Netgate Discussion Forum

Error Loading Rules - Only when using an Alias in NAT rule

3 Posts 2 Posters 459 Views
    A Former User
    last edited by Nov 13, 2019, 8:53 AM

    Hi,

    I'm having a problem when I try to deploy a particular NAT configuration. Basically I'm doing the DNS redirect that's documented here but instead of using ! LAN Network I'm trying to use ! Allowed_DNS where Allowed_DNS is an IP Alias I have defined (and working in the config in other parts) just fine.

    Here's what I try to deploy:

    overview.PNG

    Here's the rule close up:

    Failed.PNG

    And here's the rule when it works just fine:

    works.PNG

    For clarity, here's my Alias

    aliases.PNG

    Note that this Alias references other aliases, but any other alias it does reference is just a list of IPs. There's no alias referencing aliases referencing aliases, even though I can't see why that'd matter.

    So when I try to deploy the rule using ! Allowed_DNS this is what ends up being created in /tmp/rules.debug

    # NAT Inbound Redirects
    rdr on vtnet1 proto { tcp udp } from any to ! $Allowed_DNS port 53 -> 192.168.0.6
    no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
    

    Notice the port port there at the end of the second line? That is obviously the cause of the error. If I remove ! Allowed_DNS and replace it with !LAN Address this is the config that's created:

    # NAT Inbound Redirects
    rdr on vtnet1 proto { tcp udp } from any to !192.168.0.1 port 53 -> 192.168.0.6
    no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port 53
    

    It now says port 53, as it should.

    I don't know if it's any use, but this is the error pfSense gives me when I try to deploy the ! Allowed_DNS version:

    There were error(s) loading the rules: /tmp/rules.debug:147: syntax error - The line in question reads [147]: no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
    @ 2019-11-13 21:30:22
    

    Finally, here's (a tiny bit sanitised) details of my pfSense box:

    Name             <removed>
    User             admin@192.168.0.120 (Local Database)
    System           pfSense
                     Netgate Device ID: <removed>
    BIOS             Vendor: SeaBIOS
                     Version: rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org
                     Release Date: Tue Apr 1 2014
    Version          2.4.4-RELEASE-p3 (amd64)
                     built on Wed May 15 18:53:44 EDT 2019
                     FreeBSD 11.2-RELEASE-p10
                     The system is on the latest version.
                     Version information updated at Wed Nov 13 20:20:37 NZDT 2019
    CPU Type         Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz
                     2 CPUs: 1 package(s) x 2 core(s)
                     AES-NI CPU Crypto: Yes (active)
    Hardware crypto  AES-CBC,AES-XTS,AES-GCM,AES-ICM
    Kernel PTI       Disabled
    Uptime           22 Days 15 Hours 44 Minutes 43 Seconds


    Can anyone give me some pointers? What am I doing wrong that's causing the odd "port port" at the end of the line?

    Thanks!
    Tim

    Note: Dear Akismet, I promise this is not a spam post!

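A quick way to catch this kind of defect before pfctl refuses the whole ruleset is to parse the NAT redirect section of /tmp/rules.debug and check that every `no nat` companion line carries a real port that agrees with the `rdr` rule it belongs to. The script below is an added example, not pfSense code or anything from the post; the rule lines it checks are a constructed sample shaped like the ones quoted above (plus one extra pair with a deliberately mismatched port to exercise the second check), and the regexes only cover the single-port, range and macro forms pfSense emits for port forwards.

```python
"""Sanity-check the NAT redirect lines of a pfSense rules.debug file.

Added example (not pfSense's own code). It flags two defects:
  * a 'no nat' line whose port clause has no value ('port port'), as quoted
    in the post above;
  * a 'no nat' line whose port differs from the 'rdr' rule it pairs with.
Run it on /tmp/rules.debug before the GUI hands the file to pfctl.
"""
import re
from dataclasses import dataclass

# Constructed sample: the two pairs quoted in the post, then a third pair
# (port 853 vs 53) invented here to exercise the mismatch check.
SAMPLE_RULES = """\
# NAT Inbound Redirects
rdr on vtnet1 proto { tcp udp } from any to ! $Allowed_DNS port 53 -> 192.168.0.6
no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port port
rdr on vtnet1 proto { tcp udp } from any to !192.168.0.1 port 53 -> 192.168.0.6
no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port 53
rdr on vtnet1 proto { tcp udp } from any to !192.168.0.1 port 853 -> 192.168.0.6
no nat on vtnet1 proto { tcp udp } from (vtnet1) to 192.168.0.6 port 53
"""

# A port spec as pfSense writes it: number, range, macro, brace list or service name.
PORT_SPEC = re.compile(r"^(\d+(:\d+)?|\$\w+|\{[^}]*\}|[a-z][\w-]*)$")
# Tokens that can never be a port value; 'port' itself is the bug from the post.
PF_KEYWORDS = {"port", "from", "to", "on", "proto", "->", "no", "nat", "rdr"}

RDR_RE = re.compile(r"^rdr on (?P<iface>\S+) .*?\bto (?P<dst>.+?) port (?P<port>.+?) -> (?P<target>\S+)")
NONAT_RE = re.compile(r"^no nat on (?P<iface>\S+) .*?\bto (?P<target>\S+) port (?P<port>.+?)\s*$")


@dataclass
class Finding:
    lineno: int
    line: str
    reason: str


def check_nat_redirects(text):
    """Return a list of Findings for the rdr / no nat lines in `text`."""
    findings = []
    pending = None  # (lineno, port, target) of the most recent rdr rule
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("rdr "):
            m = RDR_RE.match(line)
            if not m:
                findings.append(Finding(n, line, "rdr rule could not be parsed"))
                pending = None
                continue
            port = m.group("port")
            if port in PF_KEYWORDS or not PORT_SPEC.match(port):
                findings.append(Finding(n, line, f"bad port spec {port!r}"))
            pending = (n, port, m.group("target"))
        elif line.startswith("no nat "):
            m = NONAT_RE.match(line)
            if not m:
                findings.append(Finding(n, line, "no nat rule could not be parsed"))
            else:
                port = m.group("port")
                if port in PF_KEYWORDS or not PORT_SPEC.match(port):
                    findings.append(Finding(n, line, f"port clause has no value ({port!r})"))
                elif pending and pending[2] == m.group("target") and pending[1] != port:
                    findings.append(Finding(
                        n, line,
                        f"port {port} differs from rdr rule on line {pending[0]} (port {pending[1]})"))
            pending = None
    return findings


def check_file(path="/tmp/rules.debug"):
    """Convenience wrapper for running against a real rules.debug."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_nat_redirects(fh.read())


if __name__ == "__main__":
    for f in check_nat_redirects(SAMPLE_RULES):
        print(f"line {f.lineno}: {f.reason}\n    {f.line}")
```

On the constructed sample this reports line 3 (the `port port` line from the post) and line 7 (the invented 853/53 mismatch); the pair on lines 4 and 5 passes. Against a real file, run `check_file()` and treat any finding as a reason not to apply the ruleset.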
      A Former User
      last edited by Nov 15, 2019, 1:19 AM

      I'm thinking I should log a bug about this - the fact I can do something in the GUI that generates a faulty rules.debug makes me think it's Redmine-worthy.

      I am, however, also aware that Redmine is not for technical support.

      What do people think, is this

      a) A valid bug
      b) User error

      ?

      Thanks!
      Tim

        raab
        last edited by raab Feb 9, 2020, 10:08 PM Feb 9, 2020, 9:38 AM

        @muppet said in Error Loading Rules - Only when using an Alias in NAT rule:

        here

        I've created a bug report for it

        I'm getting the same in 2.4.4 p3 and 2.4.5-RC, trying to do the same as you with redirecting DNS
