    Strange behaviour with NAT, reflection and protocols like ESP

      kionez

      Hi all,

      Today I noticed a strange behaviour on my pfSense 1.2-Release box.

      I use NAT reflection to allow users on the LAN to access my public web server. I also NAT VPN/IPsec traffic to another VPN server (forwarding ports udp/500 and udp/4500 and the ESP protocol).

      When pfSense (/etc/filter.inc) recreates the rules and inetd.conf for redirecting (rdr) traffic, it makes a mistake when it finds a rule for a protocol in the first positions of the NAT rules. For example, in "Firewall: NAT: Port Forward" I have something like:
      "WAN2  ESP  192.168.2.7  (ext.: 10.10.10.1)  VPN-esp" in the first line.

      So when pfSense regenerates and reloads its rules, I see some wrong data in /tmp/rules.debug, such as a protocol mismatch in the following rules, or a port mismatch.

      It seems that if filter.inc has to create an "rdr" rule for a protocol (such as ESP or GRE) without ports, it counts a wrong number of local ports (1900x) and makes some mistakes in protocol matching.

      Is it possible to disable redirection/reflection selectively on each rule? Or is it possible to disable it when the user chooses to NAT a protocol?

      k.

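A quick consistency check for the generated /tmp/rules.debug, added here as an example and not part of the post or of pfSense itself: it parses pf "rdr" lines and flags the two symptoms described above, a port clause attached to a port-less protocol such as ESP or GRE, and a reflection local port (the 1900x loopback listeners) handed out to more than one rule. The sample rules are constructed to look like the post's setup; the regex assumes the plain "rdr on IF proto P from S to D [port X] -> T [port Y]" form.

```python
import re
from collections import defaultdict

# Protocols with no port field; any "port" clause on them is a generation error.
PORTLESS = {"esp", "ah", "gre", "ipencap", "icmp"}

# Assumed rdr layout: rdr on IF proto P from SRC to DST [port DP] -> TARGET [port TP]
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?\s+->\s+(?P<target>\S+)"
    r"(?:\s+port\s+(?P<tport>\S+))?\s*$"
)

def parse_rdr(line):
    """Return the rdr rule's fields as a dict, or None if the line is not an rdr rule."""
    m = RDR_RE.match(line.strip())
    return m.groupdict() if m else None

def check_rules(text):
    """Scan rules.debug text; return (line_no, problem) findings, line_no 0 for global ones."""
    findings = []
    localports = defaultdict(set)  # reflection loopback port -> distinct (proto, dst, dport)
    for no, line in enumerate(text.splitlines(), 1):
        r = parse_rdr(line)
        if not r:
            continue
        proto = r["proto"].lower()
        if proto in PORTLESS and (r["dport"] or r["tport"]):
            findings.append((no, f"proto {proto} carries a port clause"))
        # Reflection rules redirect to a loopback listener port instead of the real host.
        if r["target"] == "127.0.0.1" and r["tport"]:
            localports[r["tport"]].add((proto, r["dst"], r["dport"]))
    for port, users in localports.items():
        if len(users) > 1:
            findings.append((0, f"local port {port} reused by {len(users)} reflection rules"))
    return findings

# Constructed sample in the style of /tmp/rules.debug, not captured from a real box.
SAMPLE = """\
# constructed sample
rdr on em0 proto esp from any to 10.10.10.1 -> 192.168.2.7
rdr on em0 proto udp from any to 10.10.10.1 port 500 -> 192.168.2.7 port 500
rdr on em0 proto udp from any to 10.10.10.1 port 4500 -> 192.168.2.7 port 4500
rdr on em0 proto tcp from any to 10.10.10.1 port 80 -> 192.168.2.5 port 80
rdr on em1 proto esp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 19000
rdr on em1 proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 19000
"""

if __name__ == "__main__":
    for no, msg in check_rules(SAMPLE):
        print(f"line {no}: {msg}")
```

On a real box, feed the file instead of SAMPLE (for example `check_rules(open("/tmp/rules.debug").read())`) after each filter reload.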
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.