Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"WAN address" in port forwarding includes VIP addressess. #2457

Closed
MaartenJB opened this issue Jun 11, 2018 · 11 comments
Closed

"WAN address" in port forwarding includes VIP addressess. #2457

MaartenJB opened this issue Jun 11, 2018 · 11 comments
Labels
upstream Third party issue

Comments

@MaartenJB
Copy link

Hi,

If I use "WAN address" when creating a Port forward, it forwards the port on the "WAN address" AND all VIP's on that interface. If you want to only forward to the WAN IP you need to create an extra VIP alias containing the WAN IP.

Best regards,

Maarten

OPNsense 18.1.9-amd64
FreeBSD 11.1-RELEASE-p10
OpenSSL 1.0.2o 27 Mar 2018
@AdSchellevis
Copy link
Member

Could probably be fixed like d823cc7 "interface address" converts to "interface" now where it could be "interface:0".

@AdSchellevis AdSchellevis self-assigned this Jun 11, 2018
AdSchellevis added a commit that referenced this issue Jun 11, 2018
@AdSchellevis
change rule "interface address" parsing to use "interface:0" in stead…
2408d6a 
… of "interface", for #2457
@AdSchellevis
Copy link
Member

@fichtner we probably shouldn't add this in a minor release, there are some side affects people might not expect, such as:

  • Anti lockout rule not being applied to the VIPs
  • Current firewall rules to "Interface address" won't match on VIPs

What do you think?

@fichtner
Copy link
Member

Easy enough to apply via patch, let's keep this away from 18.1.x and make it the default again in 18.7 👍

@fichtner fichtner added the feature Adding new functionality label Jun 23, 2018
@fichtner fichtner added this to the 18.7 milestone Jun 23, 2018
AdSchellevis added a commit to OPNids/core that referenced this issue Jul 4, 2018
@AdSchellevis
change rule "interface address" parsing to use "interface:0" in stead…
d508804 
… of "interface", for opnsense/core#2457
fichtner added a commit that referenced this issue Jul 20, 2018
@fichtner
Revert "change rule "interface address" parsing to use "interface:0" …
fb9a58b 
…in stead of "interface", for #2457"

This reverts commit 2408d6a.

(cherry picked from commit b09363f)
fichtner added a commit that referenced this issue Jul 20, 2018
@fichtner
Revert "change rule "interface address" parsing to use "interface:0" …
b09363f 
…in stead of "interface", for #2457"

This reverts commit 2408d6a.
@fichtner fichtner modified the milestones: 18.7, 19.1 Jul 20, 2018
@fichtner
Copy link
Member

Decided to revert, need to solve this another way as :0 interferes with IPv6 connectivity.

@fichtner fichtner reopened this Jul 20, 2018
@fichtner fichtner modified the milestones: 19.1, 19.7 Dec 30, 2018
@andrewhotlab
Copy link

It would be very nice to have a fix to this: a customer of us just noticed this problem and asked for a solution. In the mean time, we trained them to always put the primary IP address of the WAN interface in the rule, but actually this might not be always feasible: for example, when the WAN is configured as PPPoE or DHCP client.

Thanks for your efforts!

@fichtner
Copy link
Member

fichtner commented Jul 1, 2019

@AdSchellevis keep or close?

@AdSchellevis
Copy link
Member

@fichtner let's close it, if at some point in time :0 starts working like it should, we can always reopen.

@fichtner fichtner removed the feature Adding new functionality label Jul 1, 2019
@fichtner fichtner removed this from the 19.7 milestone Jul 1, 2019
@fichtner fichtner added the upstream Third party issue label Jul 1, 2019
@MaartenJB
Copy link
Author

Why would you close an issue which is not fixed yet? Doesn't make sense to me.

@fichtner
Copy link
Member

fichtner commented Jul 1, 2019

There's no easy way out here and the first attempt to correct this was problematic within pf(4) code. Now not enough community feedback to work with. We close it according to our contribution rules.

https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

@fichtner
Copy link
Member

fichtner commented Dec 1, 2021

The revert decision in question is about lax handling of :0 in IPv6. We did add a patch eventually via https://github.com/opnsense/changelog/blob/da9944d43c1fe4466cab2e624727b1ad5f256ca9/community/20.7/20.7.2#L43 but since there are possibilities for primary address to be link-local only on an IPv6 WAN the use of :0 will silently fail.

The best way is likely to add another shortcut that supports single GUA support as an alternative here and leave the existing one as is maybe minus a tweak of the current label.

@hatclub
Copy link

hatclub commented Sep 26, 2024
edited
Loading

Having just apparently trodden on this rake, could the incorrect wording of "WAN address" in the NAT rule builder at least be replaced with something clearly indicating "All IPs bound to WAN interface" (which, honestly, I do not think many people will see as the expected/desirable behaviour)?

We do not see this behaviour in another pf-based firewall, so I am interested in how this problem would be unresolvable for opnsense.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
upstream Third party issue
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fichtner @hatclub @AdSchellevis @MaartenJB @andrewhotlab