03-24-2016 12:25 PM
Well, this is ridiculous. After playing with NAT rules again, I'm right back to the same error. It doesn't inspire confidence that I have to reboot in order to clear this error.
03-24-2016 12:38 PM
Can you recall the steps you went through to reproduce the issue?
Also can you send the output of
sudo iptables-save -c -t nat
and the output of:
configure show service nat exit
03-24-2016 01:09 PM
So I've already rebooted to flush it out. With regard to the iptables-save, the NAT rule didn't show up there after the issue occurred.
For the steps, I don't have good ones for you. I was (rapidly) jumping between sNAT and dNAT and a few times the WAN_IN firewall ruleset as well as port forwarding rules, which have auto-firewall rules enabled.
I'm trying to get NAT working pointing to a load balancer where the return traffic will come from one or two IPs, and I don't really quite get how to do it properly, so there's that.
03-24-2016 01:42 PM
Are you trying to do multiple changes at the same time (start to modify dnat, then add snat and save, then go back and save snat)?
07-24-2016 08:17 AM
I ran into this same issue today also. What I did was create all my NAT rules, hitting save after each new NAT rule I created. Then I went to reorder my DNATs as they were not in the order I wanted them. Then I hit save rule order and got this error. Afterwards I tried to move just one rule at a time, but at this point the error would keep popping up. Lastly I found that I had selected TCP only when I needed TCP/UDP, and still got this error. I googled this error and ran across this post. I did a reboot also and the issue went away.
08-01-2016 07:53 AM
Same problem on 1.8.5
Looks like a validation problem in CLI (not tested in gui)
- Create a nat rule, i.e.:
set service nat rule 100 type destination
set service nat rule 100 description LAB
set service nat rule 100 destination port 1234
set service nat rule 100 inbound-interface eth0
set service nat rule 100 inside-address address 10.10.10.10
set service nat rule 100 inside-address port 1234
set service nat rule 100 log enable
set service nat rule 100 protocol tcp
set service nat rule 100 source group address-group hostIPv4_test
- Delete the previous nat rule
delete service nat rule 100
- and create a new one, in error (no type here), i.e.:
set service nat rule 101 description LAB
set service nat rule 101 destination port 1234
set service nat rule 101 inbound-interface eth0
set service nat rule 101 inside-address address 10.10.10.10
set service nat rule 101 inside-address port 1234
set service nat rule 101 log enable
set service nat rule 101 protocol tcp
set service nat rule 101 source group address-group hostIPv4_test
- CLI warn about missing type: NAT configuration error: rule type not specified/valid
- Correct the error
set service nat rule 101 type destination
iptables: Index of deletion too big.
The error came at point 5: despite the validation problem, rule 100 was deleted from iptables, but not from the config.
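The failure mode fenrir describes is a desync between the two views the moderator asked for earlier in the thread: the rule still exists in the EdgeOS config, but its iptables counterpart is gone, so the next commit tries to delete an index that no longer exists. The script below is an added example (not code from the thread or from EdgeOS) that compares the two outputs and reports rule numbers present on one side but not the other. It assumes the VyOS/EdgeOS convention of tagging generated NAT rules with an iptables comment of the form `DST-NAT-<n>` / `SRC-NAT-<n>`; both sample outputs are constructed to mimic `configure show service nat exit` and `sudo iptables-save -c -t nat`, and the `--log-prefix` text is made up.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample: what `configure show service nat exit` might print after
# fenrir's steps. Rule 100 is still in the config; rule 102 has no type yet.
CONFIG_SHOW = """\
 rule 100 {
     description LAB
     destination {
         port 1234
     }
     inbound-interface eth0
     inside-address {
         address 10.10.10.10
         port 1234
     }
     log enable
     protocol tcp
     type destination
 }
 rule 101 {
     description LAB
     destination {
         port 1234
     }
     inbound-interface eth0
     inside-address {
         address 10.10.10.10
         port 1234
     }
     protocol tcp
     type destination
 }
 rule 102 {
     description LAB-no-type
     destination {
         port 2345
     }
     inbound-interface eth0
 }
"""

# Constructed sample: `sudo iptables-save -c -t nat` with rule 100 already gone,
# a LOG rule sharing rule 101's comment, and a stale rule 200 with no config.
IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[3:180] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1234 -m comment --comment "DST-NAT-101" -j LOG --log-prefix "[DNAT-101] "
[3:180] -A PREROUTING -i eth0 -p tcp -m tcp --dport 1234 -m comment --comment DST-NAT-101 -j DNAT --to-destination 10.10.10.10:1234
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -m comment --comment "DST-NAT-200" -j DNAT --to-destination 10.10.10.20:80
COMMIT
"""

RULE_RE = re.compile(r"^rule (\d+) \{$")
TYPE_RE = re.compile(r"^type (source|destination|masquerade)$")
# Assumed EdgeOS/VyOS tagging; iptables-save quotes the comment only when it needs to.
COMMENT_RE = re.compile(r'--comment "?(?:SRC|DST)-NAT-(\d+)"?')


def parse_config_rules(text: str) -> Dict[int, Optional[str]]:
    """Map rule number -> NAT type (None if the rule has no type yet)."""
    rules: Dict[int, Optional[str]] = {}
    depth = 0
    current: Optional[int] = None
    rule_depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m and current is None:
            current = int(m.group(1))
            rule_depth = depth
            rules[current] = None
        elif current is not None:
            t = TYPE_RE.match(line)
            if t:
                rules[current] = t.group(1)
        # Track brace nesting so inner blocks (destination { ... }) don't end the rule.
        depth += line.count("{") - line.count("}")
        if current is not None and depth == rule_depth:
            current = None
    return rules


def parse_iptables_rules(text: str) -> Set[int]:
    """Collect every rule number referenced by a NAT-rule comment in iptables-save output."""
    return {int(m.group(1)) for line in text.splitlines() for m in [COMMENT_RE.search(line)] if m}


def find_desync(config_text: str, iptables_text: str) -> Dict[str, list]:
    """Report rules that exist in only one of the two views, plus rules that would fail validation."""
    cfg = parse_config_rules(config_text)
    ipt = parse_iptables_rules(iptables_text)
    return {
        "missing_from_iptables": sorted(n for n in cfg if n not in ipt),
        "orphaned_in_iptables": sorted(n for n in ipt if n not in cfg),
        "no_type_in_config": sorted(n for n, t in cfg.items() if t is None),
    }


if __name__ == "__main__":
    for key, nums in find_desync(CONFIG_SHOW, IPTABLES_SAVE).items():
        print(f"{key}: {nums}")
```

On a real router, replace the two constructed strings with the live output of the two commands the moderator asked for; any rule listed under `missing_from_iptables` is a candidate for the "Index of deletion too big" error on the next commit, and `no_type_in_config` flags the exact validation error (`rule type not specified/valid`) that triggered the desync in fenrir's reproduction.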
08-01-2016 11:40 AM
@fenrir thank you for the specific steps to reproduce the issue. Following your steps I was able to reproduce the issue and can now start looking into it.
10-18-2018 03:24 AM
I faced the same issue in v1.10.7. I wanted to debug on my network so I enabled logging for my only DNAT rule.
When I fixed the issue (real client not listening anymore on the translated port -_-), I couldn't disable logging for this rule (Alert:iptables: Index of deletion too big.).
Rebooting router allowed me to disable logging, but the issue seems not to be fixed.