Netgate Discussion Forum

    NAT rules went missing after config restore

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    • A Former User

      Hi Guys,

      I was running 2.2.5 (32-bit) on a WatchGuard x750e but have been having issues with the network ports locking up so I decided today was the day to move the firewall to a KVM virtual machine (64-bit). I backed up my configuration from 2.2.5 and restored it on a new 2.3 install since I figured might as well try the ALPHA release and check out the new GUI.

      When the config was restored I had to change some of the interface assignments and removed some unused ones, but all of the settings came over properly, with the exception of the NAT section. See the screenshot I attached: there are no port forwards, no 1:1 NAT and no manual outbound NAT rules.

      I did a backup of the 2.3 config and there is no <nat> section in the XML. I also have the original 2.2.5 config, which I can share, but since it contains all of my public IPs I would rather not post them here.

      Has anyone else had this happen? I can open a bug if needed.

      Thanks,

      Robbert
      Selection_001.jpg

      • heper

        If you can replicate this behavior and the nat section is there in the original bug: file a bug report

        I've only done in-place upgrades, and in my case it worked … but perhaps there's an issue when importing a config somehow.

        • A Former User

          Thanks, will spin up another VM and try restoring the configuration again. If it does it again I will open a bug.

          Is there a tool to remove sensitive information from a configuration file so I can easily upload it?

          Thanks,

          Robbert

          • phil.davis

            I have exported my 2.3 config a couple of times, done reset to factory defaults to test some factory defaults behavior, then restored the config. The NAT section appears in the saved config and has been restored onto the box.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            • cmb

              @rrijkse:

              Is there a tool to remove sensitive information from a configuration file so I can easily upload it?

              status.php will trim out passwords, hashes, certs, PSKs and similar things though that may still leave more than you'll want to make publicly available. You can mark a bug ticket as private, in which case we can download the attachment, delete it, and then make the ticket non-private.

              • A Former User

                Thanks, I grabbed the status_output file generated on the 2.2.5 install and tried a couple of times to reproduce it, but haven't been able to. I guess it was just a one-time thing. If you want I can open a private bug with the original 2.2.5 and post-upgrade 2.3 config without the NAT section, but I'm not sure how useful this will be without the logs.

                Thanks,

                Robbert

                • cmb

                  If it's not replicable there won't be anything we can do. If you find a means of replicating, definitely open a bug please.

                  • Harvy66

                    I'd be interested to know if the NAT entries are actually in your 2.2.5 config that you backed up.

                    • A Former User

                      They were definitely in the backup of the config, the first couple of lines are below. I think I may know how the section was removed, but will have to confirm tomorrow since it's rather late.

                      
                      <nat>
                      	<outbound>
                      		<mode>advanced</mode>
                      		<rule>
                      			<source>
                      				<network>10.0.0.0/8</network>
                      
                      • doktornotor Banned

                        So why are you looking at the 'Port Forward' tab when what you posted should be under the 'Outbound' tab?

                        • A Former User

                          From my first post:

                          there are no port forwards, no 1:1 NAT and no manual outbound NAT rules.

                          There was nothing in any of the tabs under NAT: Port Forward, 1:1, Outbound or NPt.

                          I had 10 port forwards configured, two 1:1 NATs, 4 manual outbound NAT and 1 NPt, which were all gone when I imported the configuration.

                          I did not post all of the NAT section from my old config since it contains all the public IPs.

                          Thanks,

                          Robbert

                          • doktornotor Banned

                            Dude, what you posted is "manual outbound NAT". If there are no NAT rules, then what is missing?! Once again, the screenshot posted here is totally useless. There's not supposed to be ANY entry of ANY of those things you mentioned.

                            • cmb

                              Yeah the 1:1 and port forwards would generally come before the outbound NAT, that <nat> config snippet indeed looks like it had no port forwards or 1:1 defined.

                              • A Former User

                                To stop the confusion I have attached the entire NAT section of the 2.2.5 config that I backed up (I also have a status_output.tgz file from the 2.2.5 box if you want me to share that with you). Hopefully this will shed some more light on this issue since the order of the NAT section is:

                                1. Outbound NAT
                                2. 1:1 NAT
                                3. Port Forward
                                4. NPt

                                These are the steps I took originally but have not been able to reproduce this issue since then.

                                1. Back up the configuration on a 2.2.5 machine, with RRD data, without packages
                                2. Shut down the machine
                                3. Install 2.3-ALPHA image on a new machine
                                4. Assign a temp IP to LAN interface
                                5. Skip the Wizard
                                6. Restore the configuration, with all areas selected (default)
                                7. I was prompted to fix the interface assignments, since the 2.2.5 box was not the same as the 2.3 box. So I fixed the assignments, PPPoE and VLAN settings.
                                8. Checked the NAT section, all the tabs are empty, even after a reboot.

                                Thanks,

                                Robbert

                                natsnippet.txt
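
A check for the situation in this thread, added as an example (not code from any poster or from pfSense): it compares the NAT section of a pre-restore and a post-restore config.xml and reports only rule counts, so the result can go into a bug report without exposing addresses. The element paths under `<nat>` and the sample configs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed layout of <nat> in config.xml: port forwards as <nat><rule>,
# 1:1 as <nat><onetoone>, manual outbound as <nat><outbound><rule>,
# NPt as <nat><npt>.
PATHS = {
    "port_forward": "rule",
    "one_to_one": "onetoone",
    "outbound": "outbound/rule",
    "npt": "npt",
}

def nat_summary(config_xml):
    """Return per-type NAT rule counts, or None if <nat> is absent."""
    nat = ET.fromstring(config_xml).find("nat")
    if nat is None:
        return None
    counts = {name: len(nat.findall(path)) for name, path in PATHS.items()}
    counts["outbound_mode"] = nat.findtext("outbound/mode", default="")
    return counts

def restore_findings(before_xml, after_xml):
    """List NAT rule types that shrank or vanished across a restore."""
    before, after = nat_summary(before_xml), nat_summary(after_xml)
    if before is None:
        return []  # the backup had no NAT section, nothing to lose
    if after is None:
        return ["<nat> section missing after restore"]
    return [f"{k}: {before[k]} -> {after[k]}"
            for k in PATHS if after[k] < before[k]]

# Constructed sample configs (documentation and private addresses only).
BEFORE = """<pfsense><nat>
  <outbound><mode>advanced</mode>
    <rule><source><network>10.0.0.0/8</network></source></rule></outbound>
  <onetoone><external>192.0.2.10</external></onetoone>
  <rule><target>10.0.0.5</target></rule>
  <rule><target>10.0.0.6</target></rule>
  <npt><interface>wan</interface></npt>
</nat></pfsense>"""
AFTER_NO_NAT = "<pfsense><interfaces/></pfsense>"
AFTER_PARTIAL = """<pfsense><nat><outbound><mode>advanced</mode>
  <rule><source><network>10.0.0.0/8</network></source></rule>
</outbound></nat></pfsense>"""

if __name__ == "__main__":
    print(nat_summary(BEFORE))
    print(restore_findings(BEFORE, AFTER_NO_NAT))
    print(restore_findings(BEFORE, AFTER_PARTIAL))
```

Running it against the saved backup and a fresh export right after the restore, before fixing interface assignments and again afterwards, would show at which step the section disappears.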
