authorErik Fonnesbeck <efonnes@gmail.com>2012-02-04 01:06:51 -0700
committerErik Fonnesbeck <efonnes@gmail.com>2012-02-04 01:07:51 -0700
commitbf443dfe8431df0f63dee50ec48104befa2d406a (patch)
tree13e2b47ce2f7b897d3f611cb7beb19f22df51d4f /etc
parent459bb026f6a8339c16434ba95c84c66f730bf2fe (diff)
downloadpfsense-bf443dfe8431df0f63dee50ec48104befa2d406a.zip
pfsense-bf443dfe8431df0f63dee50ec48104befa2d406a.tar.gz
Use the specific IP for NAT IP in filter_generate_reflection_nat to prevent a condition with multiple subnets on the same interface where replies get sent to the wrong IP.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc23
1 files changed, 20 insertions, 3 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index f9c443b..1e60595 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -928,7 +928,7 @@ function filter_get_reflection_interfaces($natif = "") {
}
function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protocol, $target, $target_ip, $target_subnet = "") {
- global $config;
+ global $config, $FilterIflist;
if(!isset($config['system']['enablenatreflectionhelper']))
return "";
@@ -968,8 +968,25 @@ function filter_generate_reflection_nat($rule, &$route_table, $nat_ifs, $protoco
$subnet_split = explode("/", $subnet);
$subnet_if = $fields[6];
if(in_array($subnet_if, $nat_ifs) && check_subnets_overlap($target_ip, $target_subnet, $subnet_split[0], $subnet_split[1])) {
- $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
- $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$subnet_if}{$static_port}\n";
+ $ifsubnet_ip = "";
+ foreach ($FilterIflist as $ifent => $ifname) {
+ if(ip_in_subnet($ifname['ip'], $subnet) && $ifname['if'] == $subnet_if) {
+ $ifsubnet_ip = $ifname['ip'];
+ break;
+ }
+ }
+ if(empty($ifsubnet_ip)) {
+ foreach(get_configured_ip_aliases_list() as $subnet_ip => $ifent) {
+ if(ip_in_subnet($subnet_ip, $subnet) && $FilterIflist[$ifent]['if'] == $subnet_if) {
+ $ifsubnet_ip = $subnet_ip;
+ break;
+ }
+ }
+ }
+ if(!empty($ifsubnet_ip)) {
+ $natrules .= "no nat on {$subnet_if}{$protocol_text} from {$subnet_if} to {$target}\n";
+ $natrules .= "nat on {$subnet_if}{$protocol_text} from {$subnet} to {$target} -> {$ifsubnet_ip}{$static_port}\n";
+ }
}
}
}
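Review bot: The alias loop reads `$FilterIflist[$ifent]['if']` without checking that `$ifent` is a key of `$FilterIflist`, so an IP alias attached to an interface missing from that list produces a PHP notice and a null comparison rather than a clean skip; guard it as `if(isset($FilterIflist[$ifent]['if']) && ip_in_subnet($subnet_ip, $subnet) && $FilterIflist[$ifent]['if'] == $subnet_if) {`. The same applies to `$ifname['ip']` in the first loop, which is presumably absent for interfaces with no IPv4 address — confirm how `$FilterIflist` is populated. The new `if(!empty($ifsubnet_ip))` also changes behaviour: before, the `no nat`/`nat` pair was always emitted with `{$subnet_if}` as the translation address, whereas now an overlapping subnet for which no interface or alias IP is found silently gets no reflection rule at all, which is hard to diagnose from the generated ruleset; an `else` branch with `log_error("No IP found on {$subnet_if} in {$subnet} for NAT reflection; rule skipped");` would make the degradation visible. The enclosing function filter_generate_reflection_nat starts outside this hunk.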