| Summary: | firewall: NAT rules for RED are applied to IPsec tunnels | ||
|---|---|---|---|
| Product: | IPFire | Reporter: | Michael Tremer <michael.tremer> |
| Component: | --- | Assignee: | Stefan Schantl <stefan.schantl> |
| Status: | CLOSED FIXED | QA Contact: | Alexander Marx <alexander.marx> |
| Severity: | Crash | ||
| Priority: | Will only affect a few users | CC: | peter.mueller, stefan.schantl |
| Version: | 2 | ||
| Hardware: | unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 12278 | ||
| Attachments: | Screenshot of the rule | ||
|
Description
Michael Tremer
2019-09-05 14:35:17 UTC
Can you please give me a detailed configuration of the rule? If i use SNAT i am only able to assign RED ORANGE or GREEN as Source address. Created attachment 705 [details]
Screenshot of the rule
Is this screenshot okay?
The particular problem here is that the SNAT rule will match when a packet is being sent from zeiterfassung01.haj.lightningwirelabs.com to a host on an IPsec network.
The NAT rule will apply and change the source IP address of the packet which should NOT happen for the VPN. Hence the packet cannot be routed properly and the connection is never being established.
Disabling the rule allows that the host can talk to all hosts on the VPN networks.
*** Bug 11937 has been marked as a duplicate of this bug. *** Patch has been sent to the development mailing list: https://patchwork.ipfire.org/patch/2799/ This will be shipped with Core Update 143 although the release notes do not mention it. https://blog.ipfire.org/post/ipfire-2-25-core-update-143-is-available-for-testing |