NAT redirect rules don't respect interface selection and instead rely solely on source address #7952
Describe the bug
I have a couple of internet NAT redirect rules, specifically to enforce my pihole DNS for my IOT devices, since Google Homes hardcode Google DNS. I noticed that despite only wanting to enforce it on the IOT network, it was being enforced on all networks, despite selecting the interface as "IOT".
Turns out, this was due to the fact that source was set to "ANY". So it appears that NAT redirects, if source is ANY, completely ignore the set interface and match all traffic with that rule. This has firewall implications because it can inadvertently allow certain devices on an interface to bypass a firewall rule on that interface due to the unintended redirect. It also makes it impossible to create a single redirect rule that applies to multiple interfaces without creating an interface group.
To Reproduce
Steps to reproduce the behavior (note: using DNS redirect for ease of testing):
3a. Result: DNS still goes through
5a. Result: DNS blocked properly
Expected behavior
3a. Result: DNS blocked properly due to NAT redirect rule only applying to interface A
5a. Result: DNS blocked properly.
Describe alternatives you considered
Using interface net as the source, but as mentioned before, this is not ideal since it forces you to create interface groups.
Screenshots
NAT redirect rule for pihole:
Log live view RDR:
DMZ firewall rules. Second rule doesn't apply even though it should since the redirect shouldn't be redirecting DMZ network traffic:
Environment
OPNsense 24.7.5_3-amd64
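Added example (not part of the issue and not OPNsense or pf code): before filing or debugging a report like this one, it helps to look at what pf actually loaded rather than at the GUI rule. The script below parses the `rdr` lines of `pfctl -sn` output, flags redirect rules for port 53 that carry no `on <interface>` clause (pf then matches them on every interface) or a source of `any`, and prints the same rule with the source pinned to the interface's network, which is the workaround the reporter mentions. The sample lines, the interface name `igb2`, the IOT network `192.168.20.0/24` and the pihole address `192.168.1.53` are all constructed assumptions; the rule grammar follows pf's `rdr` syntax as printed by `pfctl`.

```python
"""Audit pf rdr rules (as printed by `pfctl -sn`) for DNS redirects that are
not bound to one interface or that match any source. Example code only."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed sample of `pfctl -sn` output; interfaces and addresses are
# assumptions for this example, not values taken from the report.
SAMPLE_PFCTL_SN = """\
rdr pass on igb2 inet proto udp from any to any port = domain -> 192.168.1.53 port 53
rdr pass on igb2 inet proto tcp from any to any port = domain -> 192.168.1.53 port 53
rdr pass inet proto udp from any to any port = domain -> 192.168.1.53 port 53
rdr pass on igb2 inet proto udp from 192.168.20.0/24 to any port = domain -> 192.168.1.53 port 53
nat on igb0 inet from 192.168.0.0/16 to any -> (igb0:0) port 1024:65535
"""

# One pf rdr rule as pfctl prints it: "rdr [pass] [on IF] [inet|inet6]
# [proto P] from SRC to DST [port = DPORT] -> TARGET [port TPORT]".
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<af>inet6?))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+=\s+(?P<dport>\S+))?"
    r"\s+->\s+(?P<target>\S+)"
    r"(?:\s+port\s+(?P<tport>\S+))?\s*$"
)

DNS_PORTS = {"53", "domain"}  # pfctl prints well-known ports by service name


@dataclass(frozen=True)
class RdrRule:
    iface: Optional[str]
    af: Optional[str]
    proto: Optional[str]
    src: str
    dst: str
    dport: Optional[str]
    target: str
    tport: Optional[str]


def parse_rdr(line: str) -> Optional[RdrRule]:
    """Return the parsed rdr rule, or None for non-rdr lines (nat, binat, ...)."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    return RdrRule(m["iface"], m["af"], m["proto"], m["src"], m["dst"],
                   m["dport"], m["target"], m["tport"])


def render(rule: RdrRule) -> str:
    """Render the rule back in pf.conf syntax (no '=' before the port)."""
    parts = ["rdr pass"]
    if rule.iface:
        parts += ["on", rule.iface]
    if rule.af:
        parts.append(rule.af)
    if rule.proto:
        parts += ["proto", rule.proto]
    parts += ["from", rule.src, "to", rule.dst]
    if rule.dport:
        parts += ["port", rule.dport]
    parts += ["->", rule.target]
    if rule.tport:
        parts += ["port", rule.tport]
    return " ".join(parts)


def audit(pfctl_output: str, expected_iface: str, iface_net: str) -> List[str]:
    """Report DNS redirects that are unbound, bound elsewhere, or match any source."""
    findings: List[str] = []
    for n, line in enumerate(pfctl_output.splitlines(), 1):
        r = parse_rdr(line)
        if r is None or r.dport not in DNS_PORTS:
            continue
        if r.iface is None:
            findings.append(f"line {n}: no 'on <if>' clause, pf applies it on every interface")
        elif r.iface != expected_iface:
            findings.append(f"line {n}: bound to {r.iface}, expected {expected_iface}")
        if r.src == "any":
            pinned = render(replace(r, iface=expected_iface, src=iface_net))
            findings.append(f"line {n}: source is any; pin it to the interface network: {pinned}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PFCTL_SN, "igb2", "192.168.20.0/24"):
        print(finding)
```

On a live box, feed it `pfctl -sn` output instead of the sample: if the loaded rule for the IOT redirect lacks the `on` clause, the interface selection was dropped before it reached pf; if the clause is present, pf itself should only match that interface and the problem is elsewhere in the generated ruleset, which is the distinction worth confirming before concluding the interface is ignored.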