Upgraded to 2.0.2 - outbound NAT rule disappearing randomly
-
Hi,
We have two outbound NAT rules. One references the firewall public IP as the NAT address, the other references a IP alias on the public interface.
Randomly the outbound NAT referencing the IP alias will vanish from the WebGUI after working fine for a few days. The end result is the network range served by the NAT rule loose outbound access until the rule is re-added.
We are running manual outbound rule generation. Below are the two rules, it's the 2nd one that will completely be removed randomly.
This did not occur under 2.0.1 and many many months of the same config running fine.
WAN 192.168.xx.xx/24 * * * * * NO
WAN any * * * 74.xxx.yyy.zzz * NOSorry just realized this should probably be in the NAT forum and not here - can a mod move it?
-
I am running outbound NAT here as well and no issues as of yet.
Been running for 10 days right now without problems other than SNORT.
-
I am running outbound NAT here as well and no issues as of yet.
Been running for 10 days right now without problems other than SNORT.
Thanks, are you running pfBlocker by chance? That is the only package add on we have active.
-
Yes i do, and its running and blocking as it should.
Snort makes my last hair dissappear…. :D
I did a clean install, so no upgrade. Try that and see if it works better.
-
Go to Diag>Backup/restore, Config history tab. There you'll see what user and IP logged in and deleted your outbound NAT rule. :) Seriously, nothing in our code touches outbound NAT, and nothing at all related to that changed in 2.0.2. It's hard to believe how many times I've run into "X config just keeps disappearing and we aren't touching it, why is my firewall broken!!" with customers, when the config history proves some other person there kept logging in and deleting it.
Reinstalling would be a waste of time regardless.
-
@cmb:
Go to Diag>Backup/restore, Config history tab. There you'll see what user and IP logged in and deleted your outbound NAT rule. :) Seriously, nothing in our code touches outbound NAT, and nothing at all related to that changed in 2.0.2. It's hard to believe how many times I've run into "X config just keeps disappearing and we aren't touching it, why is my firewall broken!!" with customers, when the config history proves some other person there kept logging in and deleting it.
Reinstalling would be a waste of time regardless.
Actually it looks like this is only occurring on the backup system, and it's caused by the XMLRPC synch. On the master we have a 2nd NAT outbound rule that is set to not sync, but it seems like the sync is still wiping out the 2nd rule on the backup.
firing up a pair of 2.0.1 vm's with the same config and we dont get the problem.
Perhaps the "do not sync" rule is being ignored in 2.0.2?
-
Is "do not sync" checked on the rule for both master and slave?
Why do you have different NAT rules on the master and slave?
-
Is "do not sync" checked on the rule for both master and slave?
Why do you have different NAT rules on the master and slave?
Yes, "do not sync" is checked on the outbound rule on master and slave.
We are dealing with 2 public address spaces so each pfsense has a interface with a public IP in one of the public address spaces, and a IP alias in the 2nd public space.
For our legacy traffic to go out on the ip alias public ip's we have a 2nd NAT rule that specifies the IP alias as the NAT address. For this reason the master and slave each have a separate rule for this.
-
Did some more testing.
If NAT sync is turned on in XMLRPC Sync config the outbound NAT's are synced and any extra rules on the backup, even if the "do not sync" checkbox is set on it, is removed. If the "do not sync" is set on the master for a outbound rule that rule is not synced, but any additional rules not on the master are removed from the backup.
If I turn off NAT sync in the XMLRPC Sync config we dont get the outbound rules being wiped out on the backup. Obviously we loose the 1:1 and other NAT rules being synced as well.
In 2.0.2 perhaps the NAT sync is not evaluating the "do not sync" explicit rule on the backup before removing rules?