User rights - Edit NAT - No interfaces in list to choose from
I have a probably very simple problem. I need my users to self-administrate their Netgate SG3100 to a certain extent, which includes creating a NAT on the WAN interface. The user inherits his rights from a group, which grants the access to NAT: Port Forward. In detail:
- WebCfg - Firewall: NAT: Port Forward
- WebCfg - Firewall: NAT: Port Forward: Edit
In addition, the following privileges are also assigned:
- WebCfg - Dashboard (all)
- WebCfg - Diagnostics: ARP Table
- WebCfg - Diagnostics: DNS Lookup
- WebCfg - Diagnostics: Ping
- WebCfg - Diagnostics: Reboot System
- WebCfg - Diagnostics: System Activity
- WebCfg - Diagnostics: Test Port
- WebCfg - Services: DHCP Server
- WebCfg - Services: DHCP Server: Edit static mapping
- WebCfg - Services: DNS Forwarder
- WebCfg - Services: DNS Forwarder: Edit Domain Override
- WebCfg - Services: DNS Forwarder: Edit host
- WebCfg - Status: DHCP leases
- WebCfg - System: User Password Manager
Everything works fine except the Port Forwarding, as the user can't choose an interface because the list is empty. I also tried to fix this issue by assigning first only the 'Interfaces: WAN' privilege, later all privileges of the interfaces category. Sadly, I had no success with that.
The hardware is a Netgate SG3100 with pfSense v.2.4.4-RELEASE-p3 (arm).
Thank you in advance!
Gertjan last edited by
To be able to list all interfaces, the user should have access to Firewall > Rules page.
I had to look it up in the master manual: the scripts.
and the interfaces show up on the NAT :: Add or Edit page(s).
This means the user has access to the firewall rules, maybe something you do not really want ...
You're right, firewall access is not ideal in this case. But it's necessary for us to let people manage their port forwarding rules, so this is a preliminary solution we can live with. I hope they change this behaviour in a future release.