10.7.6 NAT issue

Started by noses, October 30, 2018, 12:41:28 PM

If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly, the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.

Hi there,

We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.


Cheers,
Franco

Quote from: noses on October 30, 2018, 12:41:28 PM
If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly, the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.

I may have the same problem. I just did multiple updates from 18.1 to 18.7.6 so can't say which update broke it.

I have 1 NAT Port forward that stopped working after the updates.
The forward is traffic to the WAN interface with a destination port of 6060 redirected to an internal host, port 8080.
This traffic gets stopped by the default deny rule.  This is my only forward where the dest port gets forwarded to a different port on the inside host. Similar rules that have the same port on the dest host, still work.

I deleted the WAN rule, and the port forward and re-created, same issue.

Some more info, hope it's helpful or you can tell me to stfu :)

I have other forwards where the inside host is a different port than the destination, i.e. wan:3399 non-standard port with an alias goes to an inside host at standard RDP 3389. These work.
Also a non-standard port with an alias that is the same destination port on the WAN and the inside host.

What doesn't work is 2 non-standard port aliases that are different. wan:6060 alias to inside host 8080 alias.

That's all I got.



Exact same problem here. Had to restore to a previous backup... thank God for VM and Veeam

Quote from: franco on October 30, 2018, 01:34:32 PM
We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.

Existing rules didn't work after upgrading, new rules neither. The alias was of course a port number and contained exactly one port. So: create an alias for a port number (e.g. HTTP_proxy as 3128), create a rule (e.g. from port 10080 on the local host to HTTP_proxy on the local host), check the pf rule generated, and you will find the destination port missing.

I confirm: if the dest port is different from the NAT port and an alias is used for the NAT port, the FW rule generator places the dest port (WAN port) in place of the NAT port in the associated FW rule, so the rule is not matching traffic, and datagrams are dropped by "Default deny rule".
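A small model of the symptom described in the two posts above (the HTTP_proxy repro and the "dest port in place of NAT port" explanation), added here as an illustration; it is not OPNsense's rule generator. The alias table, rule fields and pf syntax are constructed for the example, and the consistency check is the kind of test you would run on the generated rules before trusting a forward.

```python
"""Toy model of port-forward rule generation. Assumed/constructed: the alias
table, the rule fields and the pf syntax are illustrative, not OPNsense code."""
import re

ALIASES = {"HTTP_proxy": "3128"}  # constructed alias, as in the thread's repro

def resolve_port(value, aliases):
    """Return a numeric port string for a literal port or a port alias name."""
    if value.isdigit():
        return value
    if value in aliases:
        return aliases[value]
    raise ValueError(f"unknown port or alias: {value}")

def generate(rule, aliases, buggy=False):
    """Emit the rdr rule and its associated pass rule for one port forward.
    With buggy=True, reproduce the reported symptom: the pass rule is built
    from the WAN destination port instead of the resolved redirect target
    port, so the translated packets fall through to the default deny."""
    dst_port = resolve_port(rule["dst_port"], aliases)
    target_port = resolve_port(rule["target_port"], aliases)
    rdr = (f"rdr on {rule['if']} proto {rule['proto']} from any to ({rule['if']}) "
           f"port {dst_port} -> {rule['target']} port {target_port}")
    pass_port = dst_port if buggy else target_port
    filt = (f"pass in quick on {rule['if']} proto {rule['proto']} "
            f"from any to {rule['target']} port {pass_port}")
    return rdr, filt

def associated_rule_matches(rdr, filt):
    """True when the pass rule opens the same host:port the rdr rule
    translates to; a mismatch is what 'blocked by Default deny' looks like."""
    m = re.search(r"-> (\S+) port (\d+)$", rdr)
    f = re.search(r"to (\S+) port (\d+)$", filt)
    return bool(m and f and m.groups() == f.groups())

# Constructed rule matching the repro: WAN port 10080 -> local HTTP_proxy alias
RULE = {"if": "em0", "proto": "tcp", "dst_port": "10080",
        "target": "127.0.0.1", "target_port": "HTTP_proxy"}

if __name__ == "__main__":
    for buggy in (False, True):
        rdr, filt = generate(RULE, ALIASES, buggy=buggy)
        print(rdr)
        print(filt)
        print("consistent:", associated_rule_matches(rdr, filt))
```

On a real box the equivalent check is to compare the output of `pfctl -sn` (NAT rules) against `pfctl -sr` (filter rules) for the forward in question.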


Just tested, it's OK now!
Thank you, you hard workers, really thank you! :)