Issues with Server behind pfSense cluster + 1:1 NAT and virtual IP (IP Alias)
-
Hi all,
I am pretty sure this scenario worked before the upgrade to pfSense 22.01; that's why I am asking whether something in the logic has changed or something is broken in 22.01.
My setup:
I am running a cluster consisting of 2 Netgate pfSense physical appliances. HA sync and VRRP all work fine. Also the captive portal, after the patch has been applied.
I have multiple virtual interfaces (VLANs), which all have VRRP virtual IPs. It all works fine as long as I use Hide NAT (NAT - Outbound - Manual Outbound NAT). All clients can connect from each LAN to internet services and traffic is flowing fast and stable as you would expect.
I have 1 VLAN (also 1 VRRP IP address) as a kind of public IP transfer VLAN: you can add a server there and all the services of that server are fully available on the internet - call it "full NAT".
For that case I have set up 6 1:1 NAT rules for 6 public IPs in order to enable 6 servers for this "full NAT scenario".
My Problem:
I add a Windows computer to the VLAN for "full NAT", give it the LAN IP 192.168.149.241/24 which according to the 1:1 NAT rules will be publicly NATted to xxx.yyy.149.241/26.
I can ping other public IP addresses like 8.8.8.8 and others as well as the LAN IPs of my pfSense cluster (cluster VRRP IP as well as each LAN interface of both cluster members).
When I open a webpage on that computer in order to get my public IP checked and displayed, the page loads e.g. 50% and then suddenly the traffic stops.
After that I can also not ping the cluster VRRP IP and the physical LAN interface of the cluster master pfSense. I still can ping the cluster backup LAN interface. I also still can use other VLANs for internet traffic. After 30-60 seconds the ping suddenly comes alive again without any changes. This is reproducible.
I already checked all logfiles I can access from the web GUI of the pfSense, and the logfiles of the switches which are used, without any error.
I also did some packet capture on the LAN interface and on the WAN interface of the master cluster member: I can see the ping requests and the browser requests during all that time on the LAN interface. But on the WAN interface there are no packets captured as long as the ping requests do not get replied to any more.
That's why I think it is related to 1:1 NAT.
It does not make any difference if I change NAT reflection on/off.
Does anybody have an idea how to investigate that further or even better know a solution?
Thanks a lot in advance!
Thomas
Btw: Limiters in firewall rules currently do not work for our 22.01 version, but that's a different story.
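The capture comparison described in the post (packets visible on the LAN interface that never show up on the WAN interface), as an added example that is not part of this thread: a small Python script that reads tcpdump-style text from both interfaces, applies the 1:1 NAT mapping, and lists the flows that arrive on the LAN side but are never seen leaving on the WAN side. The capture lines, the 203.0.113.241 public address (standing in for the poster's xxx.yyy.149.241) and the function names are all constructed for this example.

```python
"""Correlate LAN and WAN packet-capture text to find flows that stop at a 1:1 NAT boundary.

Constructed example: the capture lines and the public address are made up for illustration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# tcpdump-style line: "HH:MM:SS.usec IP src[.port] > dst[.port]: details"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# (proto, src, sport, dst, dport); ports are None for ICMP
Flow = Tuple[str, str, Optional[int], str, Optional[int]]


def parse_line(line: str) -> Optional[Flow]:
    """Turn one tcpdump text line into a flow key, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Protocol heuristic for tcpdump's default text output
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif "Flags [" in rest:
        proto = "tcp"
    elif "UDP" in rest:
        proto = "udp"
    else:
        proto = "other"
    sport = int(m.group("sport")) if m.group("sport") else None
    dport = int(m.group("dport")) if m.group("dport") else None
    return (proto, m.group("src"), sport, m.group("dst"), dport)


def expected_wan_flow(flow: Flow, nat_map: Dict[str, str]) -> Flow:
    """Apply the 1:1 NAT: the internal source becomes the public address, ports are unchanged."""
    proto, src, sport, dst, dport = flow
    return (proto, nat_map.get(src, src), sport, dst, dport)


def missing_on_wan(lan_lines: Iterable[str], wan_lines: Iterable[str],
                   nat_map: Dict[str, str], lan_net: str) -> List[Flow]:
    """Return outbound LAN flows (already translated) that never appeared in the WAN capture."""
    net = ipaddress.ip_network(lan_net)
    wan_seen = {f for f in map(parse_line, wan_lines) if f is not None}
    missing: List[Flow] = []
    reported = set()
    for line in lan_lines:
        flow = parse_line(line)
        if flow is None:
            continue
        _, src, _, dst, _ = flow
        # Only traffic from a 1:1-mapped host to a destination outside the LAN is expected on WAN
        if src not in nat_map or ipaddress.ip_address(dst) in net:
            continue
        expected = expected_wan_flow(flow, nat_map)
        if expected not in wan_seen and expected not in reported:
            reported.add(expected)  # retransmissions of the same flow are reported once
            missing.append(expected)
    return missing


# Constructed sample data: 203.0.113.241 stands in for the real public 1:1 address
NAT_MAP = {"192.168.149.241": "203.0.113.241"}
LAN_CAPTURE = [
    "12:00:01.000001 IP 192.168.149.241 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000200 IP 192.168.149.241 > 192.168.149.1: ICMP echo request, id 2, seq 1, length 64",
    "12:00:01.100000 IP 192.168.149.241.51000 > 93.184.216.34.443: Flags [S], seq 0, win 64240, length 0",
    "12:00:02.100000 IP 192.168.149.241.51000 > 93.184.216.34.443: Flags [S], seq 0, win 64240, length 0",
]
WAN_CAPTURE = [
    "12:00:01.000150 IP 203.0.113.241 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.020000 IP 8.8.8.8 > 203.0.113.241: ICMP echo reply, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for proto, src, sport, dst, dport in missing_on_wan(LAN_CAPTURE, WAN_CAPTURE, NAT_MAP, "192.168.149.0/24"):
        print(f"seen on LAN, never left via WAN: {proto} {src}:{sport} -> {dst}:{dport}")
```

With the sample data the ICMP to 8.8.8.8 is matched on the WAN side, the ping to the pfSense LAN address is ignored as local, and only the HTTPS SYN to 93.184.216.34 is reported as lost between the interfaces, which is the shape of the symptom in the post. Feeding the real LAN and WAN captures in (tcpdump text with the default timestamp format) narrows the search to the NAT path instead of the client or the upstream.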
-
@thomas-hohm Correction: the virtual IPs of the cluster are of type CARP, not VRRP. The public virtual IPs are of type IP Alias.
Sorry for the mistakes.
-
Update: after turning the whole infrastructure from left to right we found the solution.
It's the limiter bug that is already known. After removing the limiter from the firewall rule (it was just one catch-all rule for the whole NAT traffic), it works as before.
Which also means: the same setting worked perfectly fine before the upgrade. I am so much hoping for a soon fix of the limiters in an official update or release!