24.1.9 NAT Reflection

Started by danderson, June 18, 2024, 11:36:18 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
June 19, 2024, 05:10:47 PM #15

its this the same problem , why my 1:1 NAT outbound was deleted? only the rule for the 1:1 was deleted , the other nat outbound rules was not deleted.
June 19, 2024, 06:05:18 PM #16
No. And without the rule content it's impossible to say. Best to see what was in your backup WRT "onetoone" contents.


Cheers,
Franco
June 19, 2024, 07:32:01 PM #17
Quick feedback, because I tried the hotfix:

After applying the update I had again the problem, that IPv4 was not reachable.
I saw, that under 1:1 NAT the destination of my entry was not "any" anymore and was filled with the same IP like in source (which was also set before and is correct). This is not correct and the update set the wrong value for destination which wasn´t present before.
Additionally there is also a display error.
The external IP address is not shown in the overview of the 1:1 NAT-rules. You just see it, when you click the edit button of the corresponding 1:1 NAT-rule

In my opinion, the update should not change the destination value from "any" to the same IP-address like in source. And the external IP address should also be shown in the 1:1 NAT overview.

At the moment I don´t know if the hotfix really helped in my case. Maybe I could have reached the same result without the hotfix if I changed the settings before to the correct values. But this is speculation.

I just wanted you to give the feedback that the hotfix didn´t solve anything without touching.
June 19, 2024, 07:37:18 PM #18
Sounds like a different issue. Since we started with "NAT Reflection" this is what I focused on.

If you can let me have the System: Configuration: History diiff block for the migration I'll check out the issue you just mentioned. Best via franco AT opnsense DOT org

Quote from: franco on June 19, 2024, 11:14:36 AM
Can someone with snapshot capability give me a diff of the good 24.1.8 and bad 24.1.9 file /tmp/rules.debug ?

# diff -u old.file new.file

Just to plug this again... if someone wants to chime in because so far nobody did. It's hard to fix issues that are not properly traced.


Cheers,
Franco
June 19, 2024, 08:00:59 PM #19
Hey Franco,

just sent you two diffs to your provided mail address.
Sorry I was working during the day and I thought you already found the issue because you provided the hotfix. This was the reason why I didn´t send to you anymore.

I hope you find the reason.

I think it is this:

New:
<destination_net>any</destination_net>
Old:
-      <destination>
-        <any>1</any>

The syntax changed.
June 19, 2024, 08:09:12 PM #20
Apparently it's a baldy placed typo:

https://github.com/opnsense/core/commit/6cbd3ca15

I'll try to hotfix this and the external target column in the listing as well.



Cheers,
Franco
June 20, 2024, 09:58:06 AM #21
After intense testing with Franco I can confirm, that everything works with the hotfix 24.1.9_3
June 20, 2024, 11:13:37 AM #22
Hello

I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.
Basically, 'Internal' and 'Destination' were bearing the same thing.

I did the update from 24.1.8

I manually edited the entries with the correct destinations.
Regards
June 20, 2024, 11:20:01 AM #23
Quote from: smema79 on June 20, 2024, 11:13:37 AM
Hello

I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.
Basically, 'Internal' and 'Destination' were bearing the same thing.

I did the update from 24.1.8

I manually edited the entries with the correct destinations.
Regards

I did the same this morning and cannot confirm this behaviour with 24.1.9_3
June 20, 2024, 11:34:16 AM #24
Quote from: smema79 on June 20, 2024, 11:13:37 AM
I waited until today for the update to 24.1.9, including the hotfix (_1), and I confirm that it has rewritten my one-to-one entries by changing my 'destination' addresses.

Yes, this is expected when having landed in 24.1.9 or 24.1.9_1 unfortunately. 24.1.9_3 is out now and that works (coming from below 24.1.9).


Cheers,
Franco
June 25, 2024, 03:49:32 PM #25
Just upgraded from 24.1.8 to 24.1.9_4, and my 1:1 NAT config didn't migrate.

Code Select
--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1719321616.8927.xml 2024-06-25 09:20:16.898912000 -0400
@@ -804,19 +804,6 @@
         </created>
       </rule>
     </outbound>
-    <onetoone>
-      <disabled/>
-      <external>**externalVIP**</external>
-      <descr/>
-      <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
-      <source>
-        <address>**internalIP**</address>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </onetoone>
   </nat>
   <filter>
     <rule uuid="fca06965-4caf-41e4-992a-166d5b00e036">
@@ -2156,8 +2143,8 @@
   </widgets>
   <revision>
     <username>(system)</username>
-    <description>/usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php made changes</description>
-    <time>1716803141.3662</time>
+    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+    <time>1719321616.8927</time>
   </revision>
   <OPNsense>
     <IPsec version="1.0.1">
@@ -2383,10 +2370,11 @@
       <Category version="1.0.0">
         <categories/>
       </Category>
-      <Filter version="1.0.3">
+      <Filter version="1.0.4">
         <rules/>
         <snatrules/>
         <npt/>
+        <onetoone/>
       </Filter>
     </Firewall>
     <Netflow version="1.0.1">
July 09, 2024, 05:55:12 PM #26
Found my issue - the onetoone stanza in my config.xml was still in pfsense format from when I migrated last year.  I toggled the disable box and saved, which made these changes:
Code Select
--- /conf/backup/config-1716803141.3662.xml 2024-05-27 05:45:41.372306000 -0400
+++ /conf/backup/config-1720538699.8016.xml 2024-07-09 11:24:59.854129000 -0400
@@ -805,16 +805,17 @@
       </rule>
     </outbound>
     <onetoone>
-      <disabled/>
       <external>**externalVIP**</external>
+      <category/>
       <descr/>
       <interface>wan</interface>
-      <ipprotocol>inet</ipprotocol>
+      <type>binat</type>
+      <disabled>1</disabled>
       <source>
         <address>**internalIP**</address>
       </source>
       <destination>
-        <any/>
+        <any>1</any>
       </destination>
     </onetoone>
   </nat>
Now that my onetoone config is in OPNsense format, the upgrade from 24.1.8 to 24.1.9_4 migrated the config successfully.
July 10, 2024, 08:32:33 AM #27
Hi Steve,

Ah ok that makes sense. The older code sometimes used empty XML strings are "true" values but our code moved to explicit "0"/"1" where we made considerable changes to the data model.

Empty string eval in PHP empty("") actually is "false" so that's why that was made.


Cheers,
Franco
Print
Go Up Pages 1 2
User actions