Using Port-Aliases in NAT Rules
as I'm no native speaker, I may humbly apologize if sometimes my posts may sound a bit strange ;)
I'm used to building firewall systems on OpenBSD now for about 5 years and so have gone through IPF rules and seen the beginning of PF with 3.0. I was curious as hell about a fork of m0n0 with PF onboard and - wow - you did great work alltogether. Intro be fine, I searched forums but didn't come across my problem.
As said I'm quite used to PF as I've seen it develop since its first show-up in OpenBSD 3.0. So I'm also a bit of a extreme-user when it comes to aliases, but that keeps my rules nice and fuzzy ;) Anyway, as I entered a few rules and NAT transitions into pfSense it worked like charme until I started using aliases for ports. A minor problem is the post-editing of aliases that have multiple ports in it. So if you create an alias for about 3 ports and switch the pulldown-menu to "Port(s)", the field for the bitmask is greyed out. Nice, but if you hit the "+" for more ports, the new row shows up with an enabled bitmask-field. So you create your alias with 3 ports, save it and have to edit it again, so you can choose the empty field entry in the bitmask field for the other 2 entries (second and third, the first is - as mentioned - saved correctly with disabled bitmask field, the others show sth. like 8080/32). So it would be either nice, if the "Port(s)" selection would also affect new rows, or if these new rows' bitmask selection had an empty field like it has, if you hit "edit" afterwards.
That being the minor problem, the bigger one is, that a NAT rule, created with only using aliases isn't handled correctly. So to speak, it's simply ignored. Why it does so isn't sure, but I tested a bit to ack this. First try was a NAT rule from a Port Alias "PortsVoIP" (consisting of only a single port number) to the WAN IFs adress NATted to the internal network Host Alias "ServVoIP" (a single IP adress) and again the Port Alias "PortsVoIP". This is an absolutely normal rule for my normal setup on OBSD, but won't run here. As I tested a bit it seems that the "Rules" part of pfSense isn't affected by that problem, both aliases work fine here (rule with activated logging worked fine). But my entered NAT rule wouldn't work until I changed both Port Aliases to the respective port number (I think it was 5060). Then after saving and reloading the filters via the webGUI, the rule worked as intended. When I edited it again and wrote "PortsVoIP" instead of simply 5060, it wouldn't work again - so it has to be the alias. Oh and it was auto-completed, so I don't think it was simply misspelled.
Would seem not much of a problem to many - but as said, I like creating rules based almost completely on aliases. In the past that saved me many hours, if a customer changed an IP or port in his network.
So long I hope this may help in getting this bug out for 1.0rel.
Please try http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT_04-03-2006/ . Some of the issues should already be fixed. Please report back if problems are left with the latest snapshot.
I think the first bug (adding alias ports) has been fixed for a while - you didn't mention what version you ran. The second issue may be a previously unknown bug - can you make sure you're on the latest snapshot (http://www.pfsense.org/~sullrich) and try to replicate, then create a ticket on cvstrac.pfsense.org if it's still an issue? Thanks
Forgot to mention beta-2. But I've already downloaded the latest snap
and will test it tomorrow at first :)