PfSense changes subnet in the nat rules!!
-
Hello to all,
There seems to be a serious problem in pfSense 2.5.1 (but I also noticed this in previous versions). When I change the protocol from TCP/UDP to TCP, or from TCP to TCP/UDP, in a NAT rule, pfSense changes the destination address in all rules with those protocols from single host to network with a /31 subnet.
This obviously caused us a lot of connection problems.
But what was awful to see: the subnet does not show up in the NAT rule list; you can only see it inside the rule.
Has anyone there had this problem?
-
Does it still happen in 2.5.2? (The current version)
No, I have never seen that. Do you have exact steps to replicate?
Do you see the changes shown in the config history?
Steve
-
@stephenw10 In the configuration history I can't see anything strange, there are only the changes I have made. I don't know if it will happen with 2.5.2; we currently have 2.5.1, but I had the same problems with the version prior to 2.5.1. I'll try to back up and restore the configuration in a pfSense lab. This firewall manages an entire datacenter, and I don't want to have any more problems with my virtual machines.
-
@gianluca-0 said in PfSense changes subnet in the nat rules!!:
In the configuration history I can't see anything strange, there are only the changes I have made.
So where are you seeing these rogue changes happen?
Try to spin up a 2.5.2 VM and replicate it there if you can.
Steve
-
@stephenw10 It all started when I changed some NAT rules that had the TCP/UDP protocol to TCP. pfSense changed all the other rules with TCP/UDP from single host in the destination address to network with subnet /31. When I have some time I will install a VM with pfSense version 2.5.2, restore my configuration and try to replicate the problem.
-
What I mean is did you see those changes to all the other rules reflected in the config diffs. Or could it be a display issue?
And you saw this on other NAT rules? I assume port forwards? Or the associated firewall rules?
Steve
-
This makes no sense at all.. And I sure can not duplicate the problem in 2.5.2, per how I am understanding what you're saying the problem is.
I created 3 test rules all using tcp/udp.. You can see the GUI rules, and what the actual rules are. I then changed one of those rules to tcp only.. All looks normal to me..
Am I not understanding what your problem is? Screenshots showing exactly what you're saying the problem is would be most helpful.
-
@stephenw10 I haven't checked inside the configuration diffs yet, but I presume I can see the changes there. And yes, the issue is reflected in other NAT rules not connected with the one I changed.
-
@johnpoz You did this on a clean install; we are using the same setup we started about 5 years ago.
-
@johnpoz Try looking inside the rules at the network, and check whether it has been changed to /31. The list of NAT rules does not always show the changed subnet.
-
Mmm, I can't replicate it either.
That is what you're doing though? On your system making that change to one port forward changed all of them and set the destination to /31?
-
@stephenw10 In all rules that have TCP/UDP, pfSense changes only the destination, to network subnet /31. I repeat: previously configured as single host, now network address /31.
-
If it's actually set to a /31 subnet it will show as that there:
Are you sure this is not your browser auto-fill setting some fields when you edit the rule?
-
@gianluca-0 said in PfSense changes subnet in the nat rules!!:
try to see inside the rules in network
Those are the WAN rules.. Here are the NAT rules
Yes this is a clean install of 2.5.2.. Sorry don't have a 5 year old test setup that I have kept updating over the years ;) heheh
-
@stephenw10 Yes :) I'm sure.. I understand what you mean. And autofill can not change from single host to network address and also change the subnet to /31 (I think).
-
Anyway, I need some time to build a new pfSense virtual machine and restore my configuration to see what happens. pfSense is not owned by us; we have a manager user, but we cannot log in via SSH, for example.
-
There is something slightly odd there in 2.5.2/21.05.1. If you set the destination as network, the list of subnet sizes includes /32 and also /31 twice!
However selecting them doesn't seem to cause a problem. And it's fixed in 2.6/21.09.
Steve
-
@stephenw10 But those NAT rules are single hosts, so /32 is implied.
-
Exactly. If you set /32 there it just goes back to single host. It should not appear in that list as a 'network' but selecting it does no harm.
Steve
-
@stephenw10 said in PfSense changes subnet in the nat rules!!:
If you set the destination as network the list of subnet sizes includes /32 and also /31 twice!
Where are you seeing this? Looking on nat and firewalls - I do not see that
Oh I see it on 21.05.1 but not my test 2.5.2 box..
But only in the nat, not firewall rules..
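Since the GUI list can hide the subnet, the thread's question is best settled against the saved config itself. The following is an added example, not code from the thread or from pfSense: it parses a constructed config.xml fragment (the `<nat><rule><destination><address>` layout is an assumption), lists every port forward's destination prefix length, flags the /31 ones, and diffs two config revisions the way the config history should.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml fragment. Assumed layout: port
# forwards under <nat><rule>, each with <destination><address>host-or-CIDR</address>.
# Not a real config: "ntp" carries the /31 the thread describes, the others are hosts.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><protocol>tcp/udp</protocol><descr>dns</descr>
    <destination><address>203.0.113.10</address><port>53</port></destination>
    <target>192.0.2.10</target></rule>
  <rule><protocol>tcp/udp</protocol><descr>ntp</descr>
    <destination><address>203.0.113.11/31</address><port>123</port></destination>
    <target>192.0.2.11</target></rule>
  <rule><protocol>tcp</protocol><descr>web</descr>
    <destination><address>203.0.113.12</address><port>443</port></destination>
    <target>192.0.2.12</target></rule>
</nat></pfsense>"""


def nat_destinations(config_xml):
    """Return (descr, protocol, address, prefixlen) per <nat><rule>.
    A bare host address counts as /32; a CIDR keeps its own length."""
    rows = []
    for rule in ET.fromstring(config_xml).iterfind("./nat/rule"):
        addr = rule.findtext("./destination/address")
        if addr is None:  # interface keyword destinations carry no subnet
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:  # e.g. an alias name; nothing to inspect
            continue
        rows.append((rule.findtext("descr", ""), rule.findtext("protocol", ""),
                     addr, net.prefixlen))
    return rows


def suspicious_31(config_xml):
    """Port forwards whose destination became a /31: the symptom in the thread."""
    return [r for r in nat_destinations(config_xml) if r[3] == 31]


def changed_destinations(old_xml, new_xml):
    """Rules (keyed by descr) whose destination differs between two config
    revisions, i.e. what the config-history diff should also show."""
    old = {r[0]: r[2] for r in nat_destinations(old_xml)}
    new = {r[0]: r[2] for r in nat_destinations(new_xml)}
    return {d: (old.get(d), new.get(d)) for d in old.keys() | new.keys()
            if old.get(d) != new.get(d)}
```

Run it against a config backup taken before and after the protocol edit; if `changed_destinations` is empty while the GUI shows /31, the problem is display-side rather than in the stored rules.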