release:

" firewall: hide NAT rules from normal rules screen"

I restored a saved OPNsense config file and my Xbox NAT returned to open from moderate. The normal rules were still hidden but it fixed the port forwarding issue. What was the purpose of hiding the normal NAT generated rules?
Title: Re: Purpose for hiding NAT rules from normal rules screen?
Post by: AdSchellevis on January 30, 2016, 09:33:14 am
You can find the discussion here: https://github.com/opnsense/core/issues/695
The problem is NAT rules generate firewall rules that can't be edited, because they miss most of the content to make it valid, so the decision was made to hide those special cases here (they are after all visible in your NAT section).

Our upgrade didn't supply any data migrations, so it shouldn't have changed anything in your config.
Title: Re: Purpose for hiding NAT rules from normal rules screen?
Post by: franco on January 30, 2016, 02:19:12 pm
I don't understand this. The fix was to hide rules that were displayed in the rules view by accident, the real rule is displayed under port forward and is still fully functional.

Explanations aside, changing the display in the GUI does not affect the config.xml nor the backend filter so a bug that directly relates to this change is impossible.

It would be good to know how the faulty config and the one you restored to differ in terms of NAT/rule configuration.
Title: Re: Purpose for hiding NAT rules from normal rules screen?
Post by: packet loss on January 31, 2016, 01:22:04 am
Since I seem to be the only one to report this issue, I would say let's assume it's user error at this point.
Title: Re: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: packet loss on February 05, 2016, 07:23:40 pm
What are the chances of there being an option to display NAT generated normal rules? By default they could be hidden but can be displayed maybe using either a toggle button or setting.
Title: Re: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: AdSchellevis on February 05, 2016, 07:34:54 pm
I kind of forgot about this forum thread, but the behaviour of the NAT rules is changed in the latest version because it has some other disadvantages of not seeing the rules generated here (like when using defective configs).

This commit changed it:
https://github.com/opnsense/core/commit/e1dd1839931ca804970a2f9b9b4c1237160adcca#diff-3ede0f3f1915131865cd1d7539e4a7e1

Now you can see the rules, but not edit or duplicate them.
Title: Re: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: packet loss on February 05, 2016, 08:25:23 pm
Good news. Thanks for the update. That's the primary reason why I wanted to see the rules.
Title: Re: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: franco on February 06, 2016, 12:08:42 pm
It's not entirely good news. It means there has been an inconsistency in the rules code for at least 5 years. So this is not a fix, it's a workaround for setups that silently break with very old rulesets that predate OPNsense. We will have to restructure this for 16.7 to make proper progress on this front, I'm afraid. :(
Title: Re: [SOLVED] Purpose for hiding NAT rules from normal rules screen?
Post by: packet loss on February 07, 2016, 02:46:03 am
Understood. Yes, I'm aware there is an issue(s) but for now it will be easier to identify problems. I've encountered a few issues such as being able to overlap used port rules and being able to duplicate rules, which obviously shouldn't be allowed. This was back a few releases ago and I haven't had the time to experiment at all lately. I noticed some of these issues when I was setting up port forwarding for my Xbox One. If I get the time maybe I might be able to reproduce those issues and report back. At this point I haven't done any real testing with the 16.1 build, but when I get some time I will do my best to identify any issues if there are any at all.