PfSense changes subnet in the nat rules!!
-
Does it still happen in 2.5.2? (The current version)
No, I have never seen that. Do you have exact steps to replicate?
Do you see the changes shown in the config history?
Steve
-
@stephenw10 In the configuration history I can't see anything strange; there are only the changes I have made. I don't know if it will happen with 2.5.2, we currently have 2.5.1, but I had the same problems with the version prior to 2.5.1. I'll try to back up and restore the configuration in a pfSense lab. This firewall manages an entire datacenter, I don't want to have any more problems with my virtual machines.
-
@gianluca-0 said in PfSense changes subnet in the nat rules!!:
In the configuration history I can't see anything strange, there are only the changes I have made.
So where are you seeing these rogue changes happen?
Try to spin up a 2.5.2 VM and replicate it there if you can.
Steve
-
@stephenw10 It all started when I changed some NAT rules which have TCP/UDP protocols to TCP. pfSense changed all the other rules with TCP/UDP from a single host in the destination address to a network with a /31 subnet. When I have some time I will install a VM with pfSense version 2.5.2, restore my configuration and try to replicate the problem.
-
What I mean is did you see those changes to all the other rules reflected in the config diffs. Or could it be a display issue?
And you saw this on other NAT rules? I assume port forwards? Or the associated firewall rules?
Steve
-
This makes no sense at all. And I sure cannot duplicate the problem in 2.5.2, per how I understand what you're saying the problem is.
I created 3 test rules all using tcp/udp. You can see the GUI rules, and what the actual rules are. I then changed one of those rules to tcp only. All looks normal to me.
Am I not understanding what your problem is? Screenshots showing exactly what you're saying the problem is would be most helpful.
-
@stephenw10 I haven't checked inside the configuration diffs yet, but I presume I will see the changes there. And yes, the issue is reflected in other NAT rules not connected with the one I changed.
-
@johnpoz you did this on a clean install; we are using the same setup we started about 5 years ago.
-
@johnpoz try looking inside the rules at the network, and check whether it has been changed to /31. The list of NAT rules does not always show the changed subnet.
-
Mmm, I can't replicate it either.
That is what you're doing though? On your system making that change to one port forward changed all of them and set the destination to /31?
-
@stephenw10 in all rules that have TCP/UDP, pfSense changes only the destination network subnet to /31; I repeat, what was previously configured as a single host is now a network address /31.
-
If it's actually set to a /31 subnet it will show as that there:
Are you sure this is not your browser auto-fill setting some fields when you edit the rule?
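An added example, not code from any poster in this thread or from the pfSense project: an offline check of the point made above, run against two config.xml backups (the "before" and "after" of an edit) rather than the GUI. It assumes the port-forward layout pfSense backups use, `<nat><rule>` with the destination in `<destination><address>`, a single host stored as a bare IP and a network as `addr/prefix`; the two snapshots below are constructed samples with RFC 5737 addresses, not the poster's configuration. It reports every field that differs between the snapshots and separately lists rules whose destination is a /31 (or smaller) network, which is the symptom described in the thread.

```python
"""Compare two pfSense config.xml snapshots and flag port forwards whose
destination became a /31 network instead of a single host."""
import ipaddress
import xml.etree.ElementTree as ET


def _rule(proto, dest, port, target, descr):
    # Minimal <nat><rule> as this script assumes pfSense writes it
    # (fields not needed for the check are omitted; real descr is CDATA,
    # which ElementTree parses identically).
    return (f"<rule><protocol>{proto}</protocol><interface>wan</interface>"
            f"<destination><address>{dest}</address><port>{port}</port></destination>"
            f"<target>{target}</target><local-port>{port}</local-port>"
            f"<descr>{descr}</descr></rule>")


def _config(rules):
    return "<pfsense><nat>" + "".join(rules) + "</nat></pfsense>"


# Constructed "before" snapshot: three port forwards, all single-host destinations.
CONFIG_BEFORE = _config([
    _rule("tcp/udp", "203.0.113.10", 443, "10.0.0.10", "web-a"),
    _rule("tcp/udp", "203.0.113.11", 443, "10.0.0.11", "web-b"),
    _rule("tcp", "203.0.113.12", 22, "10.0.0.12", "ssh-c"),
])

# Constructed "after" snapshot: the operator changed web-a to tcp only;
# web-b's destination has turned into a /31 network, which nobody edited.
CONFIG_AFTER = _config([
    _rule("tcp", "203.0.113.10", 443, "10.0.0.10", "web-a"),
    _rule("tcp/udp", "203.0.113.11/31", 443, "10.0.0.11", "web-b"),
    _rule("tcp", "203.0.113.12", 22, "10.0.0.12", "ssh-c"),
])


def port_forwards(xml_text):
    """Return {rule name: fields} for every <nat><rule> in a config.xml string."""
    root = ET.fromstring(xml_text)
    rules = {}
    for i, rule in enumerate(root.findall("./nat/rule")):
        name = (rule.findtext("descr") or "").strip() or f"rule#{i}"
        rules[name] = {
            "protocol": rule.findtext("protocol", ""),
            "destination": rule.findtext("destination/address", ""),
            "port": rule.findtext("destination/port", ""),
            "target": rule.findtext("target", ""),
        }
    return rules


def destination_kind(addr):
    """Classify a destination as 'host', 'network' or 'other' (alias, 'any', keyword).

    A bare IP or an explicit /32 (or /128) counts as a host, matching the
    GUI behaviour described in the thread where /32 collapses to single host.
    """
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return "other"
    if "/" not in addr or net.prefixlen == net.max_prefixlen:
        return "host"
    return "network"


def suspect_rules(xml_text, min_prefix=31):
    """Names of port forwards whose destination is a network of /min_prefix or longer."""
    out = []
    for name, r in port_forwards(xml_text).items():
        addr = r["destination"]
        if destination_kind(addr) == "network" and \
                ipaddress.ip_network(addr, strict=False).prefixlen >= min_prefix:
            out.append(name)
    return out


def diff_port_forwards(before_xml, after_xml):
    """(rule, field, old, new) for every changed field; added/removed rules too."""
    before, after = port_forwards(before_xml), port_forwards(after_xml)
    changes = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            changes.append((name, "rule", None, "added"))
        elif name not in after:
            changes.append((name, "rule", "removed", None))
        else:
            for field, old in before[name].items():
                new = after[name][field]
                if old != new:
                    changes.append((name, field, old, new))
    return changes


if __name__ == "__main__":
    for change in diff_port_forwards(CONFIG_BEFORE, CONFIG_AFTER):
        print("changed:", change)
    print("destinations that are /31 networks:", suspect_rules(CONFIG_AFTER))
```

On a real system, feed it two backups from Diagnostics > Backup & Restore (or two revisions from the config history) instead of the constructed strings; a rule that shows up in `suspect_rules` but not in `diff_port_forwards` was already a /31 in the older snapshot, which separates a display problem from an actual stored change.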
-
@gianluca-0 said in PfSense changes subnet in the nat rules!!:
try to see inside the rules in network
Those are the WAN rules. Here are the NAT rules:
Yes, this is a clean install of 2.5.2. Sorry, I don't have a 5-year-old test setup that I have kept updating over the years ;) heheh
-
@stephenw10 yes :) I'm sure. I understand what you mean. And autofill cannot change from single host to network address and also change the subnet to /31 (I think).
-
Anyway, I need some time to build a new pfSense virtual machine and restore my configuration to see what happens. The pfSense is not owned by us; we have a manager user but we cannot log in with SSH, for example.
-
There is something slightly odd there in 2.5.2/21.05.1. If you set the destination as network the list of subnet sizes includes /32 and also /31 twice!
However, selecting them doesn't seem to cause a problem. And it's fixed in 2.6/21.09.
Steve
-
@stephenw10 but those NAT rules are single hosts, so /32 is implied.
-
Exactly. If you set /32 there it just goes back to single host. It should not appear in that list as a 'network' but selecting it does no harm.
Steve
-
@stephenw10 said in PfSense changes subnet in the nat rules!!:
If you set the destination as network the list of subnet sizes includes /32 and also /31 twice!
Where are you seeing this? Looking at NAT and firewall rules, I do not see that.
Oh, I see it on 21.05.1 but not on my test 2.5.2 box.
But only in the NAT rules, not the firewall rules.
-
Yeah, I was testing in 21.05.1. I assume it would affect both. Hmm.
Either way it's fixed in 21.09 so...