10.7.6 NAT issue

[noses]

If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.

[franco]

Hi there,

We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.


Cheers,
Franco

[The_Penguin]

If a NAT forwarding rule is using an alias as "Redirect target port" instead of entering it directly the port is not added to the generated pf rule. It was still working in 10.7.3...

noses.

I may have the same problem.  I just did multiple updates from 18.1 to 18.7.6 so can't say which update broke it.

I have 1 NAT Port forward that stopped working after the updates.
The forward is traffic to the WAN interface with a destination port of 6060 redirect to an internal host,  port 8080.
 This traffic gets stopped by the default deny rule.  This is my only forward where the dest port gets forwarded to a different port on the inside host. Similar rules that have the same port on the dest host, still work.

[The_Penguin]

I deleted the WAN rule, and the port forward and re-created, same issue.

[The_Penguin]

Some more info, hope it's helpful or you can tell me to stfu

I have other forwards where the inside host is a different port than the destination i.e.  wan:3399 non standard port with an alias goes to an inside host at standard rdp 3389. These work.
Also non-standard port with an alias that are the same destination port wan  and inside host.

What doesn't work is 2 non-standard port aliases that are different.  wan:6060 alias to inside host 8080 alias.

That's all I got.

[tetzschner]

Exact same problem here. Had to restore to a previous backup... thanks God for VM and Veeam

[noses]

We need more information about the alias, type, contents, if this applies to existing rules or only editing/creating rules.

Existing rules didn't work after upgrading, new rules neither. The alias was of course a port number and contained exactly one port. So: Create an alias for a port number (e. g. HTTP_proxy as 3128, create a rule (e. g.  from port 10080 on the local host to HTTP_proxy on the local host) and check the pf rule generated and you will find the destination port missing.

[Ciprian]

I confirm: if dest port is different than NAT port and an alias is used for NAT port, the FW rule generator places dest port (WAN port) in place of NAT port in the associated FW rule, so the rule is not matching traffic, and datagrams are droped by "Default deny rule".

[franco]

Please try again on 18.7.7:

https://github.com/opnsense/changelog/blob/61cbcc863ca66b978ed2c698d71f91a56b0c9e79/doc/18.7/18.7.7#L38


Cheers,
Franco

[Ciprian]

Just tested, it's OK now!
Thank you, you hard workers, really thank you!

[franco]

Whew, ok, thanks!