New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
no translation address with matching address family found. #2841
Comments
Are you sure this is correct? traffic from pppoe0 is natted over pppoe0 ? what is the corresponding GUI outbound rule? Also, it is probably a reboot issue. pppoe0 should have an IP address later and the message should no longer appear. Is that correct? PS: Probably related to #2837 |
I deleted ad recreated the rule. Now I get another alert, one about the rule that is now in line 53: opnsense: /usr/local/etc/rc.newwanipv6: New alert found: There were error(s) loading the rules: /tmp/rules.debug:53: no translation address with matching address family found. - The line in question reads [53]: nat on pppoe0 inet proto tcp from (pppoe0:network) to $freya -> pppoe0 port 1024:65535 # xxx |
The outbound rule is the one I posted in the other bug #2837 (comment) - it is probably wrong because I cannot select WAN for the NAT and have to use "Interface address", whatever that is. The NAT rule in example I is If=WAN, Proto=UDP, SrcAddress=*, SrcPorts=*, DstAddress=WAN address, DstPorts=VoIP(alias), NATIP=fon, NATPorts=VoIP(alias) |
Are you using the patch that @AdSchellevis wrote for you or is this a stock 18.7.x configuration? |
PS: WAN on from / to is not correct most likely. You want the translation target from WAN, but not what you translate as that is transit traffic from e.g. a LAN to the Internet. |
The patch only lets me select the special networks ("LAN networks") inside the source address. I don't think this is the problem, as I only use the 192.168.178.0/24 net atm so I just added this to the rule. The patch still does not change the problem about being able to select another NAT target as in the automatic rule. |
You mean WAN is incorrect as "Translation / Target" and "Interface address" is actually correct? That may very well be the case, as it seems to work fine. However, the automatic rule shows "WAN": EDIT: compare the different entries under "NAT Address". |
No, incorrect as source / destination. source: #2841 (comment) Now your screenshot looks sane. |
The screenshot below shows the outbound NAT. The rules with with WAN as destination, which are the rules this issue is about, are port-forwarding rules: Not sure if issue #2837 is connected to this, if the "NAT address"="Interface address" there is actutally fine. |
I'm unsure how to help you as I'm not able to follow. What's not working as expected? |
Sorry, I guess we got side-tracked after you mentioned issue #2837 in your first comment. This issue is about the "no translation address with matching address family found" alert I get. The error seems to be directly related to the port-forwarding rules, not the outbound rules. Below you will find all rules related to the Nextcloud forwarding rule shown in the screenshot above: rdr on pppoe0 inet proto tcp from {any} to {(pppoe0)} port $WWW -> $freya # Nextcloud access I got a similar set of rules for the VoIP forwarding. The alert is shown only for Nextcloud or VoIP, depending on which comes first. It happens on boot (see initial post) or when renewing IP (see my first follow up). I have not seen these errors before yesterday's update to 18.7.6 and also have not noticed a loss of functionality since. Still I would like to get rid of the alert. |
I have the same issue, it seems to always be the first rule in the list. Had it since 18.7.something and it's still in 19.1. Everything works, just outputs this on every reboot. |
FWIW I also still get this after a reboot but also after the WAN connection is lost and reconnects. |
Still happening? |
Haven't tested 19.1.5, but it's still present in 19.1.4_1 |
Yes, still happens with 19.1.5 https://forum.opnsense.org/index.php?topic=12412 |
@AdSchellevis can we avoid writing rules with targets that have empty addresses in the respective family (probably only relevant for IPv4)? Feel free to take this, you'd know better why and how. |
@fichtner I thought we already had something like that, but looking at the issue again, I'm doubting. I'll look into it |
…ix for #2841 This might have side affects, stupid thing is that in some situations :network doesn't appear to yield this error (e.g. openvpn:network), although I'm also not 100% it does work when not raising any errors. Now we validate if there's a matching address for the ip protocol requested, otherwise it will disable the rule (and log in the /tmp/rules.debug file about it)
reverted 971df3c , the issue looks related to the nat reflection rules (which should already check for an address of the requested protocol family). core/src/opnsense/mvc/app/library/OPNsense/Firewall/DNatRule.php Lines 129 to 148 in 50e323d
core/src/opnsense/mvc/app/library/OPNsense/Firewall/ForwardRule.php Lines 142 to 171 in d8f23d5
Can anyone with the issue try to disable "Automatic outbound NAT for Reflection" in Firewall->Advanced and test again? As far as I can see that's these are the only areas in the code generating a rule with as target an interface. |
No message after a reboot with that option OFF. I don't remember why I set it in the first place but I will probably find out sooner or later... |
I've disabled it on mine and will see how it goes |
@Taomyn any results to share? :) |
I haven't seen the message since and so far no ill-effects. |
@AdSchellevis do we need another safeguard or close as is? |
close, as far as I know, we can't solve this from user space |
I still see it on 19.1.7. But, I didn't disable automatic rules. Don't know what they do so maybe I break something (yes, lack of documentation on my part). I'm sure I put them there for a reason some time back in the days. |
…ix for opnsense#2841 This might have side affects, stupid thing is that in some situations :network doesn't appear to yield this error (e.g. openvpn:network), although I'm also not 100% it does work when not raising any errors. Now we validate if there's a matching address for the ip protocol requested, otherwise it will disable the rule (and log in the /tmp/rules.debug file about it)
…found" fix for opnsense#2841" This reverts commit 971df3c.
…ix for opnsense#2841 This might have side affects, stupid thing is that in some situations :network doesn't appear to yield this error (e.g. openvpn:network), although I'm also not 100% it does work when not raising any errors. Now we validate if there's a matching address for the ip protocol requested, otherwise it will disable the rule (and log in the /tmp/rules.debug file about it)
…found" fix for opnsense#2841" This reverts commit 971df3c.
If anyone's interested, this still occurs in 20.7 when automatic rules are enabled. |
Yeah, same here. Annoying actually. :/ |
… family found." (#2841). It seems that our nat/interface targets mis braces, which requires addresses to be available on load.
Sorry, I can't find the proper line. This is what I've got:
|
Just run this...
|
Done, now let's wait and see. |
Same here. When I logged in I had 5 of those messages pending. Is there any way to see those in their entirety without copying and pasting them somewhere else? That's what I had to do to see that they were from two days ago - May 2. |
There's nothing more than these messages. You have NAT rules that require a target address, but it is not available while the rules are reloading for "reasons" in your network. Try the patch to see if it works. |
@fichtner Good news! The fix seems to work! :D Please add it in the next maintenance release. Thanks! |
@fichtner I did load the patch (hence "same here") and I understand what the messages say (though it's still beyond me why they're appearing - I see no "reasons" since the target addresses are there). My question is how one might read the entire messages instead of just the tail end of them. When the date/time stamp is somewhere off to the left where I can't see it, it's difficult to judge how often they appear. Since the previous ones were two days old, I'm not yet certain that I won't see more, given that only one day has elapsed since the patch was applied. I'll check back again. |
Sorry, I don't understand what that means to me. But I thought I'd stop in to let you know that I still have no further messages popping up today. I guess the fix worked. |
We won't add this in the next maintenance release without a proper testing iteration on the development version. So maybe 20.1.8, maybe later. |
After updating to 18.7.6 I get the followin alert:
opnsense: /usr/local/etc/rc.bootup: New alert found: There were error(s) loading the rules: /tmp/rules.debug:53: no translation address with matching address family found. - The line in question reads [53]: nat on pppoe0 inet proto udp from (pppoe0:network) to $fon -> pppoe0 port 1024:65535 # Fritz!Box VoIP
The text was updated successfully, but these errors were encountered: