Netgate Discussion Forum

    Endpoint-independent Outbound NAT (eimnat) rules

    Plus 25.11 Snapshots
    • marcosm Netgate

      When testing the PS5 and Switch 2 I did not need to check "Static Port". To achieve NAT Type 2/B I only checked EIM-NAT and configured UPnP.

      • luckman212 LAYER 8 @marcosm

        @marcosm Thanks, I'm testing with 25.11.r.20251118.1708 now

        • luckman212 LAYER 8 @marcosm

          @marcosm Is UPnP still needed though? I thought part of the appeal of EIM NAT was that we didn't need UPnP...

          I enabled just eim, flushed my state table and ran a few online tests, but not sure it's working for me... all sites are reporting me as being behind a "Port Restricted Cone NAT"

          e.g. https://natchecker.com or https://whatsmynat.com


          I also tested with some command-line tools I found, e.g. stunner and nat-detect

          With EIMNAT checkbox enabled

          $ nat-detect
             nat_type: PortRestrictedCone
          public_addr: 70.18.xxx.xxx:26787
          

          Tested again without EIMNAT, and it reports symmetric:

          $ nat-detect
             nat_type: Symmetric
          public_addr: 70.18.xxx.xxx:46689
          

          So it's definitely changing the behavior. Not sure if it should be possible to achieve FullCone however...

          • Bob.Dig LAYER 8

            I did the upgrade to the RC this morning, coming from 25.07.1. I then enabled Endpoint-independent Outbound NAT for my machine and pfSense crashed. And it crashed on every boot so I had to use the zfs-snapshot feature.

            Dump header from device: /dev/gpt/swap1
              Architecture: amd64
              Architecture Version: 4
              Dump Length: 381952
              Blocksize: 512
              Compression: none
              Dumptime: 2025-11-19 10:51:17 +0100
              Hostname: pfSense.internal
              Magic: FreeBSD Text Dump
              Version String: FreeBSD 16.0-CURRENT #33 plus-RELENG_25_11-n256497-084b5f7b7bcd: Tue Nov 18 17:18:00 UTC 2025
                root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-Plus-s
              Panic String: page fault
              Dump Parity: 1574524171
              Bounds: 0
              Dump Status: good
            

            I saved the dumps if they are of interest.

            I will give 25.11 RC another chance without using this feature.

            • luckman212 LAYER 8 @Bob.Dig

              @Bob.Dig could you post a screenshot of how you configured your EIMNAT rule? Did you have Static Port checked? Seems like you're hitting the same bug I encountered before.

              • Bob.Dig LAYER 8 @luckman212

                @luckman212 Yep, I had static port enabled too.

                • marcosm Netgate @Bob.Dig

                  @Bob.Dig The crash can be uploaded here:
                  https://nc.netgate.com/nextcloud/s/FGaJJ3bHDTnTi5Q

                  @luckman212 EIM may not be sufficient because, as I understand it, EIM only deals with the mapping. There is still the matter of allowing (e.g. inbound) connections through the filter, which UPnP helps with. FWIW I didn't see the Switch 2 even try UPnP. With EIM (no port forwards, static port unchecked) it showed NAT Type B, without EIM it showed NAT Type D.

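The mapping-versus-filtering distinction in the post above, as an added example (not pfSense or pf code, and not written by any poster): a toy NAT with independently selectable mapping and filtering policies, classified with a STUN-style probe using the cone/symmetric names that nat-detect prints. Treating the firewall's state-based filter as address-and-port-dependent is an assumption of the model; the class, function and address names are hypothetical.

```python
# Added example: toy NAT model, not pfSense or pf code; all names are hypothetical.
import itertools

class ToyNat:
    """Outbound NAT whose mapping and filtering policies are set independently."""
    def __init__(self, mapping, filtering):
        self.mapping = mapping      # "EIM" or "APDM" (address-and-port-dependent)
        self.filtering = filtering  # "EIF", "ADF" or "APDF"
        self.maps = {}              # mapping key -> public port
        self.contacted = {}         # public port -> remotes the client has sent to
        self.ports = itertools.count(40000)

    def send(self, src, dst):
        """Client src sends to dst; return the public source port the NAT picks."""
        key = src if self.mapping == "EIM" else (src, dst)
        if key not in self.maps:
            self.maps[key] = next(self.ports)
        port = self.maps[key]
        self.contacted.setdefault(port, set()).add(dst)
        return port

    def inbound_allowed(self, port, remote):
        """Would the filter pass a packet from remote to the mapped public port?"""
        seen = self.contacted.get(port, set())
        if not seen:
            return False                      # no mapping, nothing to reach
        if self.filtering == "EIF":
            return True                       # any remote may use the mapping
        if self.filtering == "ADF":
            return remote[0] in {ip for ip, _ in seen}
        return remote in seen                 # APDF: exact ip:port contacted before

def classify(nat):
    """STUN-style probe with constructed test addresses (RFC 5737 range)."""
    client = ("192.168.1.50", 5000)
    s1, s2 = ("198.51.100.1", 3478), ("198.51.100.2", 3478)
    new_ip, new_port = ("198.51.100.3", 3478), ("198.51.100.1", 3479)
    port = nat.send(client, s1)
    if nat.send(client, s2) != port:
        return "Symmetric"                    # mapping depends on destination
    if nat.inbound_allowed(port, new_ip):
        return "FullCone"
    if nat.inbound_allowed(port, new_port):
        return "RestrictedCone"
    return "PortRestrictedCone"

def survey():
    """Classify each mapping/filtering combination of the model."""
    combos = [("APDM", "APDF"), ("EIM", "APDF"), ("EIM", "ADF"), ("EIM", "EIF")]
    return {c: classify(ToyNat(*c)) for c in combos}

if __name__ == "__main__":
    for combo, nat_type in survey().items():
        print(combo, "->", nat_type)
```

In the model, switching only the mapping to EIM moves the result from Symmetric to PortRestrictedCone; FullCone appears only when the filter also admits remotes the client never contacted.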
                  • Bob.Dig LAYER 8 @marcosm

                    @marcosm said in Endpoint-independent Outbound NAT (eimnat) rules:

                    The crash can be uploaded here:

                    Done.

                    • luckman212 LAYER 8 @Bob.Dig

                      @Bob.Dig Thank you for being another person on the internet with this problem. I'm used to being the only one with weird edge case bugs.

                      • Bob.Dig LAYER 8 @luckman212

                        @luckman212 I think you are one of the few early testers.

                        Besides this new NAT-feature, everything works fine so far.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.