Nat reflection problem
-
Hi.
I just installed the 2.0. Fresh install, to make sure there were no upgrade problems.
However, when I uncheck the "Disable NAT Reflection" box, the box stops NATing anything at all.
I have a simple setup: 1 WAN, 1 LAN interface. The WAN has a public internet IP, no firewalls between ISP and WAN.
I have a webserver on my LAN, which works fine from the outside. On pfsense-1.2.3-RC1 I had the exact same ports forwarded, and with the "Disable NAT Reflection" unchecked, I could reach my webserver just fine from both outside and inside.
With 2.0 and this "Disable NAT Reflection" unchecked, NAT just stops working. No one can reach anything on the outside, and the webserver is still not reachable from the inside through its domain.
(I have it working with the DNS forwarder trick mentioned in the FAQ. It's just a private webserver and a home network, so it's not a big problem.)
Is there anything different one has to remember to make this work in 2.0? :)
Thanks in advance for any help.
- technot
-
Can you post your config and rules.debug content?
-
These are the requested files with my working setup (DNS split instead of NAT reflection) (passwords and hashes have been removed).
config.xml:
<pfsense>
  <version>5.9</version>
  <lastchange></lastchange>
  <theme>pfsense_ng</theme>
  <sysctl>
    <item><desc>Set the ephemeral port range to be lower.</desc><tunable>net.inet.ip.portrange.first</tunable><value>1024</value></item>
    <item><desc>Drop packets to closed TCP ports without returning a RST</desc><tunable>net.inet.tcp.blackhole</tunable><value>2</value></item>
    <item><desc>Do not send ICMP port unreachable messages for closed UDP ports</desc><tunable>net.inet.udp.blackhole</tunable><value>1</value></item>
    <item><desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc><tunable>net.inet.ip.random_id</tunable><value>1</value></item>
    <item><desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc><tunable>net.inet.tcp.drop_synfin</tunable><value>1</value></item>
    <item><desc>Enable sending IPv4 redirects</desc><tunable>net.inet.ip.redirect</tunable><value>1</value></item>
    <item><desc>Enable sending IPv6 redirects</desc><tunable>net.inet6.ip6.redirect</tunable><value>1</value></item>
    <item><desc>Generate SYN cookies for outbound SYN-ACK packets</desc><tunable>net.inet.tcp.syncookies</tunable><value>1</value></item>
    <item><desc>Maximum incoming/outgoing TCP datagram size (receive)</desc><tunable>net.inet.tcp.recvspace</tunable><value>65228</value></item>
    <item><desc>Maximum incoming/outgoing TCP datagram size (send)</desc><tunable>net.inet.tcp.sendspace</tunable><value>65228</value></item>
    <item><desc>IP Fastforwarding</desc><tunable>net.inet.ip.fastforwarding</tunable><value>1</value></item>
    <item><desc>Do not delay ACK to try and piggyback it onto a data packet</desc><tunable>net.inet.tcp.delayed_ack</tunable><value>0</value></item>
    <item><desc>Maximum outgoing UDP datagram size</desc><tunable>net.inet.udp.maxdgram</tunable><value>57344</value></item>
    <item><desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc><tunable>net.link.bridge.pfil_onlyip</tunable><value>0</value></item>
    <item><desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc><tunable>net.link.bridge.pfil_member</tunable><value>1</value></item>
    <item><desc>Set to 1 to enable filtering on the bridge interface</desc><tunable>net.link.bridge.pfil_bridge</tunable><value>0</value></item>
    <item><desc>Allow unprivileged access to tap(4) device nodes</desc><tunable>net.link.tap.user_open</tunable><value>1</value></item>
    <item><desc>Verbosity of the rndtest driver (0: do not display results on console)</desc><tunable>kern.rndtest.verbose</tunable><value>0</value></item>
    <item><desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc><tunable>kern.randompid</tunable><value>347</value></item>
    <item><desc>Maximum size of the IP input queue</desc><tunable>net.inet.ip.intr_queue_maxlen</tunable><value>1000</value></item>
    <item><desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc><tunable>hw.syscons.kbd_reboot</tunable><value>0</value></item>
    <item><desc>Enable TCP Inflight mode</desc><tunable>net.inet.tcp.inflight.enable</tunable><value>1</value></item>
    <item><desc>Enable TCP extended debugging</desc><tunable>net.inet.tcp.log_debug</tunable><value>0</value></item>
    <item><desc>Set ICMP Limits</desc><tunable>net.inet.icmp.icmplim</tunable><value>750</value></item>
    <item><desc>TCP Offload Engine</desc><tunable>net.inet.tcp.tso</tunable><value>0</value></item>
    <item><desc>TCP Offload Engine - BCE</desc><tunable>hw.bce.tso_enable</tunable><value>0</value></item>
  </sysctl>
  <system>
    <optimization>normal</optimization>
    <hostname>pfSense</hostname>
    <domain>local</domain>
    <dnsallowoverride/>
    <group>
      <name>all</name>
      <description>All Users</description>
      <scope>system</scope>
      <gid>1998</gid>
      <member>0</member>
    </group>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>admin</name>
      <fullname>System Administrator</fullname>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>removed</password>
      <uid>0</uid>
      <priv>user-shell-access</priv>
      <md5-hash>removed</md5-hash>
      <nt-hash>removed</nt-hash>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <timezone>Etc/UTC</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>0.pfsense.pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>4a85b1a18d669</ssl-certref>
    </webgui>
    <dnsserver/>
    <ca>
      <refid>4a85b1470f4b3</refid>
      <name>internalCA</name>
      <crt>removed</crt>
      <prv>removed</prv>
      <serial>1</serial>
    </ca>
    <cert>
      <refid>4a85b1a18d669</refid>
      <name>internalSSL</name>
      <caref>4a85b1470f4b3</caref>
      <crt>removed</crt>
      <prv>removed</prv>
    </cert>
    <enablesshd>enabled</enablesshd>
    <scrubrnid>enabled</scrubrnid>
    <maximumstates/>
    <reflectiontimeout/>
    <firmware>
      <alturl>
        <enable/>
        <firmwareurl>http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_HEAD/.updaters</firmwareurl>
      </alturl>
    </firmware>
    <disablenatreflection>yes</disablenatreflection>
  </system>
  <interfaces>
    <lan>
      <if>xl1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <media></media>
      <mediaopt></mediaopt>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
    </lan>
    <wan>
      <if>rl0</if>
      <mtu/>
      <ipaddr>dhcp</ipaddr>
      <subnet/>
      <gateway/>
      <dhcphostname/>
      <media></media>
      <mediaopt></mediaopt>
      <bandwidth>100</bandwidth>
      <bandwidthtype>Mb</bandwidthtype>
      <spoofmac></spoofmac>
    </wan>
  </interfaces>
  <staticroutes></staticroutes>
  <pppoe>
    <username/>
    <password></password>
  </pppoe>
  <pptp>
    <username/>
    <password/>
    <local></local>
  </pptp>
  <dhcpd>
    <lan>
      <enable/>
      <range>
        <from>192.168.1.10</from>
        <to>192.168.1.245</to>
      </range>
    </lan>
  </dhcpd>
  <pptpd>
    <localip></localip>
  </pptpd>
  <dnsmasq>
    <enable/>
    <hosts>
      <host>www</host>
      <domain>deppa.com</domain>
      <ip>192.168.1.113</ip>
      <descr>deppa</descr>
    </hosts>
    <regdhcp/>
    <regdhcpstatic/>
  </dnsmasq>
  <snmpd>
    <syslocation></syslocation>
    <syscontact></syscontact>
    <rocommunity>public</rocommunity>
  </snmpd>
  <diag>
    <ipv6nat>
      <ipaddr></ipaddr>
    </ipv6nat>
  </diag>
  <nat>
    <ipsecpassthru>
      <enable></enable>
    </ipsecpassthru>
    <rule>
      <protocol>tcp</protocol>
      <external-port>6667</external-port>
      <target>192.168.1.113</target>
      <local-port>6667</local-port>
      <interface>wan</interface>
      <descr>deppa-irc</descr>
    </rule>
    <rule>
      <protocol>tcp</protocol>
      <external-port>25</external-port>
      <target>192.168.1.113</target>
      <local-port>25</local-port>
      <interface>wan</interface>
      <descr>deppa-smtp</descr>
    </rule>
    <rule>
      <protocol>tcp</protocol>
      <external-port>110</external-port>
      <target>192.168.1.113</target>
      <local-port>110</local-port>
      <interface>wan</interface>
      <descr>deppa-pop3</descr>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <external-port>56035</external-port>
      <target>192.168.1.119</target>
      <local-port>56035</local-port>
      <interface>wan</interface>
      <descr>terje-torrent</descr>
    </rule>
    <rule>
      <protocol>tcp</protocol>
      <external-port>80</external-port>
      <target>192.168.1.113</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr>deppa-www</descr>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <external-port>53</external-port>
      <target>192.168.1.113</target>
      <local-port>53</local-port>
      <interface>wan</interface>
      <descr>deppa-dns</descr>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <external-port>3306</external-port>
      <target>192.168.1.141</target>
      <local-port>3306</local-port>
      <interface>wan</interface>
      <descr>technot-mysql</descr>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <external-port>16881-16891</external-port>
      <target>192.168.1.141</target>
      <local-port>16881</local-port>
      <interface>wan</interface>
      <descr>technot-utorrent</descr>
    </rule>
  </nat>
  <filter>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>6667</port>
      </destination>
      <descr>NAT deppa-irc</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>80</port>
      </destination>
      <descr>NAT deppa-web</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>25</port>
      </destination>
      <descr>NAT deppa-smtp</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>110</port>
      </destination>
      <descr>NAT deppa-pop3</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>22</port>
      </destination>
      <descr>NAT deppa-ssh</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.119</address>
        <port>56035</port>
      </destination>
      <descr>NAT terje-torrent</descr>
    </rule>
    <rule>
      <type>pass</type>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>80</port>
      </destination>
      <descr>NAT deppa-www</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.113</address>
        <port>53</port>
      </destination>
      <descr>NAT deppa-dns</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.141</address>
        <port>3306</port>
      </destination>
      <descr>NAT technot-mysql</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination>
        <address>192.168.1.141</address>
        <port>16881-16891</port>
      </destination>
      <descr>NAT technot-utorrent</descr>
    </rule>
    <bypassstaticroutes>yes</bypassstaticroutes>
  </filter>
  <shaper></shaper>
  <ipsec>
    <preferredoldsa></preferredoldsa>
  </ipsec>
  <aliases></aliases>
  <proxyarp></proxyarp>
  <cron>
    <item>
      <minute>0</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 newsyslog</command>
    </item>
    <item>
      <minute>1,31</minute><hour>0-5</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 adjkerntz -a</command>
    </item>
    <item>
      <minute>1</minute><hour>3</hour><mday>1</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
    </item>
    <item>
      <minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
    </item>
    <item>
      <minute>1</minute><hour>1</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
    </item>
    <item>
      <minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
    </item>
    <item>
      <minute>*/5</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</command>
    </item>
    <item>
      <minute>*/5</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who>
      <command>/usr/bin/nice -n20 /etc/ping_hosts.sh</command>
    </item>
  </cron>
  <rrd>
    <enable></enable>
  </rrd>
  <revision>
    <description>/firewall_nat.php made unknown change</description>
    <time>1250338135</time>
  </revision>
  <installedpackages>
    <package>
      <name>rate</name>
      <descr>This package adds a table of realtime bandwidth usage by IP address to Status -> Traffic Graphs</descr>
      <category>Network Management</category>
      <version>0.9</version>
      <status>BETA</status>
      <maintainer>jimp@pfsense.org</maintainer>
      <required_version>1.2.2</required_version>
      <depends_on_package_base_url>http://files.pfsense.com/packages/7/All/</depends_on_package_base_url>
      <depends_on_package>rate-0.9.tbz</depends_on_package>
      <config_file>http://www.pfsense.org/packages/config/rate/rate.xml</config_file>
      <configurationfile>rate.xml</configurationfile>
    </package>
    <package>
      <name>bandwidthd</name>
      <website>http://bandwidthd.sourceforge.net/</website>
      <descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr>
      <category>System</category>
      <version>2.0.1.2</version>
      <status>BETA</status>
      <required_version>1.2.1</required_version>
      <depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
      <depends_on_package>bandwidthd-2.0.1_1.tbz</depends_on_package>
      <depends_on_package>libiconv-1.11_1.tbz</depends_on_package>
      <config_file>http://www.pfsense.org/packages/config/bandwidthd/bandwidthd.xml</config_file>
      <configurationfile>bandwidthd.xml</configurationfile>
      <noembedded>true</noembedded>
    </package>
    <package>
      <name>diag_new_states</name>
      <descr>Paul Taylors version of Diagnostics States which utilizes pftop.</descr>
      <website>http://www.addressplus.net</website>
      <category>Network Management</category>
      <version>0.2</version>
      <maintainer>ptaylor@addressplus.net</maintainer>
      <required_version>1.2.1</required_version>
      <status>BETA</status>
      <config_file>http://www.pfsense.org/packages/config/diag_states_pt/diag_new_states.xml</config_file>
      <configurationfile>http://www.pfsense.com/packages/config/diag_states_pt/diag_new_states.xml</configurationfile>
    </package>
    <menu>
      <name>BandwidthD</name>
      <section>Services</section>
      <url>/pkg_edit.php?xml=bandwidthd.xml&amp;id=0</url>
    </menu>
    <menu>
      <name>States New</name>
      <tooltiptext>States by Paul Taylor</tooltiptext>
      <section>Diagnostics</section>
      <url>diag_new_states.php</url>
    </menu>
    <tab>
      <text>BandwidthD</text>
      <url>/pkg_edit.php?xml=bandwidthd.xml&amp;id=0</url>
      <active></active>
    </tab>
    <service>
      <name>bandwidthd</name>
      <rcfile>bandwidthd.sh</rcfile>
      <executable>bandwidthd</executable>
    </service>
    <bandwidthd>
      <config>
        <active_interface>wan</active_interface>
        <skipintervals/>
        <graphcutoff/>
        <promiscuous/>
        <outputcdf/>
        <recovercdf/>
        <filter/>
        <drawgraphs>on</drawgraphs>
        <meta_refresh></meta_refresh>
      </config>
    </bandwidthd>
  </installedpackages>
  <ezshaper>
    <step1>
      <numberofconnections>1</numberofconnections>
    </step1>
    <step3>
      <provider>Generic</provider>
      <address/>
      <bandwidth/>
      <local0download/>
      <local0downloadspeed>Kb</local0downloadspeed>
      <conn0upload/>
      <conn0uploadspeed>Kb</conn0uploadspeed>
      <download/>
      <downloadspeed>Kb</downloadspeed>
    </step3>
    <step4>
      <enable>on</enable>
      <address>192.168.1.119</address>
      <bandwidth>5</bandwidth>
      <bandwidthunit>Mb</bandwidthunit>
    </step4>
    <step5>
      <bandwidth/>
      <bandwidthunit>%</bandwidthunit>
    </step5>
    <step7>
      <msrdp/><vnc/><appleremotedesktop/><pcanywhere/><irc/><jabber/><icq/><aolinstantmessenger/><msnmessenger/><teamspeak/><pptp/><ipsec/><streamingmp3/><rtsp/><http/><smtp/><pop3/><imap/>
    </step7>
    <step2>
      <downloadscheduler>CBQ</downloadscheduler>
      <conn0uploadscheduler>CBQ</conn0uploadscheduler>
      <conn0upload>30</conn0upload>
      <conn0uploadspeed>Mb</conn0uploadspeed>
      <conn0download>30</conn0download>
      <conn0downloadspeed>Mb</conn0downloadspeed>
      <conn0interface>wan</conn0interface>
    </step2>
  </ezshaper>
  <dnshaper></dnshaper>
  <l7shaper>
    <container></container>
  </l7shaper>
</pfsense>
rules.debug:
#System aliases
loopback = "{ lo0 }"
WAN = "{ rl0 }"
LAN = "{ xl1 }"

# User Aliases

set loginterface rl0
set loginterface xl1
set optimization normal
set limit states 25000
set skip on pfsync0

scrub in on $WAN all random-id fragment reassemble
scrub in on $LAN all random-id fragment reassemble

nat-anchor "natearly/"
nat-anchor "natrules/"

# Outbound NAT rules
# Subnets to NAT
tonatsubnets = "{ 192.168.1.0/24 }"
no nat on $WAN to port tftp
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 84.234.185.11/32 port 500
nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 84.234.185.11/32 port 4500
nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 84.234.185.11/32 port 5060
nat on $WAN from $tonatsubnets to any -> 84.234.185.11/32 port 1024:65535

# SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"

# NAT Inbound Redirects
rdr on rl0 proto tcp from any to 84.234.185.11 port 6667 -> 192.168.1.113
rdr on rl0 proto tcp from any to 84.234.185.11 port 25 -> 192.168.1.113
rdr on rl0 proto tcp from any to 84.234.185.11 port 110 -> 192.168.1.113
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 56035 -> 192.168.1.119
rdr on rl0 proto tcp from any to 84.234.185.11 port 80 -> 192.168.1.113
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 53 -> 192.168.1.113
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 3306 -> 192.168.1.141
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 16881:16891 -> 192.168.1.141 port 16881:*

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "firewallrules"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# snort2c
table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# package manager early specific hook
anchor "packageearly"

# carp
anchor "carp"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

antispoof for rl0

# allow our DHCP client out to the WAN
anchor "wandhcp"
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

antispoof for xl1

# allow access to DHCP server on LAN
anchor "dhcpserverLAN"
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

anchor "spoofing"

# loopback
anchor "loopback"
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

anchor "firewallout"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
anchor "anti-lockout"
pass in quick on xl1 from any to (xl1) keep state label "anti-lockout rule"

# NAT Reflection rules

# User-defined rules follow
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 6667 label "USER_RULE: NAT deppa-irc"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 80 label "USER_RULE: NAT deppa-web"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 25 label "USER_RULE: NAT deppa-smtp"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 110 label "USER_RULE: NAT deppa-pop3"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 22 label "USER_RULE: NAT deppa-ssh"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.119 port = 56035 label "USER_RULE: NAT terje-torrent"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 80 label "USER_RULE: NAT deppa-www"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.113 port = 53 label "USER_RULE: NAT deppa-dns"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.141 port = 3306 label "USER_RULE: NAT technot-mysql"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.141 port 16880 >< 16892 label "USER_RULE: NAT technot-utorrent"

# VPN Rules

# package manager late specific hook
anchor "packagelate"

anchor "limitingesr"

# uPnPd
anchor "miniupnpd"
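As an added example (not part of the thread or of pfSense), a small Python audit that cross-checks the rdr port forwards in a rules.debug like the one posted above against the pass rules that are supposed to admit the forwarded traffic, run here on a constructed subset of the posted lines. It assumes pf's documented semantics for `><` (exclusive range) and for `port N:*` on an rdr target (range remapped to start at N); on this subset it reports the port-22 pass rule that has no matching port forward and the duplicated port-80 pass rule.

```python
import re
from collections import Counter

# Constructed sample: a subset of the rdr and pass lines from the posted rules.debug.
RULES_DEBUG = """\
rdr on rl0 proto tcp from any to 84.234.185.11 port 6667 -> 192.168.1.113
rdr on rl0 proto tcp from any to 84.234.185.11 port 25 -> 192.168.1.113
rdr on rl0 proto tcp from any to 84.234.185.11 port 80 -> 192.168.1.113
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 53 -> 192.168.1.113
rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 16881:16891 -> 192.168.1.141 port 16881:*
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 6667 label "USER_RULE: NAT deppa-irc"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 80 label "USER_RULE: NAT deppa-web"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 25 label "USER_RULE: NAT deppa-smtp"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 22 label "USER_RULE: NAT deppa-ssh"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto tcp from any to 192.168.1.113 port = 80 label "USER_RULE: NAT deppa-www"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.113 port = 53 label "USER_RULE: NAT deppa-dns"
pass in quick on $WAN reply-to ( rl0 84.234.185.1 ) proto { tcp udp } from any to 192.168.1.141 port 16880 >< 16892 label "USER_RULE: NAT technot-utorrent"
"""

RDR_RE = re.compile(
    r'^rdr on \S+ proto (?P<proto>tcp|udp|\{ tcp udp \}) from any to \S+ '
    r'port (?P<ext>\S+) -> (?P<target>\S+)(?: port (?P<iport>\S+))?$')
PASS_RE = re.compile(
    r'^pass in quick on \$WAN .*?proto (?P<proto>tcp|udp|\{ tcp udp \}) from any to '
    r'(?P<dst>\S+) port (?:= (?P<eq>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)) label "(?P<label>[^"]*)"$')

def proto_key(text):
    """Normalise 'tcp', 'udp' or '{ tcp udp }' to a sorted, slash-joined string."""
    return "/".join(sorted(text.strip("{} ").split()))

def ext_range(text):
    """'80' -> (80, 80); '16881:16891' -> (16881, 16891)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)

def rdr_key(m):
    """(internal address, proto, first internal port, last internal port) for an rdr."""
    lo, hi = ext_range(m["ext"])
    if m["iport"]:                      # 'port 16881:*' remaps the range to start at 16881
        start = int(m["iport"].split(":")[0])
        lo, hi = start, start + (hi - lo)
    return (m["target"], proto_key(m["proto"]), lo, hi)

def pass_key(m):
    """Same key shape for a WAN pass rule; pf's '><' excludes both end points."""
    if m["eq"]:
        lo = hi = int(m["eq"])
    else:
        lo, hi = int(m["lo"]) + 1, int(m["hi"]) - 1
    return (m["dst"], proto_key(m["proto"]), lo, hi)

def audit(rules_text):
    """Forwards with no pass rule, pass rules with no forward, and duplicated pass rules."""
    rdrs, passes = [], []
    for line in rules_text.splitlines():
        if m := RDR_RE.match(line):
            rdrs.append(rdr_key(m))
        elif m := PASS_RE.match(line):
            passes.append(pass_key(m))
    pass_count, rdr_set = Counter(passes), set(rdrs)
    return {
        "missing_pass": [k for k in rdrs if k not in pass_count],
        "orphan_pass": [k for k in pass_count if k not in rdr_set],
        "duplicate_pass": [k for k, n in pass_count.items() if n > 1],
    }

if __name__ == "__main__":
    for kind, keys in audit(RULES_DEBUG).items():
        print(kind, keys)
```

A forward listed under missing_pass is the one that silently fails (rdr rewrites the destination, then the default deny drops it), which is the first thing to rule out before blaming reflection.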
-
Everything is OK.
-
Even so, unchecking the "Disable NAT Reflection" results in no NAT at all :\
(without the DNS split, though.)
Any ideas?
-
You have the NAT rules there from what you posted, so I will not comment any further.