Error Loading Rules - Only when using an Alias in NAT rule



  • Hi,

    I'm having a problem when I try to deploy a particular NAT configuration. Basically I'm doing the DNS redirect that's documented here but instead of using ! LAN Network I'm trying to use ! Allowed_DNS where Allowed_DNS is an IP Alias I have defined (and working in the config in other parts) just fine.

    Here's what I try to deploy:

    overview.PNG

    Here's the rule close up:

    Failed.PNG

    And here's the rule when it works just fine:

    works.PNG

    For clarity, here's my Alias

    aliases.PNG

    Note that this Alias references other aliases, but any other alias it does reference is just a list of IPs. There's no alias referencing aliases referencing aliases, even though I can't see why that'd matter.

    So when I try to deploy the rule using ! Allowed_DNS this is what ends up being created in /tmp/rules.debug

    # NAT Inbound Redirects
    rdr on vtnet1 proto { tcp udp } from any to ! $Allowed_DNS port 53 -> 192.168.0.6
    no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
    

    Notice the port port there at the end of the second line? That is obviously the cause of the error. If I remove ! Allowed_DNS and replace it with !LAN Address this is the config that's created:

    # NAT Inbound Redirects
    rdr on vtnet1 proto { tcp udp } from any to !192.168.0.1 port 53 -> 192.168.0.6
    no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port 53
    

    It now says port 53, as it should.

    I don't know if it's any use, but this is the error pfSense gives me when I try to deploy the ! Allowed_DNS version:

    There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - The line in question reads [147]: no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
    @ 2019-11-13 21:30:22
    

    Finally, here are (slightly sanitised) details of my pfSense box:

    Name 	<removed>
    User 	admin@192.168.0.120 (Local Database)
    System 	pfSense
    Netgate Device ID: <removed>	
    BIOS 	Vendor: SeaBIOS
    Version: rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org
    Release Date: Tue Apr 1 2014
    Version 	2.4.4-RELEASE-p3 (amd64)
    built on Wed May 15 18:53:44 EDT 2019
    FreeBSD 11.2-RELEASE-p10
    
    The system is on the latest version.
    Version information updated at Wed Nov 13 20:20:37 NZDT 2019  
    CPU Type 	Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
    2 CPUs: 1 package(s) x 2 core(s)
    AES-NI CPU Crypto: Yes (active)
    Hardware crypto 	AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Kernel PTI 	Disabled
    Uptime 	22 Days 15 Hours 44 Minutes 43 Seconds
    

    Can anyone give me some pointers? What am I doing wrong that's causing the odd "port port" at the end of the line?

    Thanks!
    Tim

    Note: Dear Akismet, I promise this is not a spam post!
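As an added check (not from the post or from pfSense itself): the authoritative syntax test is `pfctl -nf /tmp/rules.debug`, but the malformed `port port` token above can also be caught offline with a small lint over the generated NAT lines. The two rule sets are the ones quoted in the post, embedded here as constructed input; the operand grammar is a deliberately narrow assumption (numbers, ranges, `$macro`s and `{` lists only, no service names).

```python
import re

# Constructed samples: the two /tmp/rules.debug excerpts quoted in the post.
BROKEN_RULES = """\
# NAT Inbound Redirects
rdr on vtnet1 proto { tcp udp } from any to ! $Allowed_DNS port 53 -> 192.168.0.6
no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
"""

WORKING_RULES = """\
# NAT Inbound Redirects
rdr on vtnet1 proto { tcp udp } from any to !192.168.0.1 port 53 -> 192.168.0.6
no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port 53
"""

# Assumed subset of what pf accepts after "port": a number, a low:high range,
# a $macro, or the start of a "{ ... }" list. Service names are not handled.
PORT_OPERAND = re.compile(r"^(\d+(:\d+)?|\$\w+|\{)$")


def check_nat_rules(text):
    """Return [(line_no, message), ...] for rdr/no-nat lines whose 'port'
    keyword is not followed by a usable operand (e.g. the 'port port' case)."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no rule
        if not (line.startswith("rdr ") or line.startswith("no nat ")):
            continue  # only the NAT lines the post is about
        tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok != "port":
                continue
            operand = tokens[i + 1] if i + 1 < len(tokens) else ""
            if not PORT_OPERAND.match(operand):
                problems.append(
                    (line_no, f"'port' has no valid operand (got {operand!r})"))
                break  # one report per line is enough
    return problems


if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("working", WORKING_RULES)):
        print(label, check_nat_rules(rules))
```

Running it reports line 3 of the broken set (the `no nat` line) and nothing for the working set, matching the error pfSense printed.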



  • I'm thinking I should log a bug about this - the fact I can do something in the GUI that generates a faulty rules.debug makes me think it's Redmine worthy.

    I am, however, also aware that Redmine is not for technical support.

    What do people think, is this

    a) A valid bug
    b) User error

    ?

    Thanks!
    Tim

