NAT Forward Rules for other protocols: IPIP



  • I noticed that in the drop-down box for a NAT forward rule, the following are listed:

    TCP
    UDP
    TCP/UDP
    ICMP
    ESP
    AH
    GRE
    IPV6
    IGMP
    PIM
    OSPF

    https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

    Of notable exclusion is IPIP (type 4), which is very much in active use by 44net aka ampr.org.

    I am of the opinion that if the protocol types are going to be limited to the top 12, the last option should be a custom or advanced option and a custom field number entered.

    Without the ability to forward the IPIP tunnel to another host for processing or tunnel termination, that prevents any of the 44net users from being able to connect from behind a pfSense firewall and excludes pfSense from being used as a firewall by those folks.

    44net is 44.0.0.0/8 across the entire world. 44/8 is world-routable and allocated, and that's a lot of possible users to disenfranchise.

    Likewise:
    0x61 97 ETHERIP Ethernet-within-IP Encapsulation (EoIP)
    0x62 98 ENCAP Encapsulation Header
    0x7C 124 IS-IS over IPv4
    0x85 133 FC FCoE
    etc.

    This is apparently a well-enough known issue that Amprnet participants are distributing fixes among themselves: http://www.qsl.net/kb9mwr/wapr/tcpip/pfsense.html



  • I second this suggestion. I'm trying to work with some protocols not in that list (among the most important is SCTP). Firewall has a larger list, but NAT limits the possibility.


  • Rebel Alliance Developer Netgate

    There isn't any specific reason I'm aware of we don't include more protocols there, except that few people have asked for them (or none at all).

    Only special consideration is that only TCP and UDP have a concept of ports, everything else should just forward in. Same with rules, the list isn't exhausive mostly for convenience, but technically pf can forward/filter any valid protocol as far as I'm aware. No documented limits I could see.

    We could suck in the contents of /etc/protocols and massage it into something usable and tack it on the end of the drop-down, perhaps.


  • Galactic Empire

    @jimp

    How about people just adding the protocol number like the custom ports ?


  • Rebel Alliance Developer Netgate

    Then we'd need a completely new GUI control that would allow both drop-down and text input (like we have for ports, for example), and that's a bit more complicated to get into. Also it's valid to specify the protocol names, and people are not as likely to remember the numbers compared to the names.