It turns out UDP only seems to work in Pure NAT mode with the 'Enable automatic outbound NAT for Reflection' option in the advanced firewall settings checked. If I use NAT + Proxy then the firewall stops accepting all LAN outgoing (or to the firewall connections including ping) when connections are initiated from the LAN to the external IP on that UDP port. The firewall is able to connect to LAN systems during that time though which is odd. As soon as I reboot the firewall the LAN works again. The firewall console works just fine during all this time.
Didn't work:
Pure NAT reflection (Enable automatic outbound NAT for Reflection = UNCHECKED):
LAN udp l.a.n.70:23098 (w.a.n.54:23098) <- l.a.n.70:44428 NO_TRAFFIC:SINGLE
LAN udp l.a.n.70:44428 -> l.a.n.70:23098 SINGLE:NO_TRAFFIC
-------------------------
Worked:
Pure NAT reflection (Enable automatic outbound NAT for Reflection = CHECKED):
LAN udp l.a.n.70:23098 (w.a.n.54:23098) <- l.a.n.70:59853 MULTIPLE:MULTIPLE
LAN udp l.a.n:33208 (l.a.n.70:59853) -> l.a.n.70:23098 MULTIPLE:MULTIPLE
-------------------------
Firewall stops passing incoming connections from the LAN. Can't ping firewall LAN IP, DNS fails, etc. Connections from the firewall itself to the LAN work (SSH to a LAN server worked):
NAT + Proxy (Enable automatic outbound NAT for Reflection = CHECKED):
-------------------------
Didn't test this time but this is the scenario that caused the same issues above the last time I tested:
NAT + Proxy (Enable automatic outbound NAT for Reflection = UNCHECKED):
I am using rtl drivers so maybe this is just triggering some other hardware or rtl driver issue. With these results it seems the firewall should only allow Pure NAT with UDP because if something connects to the external IP on the UDP port it can cause traffic incoming from LAN clients to stop working completely. The text description in the Advanced firewall settings mentions that NAT + proxy works for UDP. At a minimum maybe that should be changed.
NAT Reflection mode for port forwards:
When enabled, this automatically creates additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks.
The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. Only TCP and UDP protocols are supported.
The pure NAT mode uses a set of NAT rules to direct packets to the target of the port forward. It has better scalability, but it must be possible to accurately determine the interface and gateway IP used for communication with the target at the time the rules are loaded. There are no inherent limits to the number of ports other than the limits of the protocols. All protocols available for port forwards are supported.
Individual rules may be configured to override this system setting on a per-rule basis.
I am running the latest build during these tests…
2.2-BETA (i386)
built on Mon Oct 13 18:40:19 CDT 2014
FreeBSD 10.1-RC2
Hardware is an Axiomtek NA-0043A which I have been using for about 2 years on pfSense using the Realtek 8100C chipset with 1GB of RAM.
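The two state-table snippets in the post show what actually separates the working and the broken Pure NAT run: in the working case the `->` state toward the port-forward target carries a parenthesized pre-NAT source (the client's address was rewritten to the firewall's LAN address), in the broken case it does not, so the target answers the client directly and the reply never passes through pf. The following is an added diagnostic, not code from the post or from pfSense, that parses `pfctl -ss` lines in the shape shown above and flags a reflected state whose client and target share a subnet without the source being NATed, plus any state that has seen no reply traffic. The interface name, state line layout and the 192.168.1.0/24 and 203.0.113.54 addresses are constructed to match the post's anonymized output; nothing here assumes any pfSense internals beyond that.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One `pfctl -ss` line, in the layout the post shows (constructed assumption):
#   IFACE proto addr:port [(pre-NAT addr:port)] <-|-> addr:port [(pre-NAT addr:port)] STATE:STATE
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+"
    r"(?P<state>\S+)$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    left: str
    left_orig: Optional[str]   # pre-translation address, if pf rewrote `left`
    arrow: str                 # "<-" inbound rdr state, "->" outbound state
    right: str
    right_orig: Optional[str]
    state: str                 # e.g. MULTIPLE:MULTIPLE or SINGLE:NO_TRAFFIC

    @property
    def inbound(self) -> bool:
        return self.arrow == "<-"

    @property
    def saw_replies(self) -> bool:
        # NO_TRAFFIC on either side means one direction never carried a packet
        return "NO_TRAFFIC" not in self.state


def parse_state(line: str) -> PfState:
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    return PfState(**m.groupdict())


def subnet_of(addr_port: str, octets: int = 3) -> str:
    # Crude /24 check is enough for the same-LAN case the post is about
    host = addr_port.rsplit(":", 1)[0]
    return ".".join(host.split(".")[:octets])


def check_reflection(lines: List[str]) -> List[str]:
    """Findings for the pair of pf states one reflected port forward creates.

    A client and target on the same subnet only work if the outbound `->`
    state shows the client's source translated (pre-NAT address in parentheses);
    without that, the target replies to the client directly, bypassing pf.
    """
    states = [parse_state(l) for l in lines if l.strip()]
    findings: List[str] = []
    if not any(s.inbound for s in states) or all(s.inbound for s in states):
        return ["incomplete: expected one '<-' and one '->' state"]
    for s in states:
        if s.inbound:
            continue
        client = s.left_orig or s.left
        if subnet_of(client) == subnet_of(s.right) and s.left_orig is None:
            findings.append(
                f"{s.proto} {client} -> {s.right}: client and target share a subnet "
                "but the source is not NATed; replies will bypass the firewall"
            )
    for s in states:
        if not s.saw_replies:
            findings.append(
                f"{s.proto} {s.left} {s.arrow} {s.right}: state {s.state} saw no reply traffic"
            )
    return findings


# Constructed sample states mirroring the post's two Pure NAT runs
# (client 192.168.1.50, target 192.168.1.70, firewall 192.168.1.1, WAN 203.0.113.54).
BROKEN = [
    "LAN udp 192.168.1.70:23098 (203.0.113.54:23098) <- 192.168.1.50:44428 NO_TRAFFIC:SINGLE",
    "LAN udp 192.168.1.50:44428 -> 192.168.1.70:23098 SINGLE:NO_TRAFFIC",
]
WORKING = [
    "LAN udp 192.168.1.70:23098 (203.0.113.54:23098) <- 192.168.1.50:59853 MULTIPLE:MULTIPLE",
    "LAN udp 192.168.1.1:33208 (192.168.1.50:59853) -> 192.168.1.70:23098 MULTIPLE:MULTIPLE",
]

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("working", WORKING)):
        print(label, check_reflection(sample) or ["ok"])
```

Run it against real output with `pfctl -ss | grep udp` piped into a small wrapper that groups the `<-`/`->` pair for one port; the check only needs the two lines for the forward in question.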