api call bug:

[ouyoung33]

Discussed in #531

^{Originally posted by ouyoung33 August 5, 2024}
api call bug: When I manually create dnat,Nat will default "filter rule association" to "rule nat" to implement forwarding and connect to my internal machine; But when I create a dnat rule using the api, the "filter rule association" is "pass" but no forwarding is actually implemented, and I can't connect to my internal machine through dnat

[lechuhuuha]

Hi
this question has been asked and its in this issues #275

its has been implemented in the branch minor_patch

you can follow the issues above
thanks

[ouyoung33]

Hello, the scenario we are using now is as follows: using zerotrust to give the user portal access to the server, the api will be called before accessing the server to create a rule with a validity period; Our implementation is based on v1. At present, more users rely on this scheme. During operation and maintenance, there is no way to manually change the port-forward rule through the GUI
Therefore, I would like to ask if this requirement /Bug can be modified in v1, and when will the version be released? Or whether other command lines can be used to change the port forward

[lechuhuuha]

Hello, the scenario we are using now is as follows: using zerotrust to give the user portal access to the server, the api will be called before accessing the server to create a rule with a validity period; Our implementation is based on v1. At present, more users rely on this scheme. During operation and maintenance, there is no way to manually change the port-forward rule through the GUI Therefore, I would like to ask if this requirement /Bug can be modified in v1, and when will the version be released? Or whether other command lines can be used to change the port forward

Hi thanks for the reply
But the version we talking about that support create rule with port forward will not be release soon

You need to fork your own version of pfsense api implement its then install its on a freebsd vps
There is a doc for install your own version of pfsense api
https://pfrest.org/CONTRIBUTING/#building-the-package-from-source

Best regards.

[ouyoung33]

In which branch can we provide the code to fix this function? Is it v1 or v2

[jaredhendrickson13]

Just so I know we're on the same page here, for the filter rule association there are 3 types that behave slightly differently:

• Associated: Creates a new firewall rule objects automatically based off the criteria defined in the port forward rule to pass matching traffic. As @lechuhuuha mentioned, the ability to add an associated firewall rule is implemented in the next_minor branch and will be available in v2.1.0 which should be released later this month. This only applies to v2 however.
• Unassociated (none): Traffic matching the port forward is not automatically passed and you must create the firewall rule to pass the traffic yourself. This is already present in v2, but not v1.
• Pass: Traffic matching the port forward is automatically passed without the need for a separate firewall rule. This is available in v2 and is the only supported option for v1. This should be sufficient in most cases unless you have a multi-WAN setup.

For v1, the associated rule feature will not be implemented as v1 is missing the object relation mechanisms necessary and would require a good amount of custom logic to implement properly. However, I am open to allowing v1 to use an unassociated rule for multi-WAN setups if that is sufficient for you.

[ouyoung33]

Thank you for your reply. We have another situation:when the rule is first set, the default is pass, which is not connected to our server at that time, and wait for a night and the next day it can take effect and connect to our server

[jaredhendrickson13]

Are you making a POST request to /api/v1/firewall/apply after your rules/port forwards are set? They aren't applied on the backend immediately by default to prevent restarting services multiple times.

You can also double check that your rule has been applied afterwards by running cat /tmp/rules.debug from the command line. The port forwards utilizing pass will appear starting with rdr pass, you should see one matching the criteria set in your port forward.