Need Help with NAT reflection

Itay1787

@viragomann Ok, I will try to explain it in more detail.

I have a VPS server on which there is an OpenVPN server with which it connects to pfsense via OpenVPN
On this server, it is set that all the traffic that I forward to the IP of the client of the pfsense (10.9.0.2)
will go to the external address of the VPS (I have 2) one is dedicated to doing a simple 1:1 to the address (of the NAT OpenVPN - 10.9.0.2) of the pfsense.

Then when I port forward in pfsense, it forwards the external address of the VPS through the VPN that pfsense is connected to.

I Hope everything is clear by now.

My problem is that when I added the new ISP and set it as the default network all the ports I forward that I could access when I am still inside my network. I can't anymore. And I don't understand why.
Something with NAT is completely screwed up. And no matter what rules I try (also any any for each side) does not help.

viragomann

@Itay1787 said in Need Help with NAT reflection:

My problem is that when I added the new ISP and set it as the default network all the ports I forward that I could access when I am still inside my network.

So how do you access these services? I assume, by their public host names? So did you create host overrides for them in the local DNS? If not, why?

Itay1787

@viragomann Yes, I access them through their public host names.
Most of them are already in host overrides but I have a few that I don't want to on the host overrides because this how I check their access outside the network because it goes through a VPN so if I can access them then the whole VPN works...

viragomann

@Itay1787
You would get a more reliable outcome, when using any other device in the internet to check that function.

Anyway, it should be possibly, I think, but not clear, what the dual WAN setup has changed if it worked before.

So to recap, you try to access a public host name, which is resolved to the public VPS IP.
The vps and your location are connected with a site-2-site OpenVPN.

How did you configure the gateway group?
What is the default gateway?
Do both ISPs work, when the respectively other one is down?

Itay1787

@viragomann
What do you mean, how did I configure the gateway group?
I changed from my previous ISP to the new one and set it as Tier 1 and the additional ISP I have is set as Tier 2 the Trigger Level is set to "Packet Loss or High Latency"

The default Gateway is set to the Gateway group I configured
In all the first rules on all interfaces (the rules that give an internet network to the interface) a default is set.
Currently, both ISPs are active.

viragomann

@Itay1787
I'm wondering, where NAT reflection comes into play here. Without a NAT rule, there would be no NAT reflection at all. And apart from the one on the VPN interface, and this would only have any affect if you map the requested host name to the VPN clients IP.

Anyway I think, this could only work with a masquerading rule (outbound NAT, S-NAT).
I'd add the rule to the VPN interface of the VPS. You can limit it to the source of your public IPs. This way, you will see the real source IP if the access is coming from any other address.

Itay1787

@viragomann hey, I tried to add this rule but it doesn't work. Did I do it correctly?

viragomann

@Itay1787
If this is on the VPS site and the alias in the source includes both of your public IP, then yes, I'd expect it to work.

It should translate the source address in packets to the server VPN address on matching traffic.
You can verify this with packet capture.

If it doesn't work ensure the the request packet is routed out on WAN properly.

Itay1787

@viragomann No, This is my Location the VPS is Debian Server the run OpenVPN server with iptable rule to do 1:1 on the NAT VPN.

The thing that I don't understand is why it works without any rules (except the port forward) on my previous ISPs and now it doesn't works with the new one

viragomann

@Itay1787 said in Need Help with NAT reflection:

No, This is my Location the VPS is Debian Server the run OpenVPN server with iptable rule to do 1:1 on the NAT VPN.

Maybe it also works if you do it on your site, but then you have to change the interface to that one, which is facing to the destination server of the port forwarding (e.g. LAN) and the translation to the respective interface address, but not sure.

The thing that I don't understand is why it works without any rules (except the port forward) on my previous ISPs and now it doesn't works with the new one

Possibly you have other NAT rule with reflection or your ISP router did reflection.

As mentioned above, I would use any other source, which is connected to the interface, to verify the routing. Routing traffic out to the internet and back in on another interface is a hack to me.

Itay1787

@viragomann said in Need Help with NAT reflection:

Possibly you have other NAT rule with reflection or your ISP router did reflection.

This is the weird thing, The ISP's connection was connected directly to pfsense so there was no other router present.
I know there are other ways to do what I want. But I want it to work. I feel like something is broken that it's not working.

And I have no idea what rule to put in NAT.
I tried everything as I said.
any in Destination and any in Source didn't help...

Itay1787

@viragomann Could it be that PPPoE has something to do with it?
It's just that the new ISP uses it

I also checked if the pfsense connects to the VPN through the other ISP and not the same ISP I connected through.
not working
I checked every possible NAT rule
does not help
The conclusion I came to:
As long as the client device tries to go to the public host names NOT through the new ISP it works (If I connect through a VPN the client - then I work, if I do policy routing - switching the gateway via pfsense to the client device that I will connect to the internet via the other ISP then it WORKING. )
Then I thought maybe the ISP blocks NAT reflection because maybe it detects it somehow...
But if I forward the ports through the new ISP directly
and activate NAT reflection it works too.... something very strange

I'm out of ideas as to how to fix it...

viragomann

@Itay1787
As I said, it's not fully clear to me, how this has worked before. Without knowing all your rules, that's hard to say.

A suspicion is still an asymmetric routing issue. To rule this out, enable the logging of the default deny rule, try to access your server, than check the firewall log for related blocks.

Itay1787

@viragomann Hi, I have new information.

After some tests
that I install pfsense on a VM to check if I connect to PPPoE through it and then do "CG-NAT" to the main pfsense to see if it will work.
And it works!!!!!! The only thing I changed in the main pfsense is in the gateway group that the interface from the virtual pfsense will be the main one and all traffic will go through it!

What it looks like is as long as the external IP address of the client trying to access is the same external address that is visible in pfsense then it just won't work.
Now I have no idea what rule and where I should put it to solve this problem. I have never encountered this problem in my life.
So I don't even know what to call it to google it