Netgate Discussion Forum
    Simple NAT not working

    9 Posts 3 Posters 879 Views
peterlecki

      I have a number of NAT rules that work fine. I set up a new one for testing, duplicating one existing rule that works but the new test is not working.

      log1.png

      nat1.png

      rules1.png

      Port 5081 answers on the LAN so it's a valid service but it gets blocked on WAN NAT

SteveITS @peterlecki

        @peterlecki Is the 172.91.x.x address in the source alias? Getting to the default deny rule means it's not matching another rule...

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

peterlecki @SteveITS

          @steveits

          Yes, 172.91 is the source.
          I am aware that "default" is when it hits no other rules. Hence why I'm confused about it right now. I even attempted to create an easy rule from the log but it still gets default deny.

          Before the rule:
          log2a.png

          Rule created as a troubleshooting step:
          rule2.png

          Still get default deny:
          log2b.png

SteveITS @peterlecki

            @peterlecki Try a filter reload?


akuma1x @SteveITS

              @steveits Sorry, I'm coming into this a little bit late. You say that you "duplicated one existing rule", so I'm wondering if you made the necessary tweaks to the dup'ed NAT rules. When you make a NAT rule, you can choose to auto-create a corresponding firewall rule. Did you check to make sure that happened correctly?

              You don't specifically show a screenshot of your NAT rules, but are they pointing to the correct WAN firewall allow rules? You say you duplicated the other rules, maybe they are pointing to the first "NAT EDI" WAN firewall rule?

              There's a drop down menu, on each NAT rule, down near the bottom, called "Filter rule association", where you pick what happens in the firewall rule section. If you pick "create new associated filter rule" when making a new NAT rule, it will auto make a firewall rule. Since you already have the firewall rules created (per your screenshot), you can pick them in the appropriate NAT rules. That should get NAT traffic moving, like expected.

peterlecki @akuma1x

                @akuma1x
                By "duplicated" I meant created it. New NAT created its own new rule.

                rule3.png

                nat3.png

peterlecki @SteveITS

                  @steveits
Tried filter reload and noticed an error at the end, and it never completed:

                  There were error(s) loading the rules: /tmp/rules.debug:25: cannot define table pfB_Asia_v4: Cannot allocate memory - The line in question reads [25]: table <pfB_Asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
                  

So I temporarily disabled pfBlocker, filter reload then completed, and my new NAT started working. I then re-enabled pfBlocker; filter reload does not complete, but my new NAT works.

                  I must now obviously research the pfBlocker issue.

SteveITS @peterlecki

@peterlecki Ensure "Firewall Maximum Table Entries" in System/Advanced/Firewall & NAT is set to a minimum of 2 million. Increase if necessary.

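As an added check (not part of the thread or of pfSense/pfBlockerNG itself), a small POSIX shell script for a pfSense box that reads pf's table-entries hard limit from `pfctl -s memory` and counts the entries in the alias table files under /var/db/aliastables/ (the path from the error above), so you can see whether the tables fit before a filter reload fails with "Cannot allocate memory". The `pfctl -s memory` field layout, the alias file format (one address or CIDR per line) and the file count being only a lower bound on live table usage are assumptions.

```shell
#!/bin/sh
# Added example: when the total pf table entries exceed the hard limit
# ("Firewall Maximum Table Entries" in System > Advanced > Firewall & NAT),
# the filter reload aborts with "cannot define table <name>: Cannot allocate
# memory" and the OLD ruleset stays active, so new NAT/filter rules never load.

# Extract the hard limit from `pfctl -s memory` text supplied on stdin.
# Assumed line format: "table-entries hard limit  200000"
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" { print $NF; exit }'
}

# Count entries across all *.txt alias tables in a directory: one entry per
# line that is neither blank nor a comment. This only covers alias files, so
# real usage (bogons, other tables) is at least this high.
count_alias_entries() {
    dir="$1"
    total=0
    for f in "$dir"/*.txt; do
        [ -f "$f" ] || continue
        n=$(grep -Evc '^[[:space:]]*(#|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Report whether the counted entries fit under the hard limit (0 = ok, 1 = over).
check_table_capacity() {
    limit="$1"; entries="$2"
    if [ "$entries" -ge "$limit" ]; then
        echo "over: $entries alias entries vs hard limit $limit; raise Firewall Maximum Table Entries"
        return 1
    fi
    echo "ok: $entries alias entries fit under hard limit $limit"
    return 0
}

# On a pfSense/FreeBSD box with pf, run the check against live data;
# elsewhere pfctl is absent and nothing runs at top level.
if command -v pfctl >/dev/null 2>&1; then
    limit=$(pfctl -s memory | table_entries_limit)
    entries=$(count_alias_entries /var/db/aliastables)
    check_table_capacity "$limit" "$entries"
fi
```

If the check reports "over", raise the limit as advised above, then run a filter reload and confirm it finishes without the table error before trusting any newly added rules.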

peterlecki @peterlecki

                      System>Advanced>Firewall & NAT
                      Firewall Maximum Table Entries=10000000
                      Firewall Maximum States=300000
                      pfBlocker no longer preventing completion of Filter Reload

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.