NAT Port forward LAN routing problem
-
Hello.
We have an issue with NAT. We've added a port forward from WAN to a specific host. However, when we try to access this host from our LAN, the returning packets from this host get blocked. When we try to trace the route, we see that the returning packets go through the pfSense router, but the incoming packets to the host go directly to the host.
We've tried enabling the option to bypass firewall rules for traffic on the same interface. We've added rules that should allow all traffic from the NAT'ed host to LAN, and the reverse. We've added these rules under LAN and floating. Nothing helps.
We are able to access the host through the router (with our external FQDN), and if we are on our LAN but enable VPN, we get access.
But internally, from LAN to the host's IP address, the returning packets get blocked. This is an example log entry:
' Aug 17 13:37:28 LAN 192.168.x.xxx:22 192.168.x.yyy:47568 TCP:SA'
-
Why would your returning traffic go to pfSense if you're on the same LAN? Do you have a mask issue?
Traffic on the same LAN would never go to your gateway. The only reason it would is if the box thinks the IP talking to it is not on the same network as it; then yeah, it would send it to its gateway.
-
Ya we finally found it, it wasn't in pfSense. The host with the port forward had a /32 subnet set in its own settings.
Human error :) It just looked too much like other NAT issues that originate from pfSense for us to blame pfSense.
Admins, should I delete this post?
-
Why should you delete it? The next poor schmuck might have done the same thing. Prob will try and file a bug report for pfSense ;) You would think there was a million dollar reward or something for finding bugs in pfSense with how many times it's mentioned, "is this a bug in pfSense" ;)
Nice to see you didn't mention "bug" hehehe
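An added example (not from anyone in this thread) showing the two things the diagnosis above turns on: a host configured with a /32 treats every other LAN address as off-link and hands its replies to the gateway, and pfSense then logs the stray SYN-ACK on LAN because it never saw the matching SYN. The log line, addresses and prefixes below are constructed; the log format follows the shape quoted in the first post.

```python
import ipaddress
import re

# Constructed sample in the shape of the firewall-log line quoted above:
# source is the forwarded SSH server replying, destination is the LAN client.
SAMPLE_LOG = "Aug 17 13:37:28 LAN 192.168.1.10:22 192.168.1.50:47568 TCP:SA"

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+):(?P<flags>\w+)$"
)


def parse_log(line):
    """Split one pfSense-style block line into its fields (constructed format)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def next_hop(host_iface, peer):
    """Where a host with address/prefix host_iface (e.g. '192.168.1.10/24')
    sends a packet for peer: 'direct' if peer is inside the host's own
    prefix, otherwise 'gateway'. With /32 the prefix holds only the host
    itself, so every LAN peer looks off-link."""
    iface = ipaddress.ip_interface(host_iface)
    return "direct" if ipaddress.ip_address(peer) in iface.network else "gateway"


def explain(line, host_iface):
    """Flag the asymmetric case from the thread: a reply (SYN-ACK) that the
    server routed via the gateway shows up blocked on LAN because the
    firewall holds no state for a connection whose SYN bypassed it."""
    entry = parse_log(line)
    hop = next_hop(host_iface, entry["dst"])
    asymmetric = hop == "gateway" and entry["flags"] == "SA" and entry["iface"] == "LAN"
    return {"next_hop": hop, "asymmetric_reply": asymmetric, "server": entry["src"]}


if __name__ == "__main__":
    for prefix in ("192.168.1.10/32", "192.168.1.10/24"):
        print(prefix, explain(SAMPLE_LOG, prefix))
```

Run against the server's real address/prefix to confirm whether a LAN client is on-link before looking for the problem in pfSense rules.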