1:1 NAT not working in outbound direction
-
i couldn't adjust AON rules to do this, because it complained about an overlap with the 1:1 already specified.
Free_the_Mallocs talked me into going ahead with 1.2b … i have the primary node updated now and things look like they're working just as they did. i just want to double-check one thing, though ...
i have multi-wan enabled, and multiple subnets behind the firewall. in AON i have one nat for each internal subnet going to each isp. if i simply disable AON, this will be taken care of automatically? i'm not going to drop any functionality by doing so?
-
yes. it was a bug that's been fixed.
-
hrm … i just turned off AON and re-tested the 1:1 nat outbound. the connection originated from the firewall's ip address, not the carp address which is configured in the 1:1 nat. i also tried editing the 1:1 and re-committing, just in case. no joy.
what am i missing?
-
Please upgrade to http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-29-2007.tgz
-
The digital signature on this image is invalid.
This means that the image you uploaded is not an official/supported image and may lead to unexpected behavior or security compromises. Only install images that come from sources that you trust, and make sure that the image has not been tampered with.Do you want to install this image anyway (on your own risk)?
is this expected, or is it a bad download/firmware upload?
-
This is normal. I cannot sit in front of the snapshot server and sign images 24x7 :)
-
hah! just wanted to make sure … :)
-
no joy … still coming from the firewall's own address. is this really a code issue, or am missing something in my config?
-
Post your 1:1 configuration and the output of 'grep nat /tmp/rules.debug' from a shell.
-
pretty friggin' ugly … i'm only posting the one 1:1 nat i'm testing with, but there are 15. in addition, there are (still) 12 outbound nats (the originals that were required before disabling AON). but despite these, the nat is still tied to the firewall's ip. according to this definition below, the nat should be tied to 72.236.26.50 - when in fact it's being tied to the 208.49.241.xxx (firewall) address.
TELCOVE 72.236.26.50/32 10.0.0.50/32 extranet 72.236.26.50 <-> 10.0.0.50
nat-anchor "pftpx/"
nat-anchor "natearly/"
nat-anchor "natrules/*"
binat on em2 from 10.1.254.246/32 to any -> 208.49.241.149/32
binat on em2 from 10.1.254.252/32 to any -> 208.49.241.153/32
binat on em2 from 192.192.192.124/32 to any -> 208.49.241.154/32
binat on em1 from 10.0.0.49/32 to any -> 72.236.26.49/32
binat on em1 from 10.0.0.50/32 to any -> 72.236.26.50/32
binat on em1 from 192.192.192.46/32 to any -> 72.236.26.134/32
binat on em1 from 192.192.192.13/32 to any -> 72.236.26.135/32
binat on em1 from 192.192.192.38/32 to any -> 72.236.26.136/32
binat on em1 from 192.192.192.37/32 to any -> 72.236.26.141/32
binat on em1 from 192.192.192.31/32 to any -> 72.236.26.148/32
binat on em1 from 192.192.192.36/32 to any -> 72.236.26.174/32
binat on em1 from 192.192.192.11/32 to any -> 72.236.26.176/32
binat on em1 from 10.0.6.253/32 to any -> 72.236.26.181/32
binat on em1 from 10.0.6.250/32 to any -> 72.236.26.182/32
binat on em1 from 192.192.192.189/32 to any -> 72.236.26.189/32
binat on em2 from 10.1.254.246/32 to any -> 208.49.241.149/32
binat on em2 from 10.1.254.252/32 to any -> 208.49.241.153/32
binat on em2 from 192.192.192.124/32 to any -> 208.49.241.154/32
binat on em1 from 10.0.0.49/32 to any -> 72.236.26.49/32
binat on em1 from 10.0.0.50/32 to any -> 72.236.26.50/32
binat on em1 from 192.192.192.46/32 to any -> 72.236.26.134/32
binat on em1 from 192.192.192.13/32 to any -> 72.236.26.135/32
binat on em1 from 192.192.192.38/32 to any -> 72.236.26.136/32
binat on em1 from 192.192.192.37/32 to any -> 72.236.26.141/32
binat on em1 from 192.192.192.31/32 to any -> 72.236.26.148/32
binat on em1 from 192.192.192.36/32 to any -> 72.236.26.174/32
binat on em1 from 192.192.192.11/32 to any -> 72.236.26.176/32
binat on em1 from 10.0.6.253/32 to any -> 72.236.26.181/32
binat on em1 from 10.0.6.250/32 to any -> 72.236.26.182/32
binat on em1 from 192.192.192.189/32 to any -> 72.236.26.189/32
nat on $wan from 10.0.10.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.10.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.10.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.10.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.10.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.10.0/24 to any -> (em1)
nat on $wan from 10.0.6.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.6.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.6.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.6.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.6.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.6.0/24 to any -> (em1)
nat on $wan from 172.31.255.248/29 port 500 to any port 500 -> (em2) port 500
nat on $wan from 172.31.255.248/29 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 172.31.255.248/29 to any -> (em2)
nat on $TELCOVE from 172.31.255.248/29 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 172.31.255.248/29 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 172.31.255.248/29 to any -> (em1)
nat on $wan from 10.0.2.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.2.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.2.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.2.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.2.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.2.0/24 to any -> (em1)
nat on $wan from 10.0.0.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.0.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.0.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.0.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.0.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.0.0/24 to any -> (em1)
nat on $wan from 10.0.11.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.11.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.11.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.11.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.11.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.11.0/24 to any -> (em1)
nat on $wan from 10.0.12.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.12.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.12.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.12.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.12.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.12.0/24 to any -> (em1)
nat on $wan from 10.0.7.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.7.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.7.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.7.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.7.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.7.0/24 to any -> (em1)
nat on $wan from 10.0.8.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.8.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.8.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.8.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.8.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.8.0/24 to any -> (em1)
nat on $wan from 10.0.9.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.9.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.0.9.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.9.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.0.9.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.0.9.0/24 to any -> (em1)
nat on $wan from 10.1.0.0/16 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.1.0.0/16 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 10.1.0.0/16 to any -> (em2)
nat on $TELCOVE from 10.1.0.0/16 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 10.1.0.0/16 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 10.1.0.0/16 to any -> (em1)
nat on $wan from 172.16.0.0/12 port 500 to any port 500 -> (em2) port 500
nat on $wan from 172.16.0.0/12 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 172.16.0.0/12 to any -> (em2)
nat on $TELCOVE from 172.16.0.0/12 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 172.16.0.0/12 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 172.16.0.0/12 to any -> (em1)
nat on $wan from 192.168.0.0/16 port 500 to any port 500 -> (em2) port 500
nat on $wan from 192.168.0.0/16 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 192.168.0.0/16 to any -> (em2)
nat on $TELCOVE from 192.168.0.0/16 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 192.168.0.0/16 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 192.168.0.0/16 to any -> (em1)
nat on $wan from 192.168.120.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 192.168.120.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 192.168.120.0/24 to any -> (em2)
nat on $TELCOVE from 192.168.120.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 192.168.120.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 192.168.120.0/24 to any -> (em1)
nat on $wan from 192.168.255.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 192.168.255.0/24 port 5060 to any port 5060 -> (em2) port 5060
nat on $wan from 192.168.255.0/24 to any -> (em2)
nat on $TELCOVE from 192.168.255.0/24 port 500 to any port 500 -> (em1) port 500
nat on $TELCOVE from 192.168.255.0/24 port 5060 to any port 5060 -> (em1) port 5060
nat on $TELCOVE from 192.168.255.0/24 to any -> (em1)
pass in log quick on $DMZ proto { tcp udp } from <vpnrouterinternal>to any port = 4500 keep state label "USER_RULE: NAT vpn/ipsec-nat-t"
pass in log quick on $DMZ proto { tcp udp } from <vpnclientrouterinternal>to any port = 4500 keep state label "USER_RULE: NAT vpn/ipsec-nat-t"
pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) proto { tcp udp } from any to <vpnrouterinternal>port = 4500 keep state label "USER_RULE: NAT vpn/
ipsec-nat-t"
pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) proto { tcp udp } from any to <vpnclientrouterinternal>port = 4500 keep state label "USER_RULE: NA
T vpn/ipsec-nat-t"
pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) inet proto icmp from any to <vpnrouterinternal>icmp-type echoreq keep state label "USER_RULE: NAT
vpn/ipsec-nat-t"
pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) inet proto icmp from any to <vpnclientrouterinternal>icmp-type echoreq keep state label "USER_RULE
: NAT vpn/ipsec-nat-t"</vpnclientrouterinternal></vpnrouterinternal></vpnclientrouterinternal></vpnrouterinternal></vpnclientrouterinternal></vpnrouterinternal> -
In the end, i had to re-enable AON. having it disabled (and with the last shown config) broke outbound mail. So as it stands, i'm on the latest snapshot referenced above, two-node pfsense, dual-wan, multiple carp and 1:1 nats, AON enabled. inbound works properly via the 1:1, but outbound connections do NOT.
any help will be appreciated.
-
okay - pfSense support to the rescue! my biggest issue turned out to have a simple resolution, though the support folks had to dig plenty to find it. while i described a fairly simple scenario, in actuality the config in its entirety was very complex. but pfSense support found the "needle in a stack of needles" (yeah, that was a quote from one of them) and outbound NAT is working correctly now.
i've grown this complex clustered firewall environment since versions before 1.0-release, and things have changed in the gui and behind the scenes that i didn't catch. just remember that if you have a multi-wan configuration and are using 1:1 nats, each 1:1 nat and corresponding rule must have its gateway set accordingly - otherwise your outbound nat, just like mine, may very well go out the wrong isp network. and that just isn't cool. :) well, perhaps cool but certainly not very useful …
bravo, guys. you've already made good on this year's support contract.
-
Thanks! And for the record you have a somewhat complicated network :)