Hybrid NAT Rules malfunction - manual rules not being added

Started by drivera, December 09, 2018, 08:09:28 PM

Hi!

The description for what "Hybrid outbound NAT rule generation" does is as follows: "Automatically generated rules are applied after manual rules."

However, I added some manual rules that I've confirmed aren't being added accordingly.  Adding and removing the rules has no effect: using pfctl -sa produces the same NAT rule output each time.

I don't want to switch to fully manual rule generation if I can avoid it, so I can leverage the system's automatic rules.

Is this a known issue? Perhaps there's a misconfiguration somewhere else tripping me up?

Thoughts?

Thanks!

More details I left out about the manual rules I added (I posted in a hurry, sorry :D):
  • The interface the packets will be outbound on is an OpenVPN client interface (already assigned a static name, and marked as "non-removable")
  • The OpenVPN connection is coming up fine, and appears to be working fine

Regardless of what I do, I can't get the rule generator to create those rules. Or, at least, they're not being listed when using pfctl -sa.

Cheers!

I think I've found the issue.  If I set any destination address as part of the selector for the NAT rule, the NAT rule won't be generated. If I leave the destination address as "any", the rule is generated just fine.

This seems like a bug to me: if destinations aren't supported as part of the rule selector, then one shouldn't be able to set them via the GUI.  If one is able to set them via the GUI, then the rule generator should generate the NAT rules properly.

So - it's either a bug in the rule generator (not applying the destination specification to the rule's "to ..." selector), or a bug in the GUI permitting rule configurations that aren't allowed.

This is on 18.7.8, fully updated.

Thoughts?

Cheers!
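A quick way to verify the symptom described in this thread is to look at the NAT section of the live ruleset alone (pfctl -sn) and check for the exact selectors of the manual rule, rather than eyeballing the full pfctl -sa dump. The script below is an added example, not code from the original post or from OPNsense; the interface name ovpnc1, the subnets, the expected rule text and the sample pfctl output are all constructed for illustration and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the forum post or the OPNsense project): check whether a
# destination-restricted outbound NAT rule made it into the live pf ruleset by
# inspecting only the NAT section (pfctl -sn) instead of everything (pfctl -sa).
#
# The interface name, subnets and the sample pfctl output below are constructed
# for illustration; they are assumptions, not values from the thread.

# Constructed sample of what `pfctl -sn` might print on a box where only the
# automatic (destination "any") rules were generated.  Not real output.
SAMPLE_NAT_RULES='no nat proto carp all
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1:0) port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535'

# The rule shape one would expect the generator to emit for a manual hybrid rule
# that carries a destination: same form, but with an explicit "to <network>".
# Constructed for illustration.
EXPECTED_RULE='nat on ovpnc1 inet from 192.168.1.0/24 to 10.8.0.0/16 -> (ovpnc1:0) port 1024:65535'

# nat_rule_present RULESET IFACE SRC DST
# Returns 0 if RULESET contains an outbound NAT rule on IFACE matching SRC -> DST,
# 1 otherwise.  Fixed-string greps on the three selectors keep the check
# independent of the translation address and port-range suffix.
nat_rule_present() {
    nrp_ruleset=$1; nrp_iface=$2; nrp_src=$3; nrp_dst=$4
    printf '%s\n' "$nrp_ruleset" \
        | grep -F "nat on $nrp_iface " \
        | grep -F " from $nrp_src " \
        | grep -Fq " to $nrp_dst "
}

# nat_rule_count RULESET IFACE
# Prints how many "nat on IFACE" rules the ruleset holds; useful for a quick
# before/after comparison when you add or remove a manual rule in the GUI.
nat_rule_count() {
    printf '%s\n' "$1" | grep -Fc "nat on $2 "
}

# Stand-alone demo against the constructed sample.  On a live firewall you would
# pass "$(pfctl -sn)" as the ruleset instead of $SAMPLE_NAT_RULES.
if nat_rule_present "$SAMPLE_NAT_RULES" ovpnc1 192.168.1.0/24 10.8.0.0/16; then
    echo "destination-restricted rule is loaded on ovpnc1"
else
    echo "destination-restricted rule is missing on ovpnc1 (only $(nat_rule_count "$SAMPLE_NAT_RULES" ovpnc1) rule(s) present)"
fi
```

On OPNsense the generated ruleset is also written to /tmp/rules.debug, so if a rule is absent from pfctl -sn you can grep that file to tell whether the generator never emitted it (the bug suspected above) or emitted something pf rejected; `pfctl -vnf /tmp/rules.debug` parses the file without loading it and reports any syntax error.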