NAT with Pfsense 2.0Beta4
-
i can confirm something is not right about multi wan NAT
opt1.modem.ip=192.168.202.1 [modem dmz set to 192.168.202.254]
opt1.interface.ip=192.168.202.254
i setup this NAT rule: OPT1 TCP/UDP * * OPT1 address 26001 192.168.0.11 26001
utorrent is on 26001.
went to http://www.yougetsignal.com/tools/open-ports/ to do a port test. says port is closed.
hooked up a test pc and attached modem directly to pc. loaded up utorrent. did port test. says port is open.
-
I'm seeing the same thing on releases since late October. NAT is working fine on my default gateway, but not on any of the OPT interfaces. So Multi-WAN NAT seems a bit busted at present.
-
This was fixed yesterday. Try today's snapshot.
-
Hey there,
I'm running :
2.0-BETA4 (i386)
built on Wed Nov 3 02:54:06 EDT 2010
FreeBSD 8.1-RELEASE-p1
… and can confirm that my NAT issues related to this issue appear to have been resolved.
Also, the rule I have on each WAN interface allowing SSH access on a non-standard port (not NAT - just a straightforward PASS rule) is also now working.
-- Phob
-
2.0-BETA4 (i386)
built on Wed Nov 3 02:54:06 EDT 2010
FreeBSD 8.1-RELEASE-p1
updated to the above. same problem. fine on WAN1, not OPT1 - same nat/rules rules.
how can i diagnose this?
[code]
[2.0-BETA4][root@rixgate.rix]/root(8): tcpdump -i em0 tcp port 26066
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:23.778426 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, options [mss 1460,sackOK,TS val 409248447 ecr 0,nop,wscale 7], length 0
09:33:23.778528 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097064 ecr 409248447], length 0
09:33:24.453092 IP 192.168.0.11.26066 > www.no-ip.com.40318: Flags [R], seq 208309969, win 0, length 0
09:33:26.776633 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, options [mss 1460,sackOK,TS val 409251447 ecr 0,nop,wscale 7], length 0
09:33:26.779519 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097364 ecr 409248447], length 0
09:33:32.780504 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097964 ecr 409248447], length 0
^C
6 packets captured
1634 packets received by filter
0 packets dropped by kernel
[2.0-BETA4][root@rixgate.rix]/root(9): tcpdump -i nfe1 tcp port 26066
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nfe1, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:49.843386 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, options [mss 1460,sackOK,TS val 409274479 ecr 0,nop,wscale 7], length 0
09:33:52.895297 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, options [mss 1460,sackOK,TS val 409277479 ecr 0,nop,wscale 7], length 0
^C
2 packets captured
1554 packets received by filter
0 packets dropped by kernel
[2.0-BETA4][root@rixgate.rix]/root(10):
[/code]
em0 = lan
nfe1 = opt1
so...the server received and responded but response never arrived on opt1. why? what have i missed?
[code]
Port forward rule: OPT1 TCP * * OPT1 address 26066 192.168.0.11 26066
Outbound rule: OPT1 192.168.0.0/24 * * * * * YES
LAN to OPT1 FW rule: TCP * * 192.168.0.11 26066 * none
[/code]
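-
Added example, not part of any post in this thread: a Python helper that reads two tcpdump text captures like the ones above (one per interface) and names the hop where the forwarded TCP handshake stops. The function names and result labels are hypothetical, and the sample lines are constructed, modelled on the posted captures; because the two captures were taken during different connection attempts, it counts flags per interface rather than matching individual flows.

```python
import re

# tcpdump summary line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+): Flags \[([A-Z.]+)\]")

def handshake_stages(capture, service_port):
    """Count SYNs sent to, and SYN-ACKs sent from, service_port in one capture."""
    seen = {"syn_in": 0, "synack_out": 0}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # banner, ^C, packet counters
        sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3)
        if flags == "S" and dport == service_port:
            seen["syn_in"] += 1
        elif flags == "S." and sport == service_port:
            seen["synack_out"] += 1
    return seen

def locate_break(wan_capture, lan_capture, service_port):
    """Name the first hop at which the forwarded handshake stops (labels are hypothetical)."""
    wan = handshake_stages(wan_capture, service_port)
    lan = handshake_stages(lan_capture, service_port)
    if not wan["syn_in"]:
        return "syn-missing-on-wan"       # upstream modem/DMZ is not delivering
    if not lan["syn_in"]:
        return "syn-not-forwarded"        # port forward or WAN-side rule
    if not lan["synack_out"]:
        return "host-not-answering"       # service down or host firewall
    if not wan["synack_out"]:
        return "reply-lost-in-firewall"   # reply routing/state for that WAN
    return "handshake-ok"

# Constructed sample lines, modelled on the two captures in the post.
LAN_CAPTURE = """\
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:23.778426 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, length 0
09:33:23.778528 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, length 0
09:33:24.453092 IP 192.168.0.11.26066 > www.no-ip.com.40318: Flags [R], seq 208309969, win 0, length 0
"""
OPT1_CAPTURE = """\
listening on nfe1, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:49.843386 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, length 0
09:33:52.895297 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, length 0
"""

if __name__ == "__main__":
    print(locate_break(OPT1_CAPTURE, LAN_CAPTURE, 26066))
```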
-
Working for me too. Thanks a lot Scott!
-
I'm having an issue with NAT, not sure if it is the same one as the people here. I am running the latest snapshot:
2.0-BETA4 (i386)
built on Thu Nov 4 01:22:43 EDT 2010
FreeBSD 8.1-RELEASE-p1
I've got one WAN interface and 3 LAN interfaces. I set up two NAT rules with Pass as the option. One for SIP (UDP 5060) and one for RTP (UDP 10000 - 20000). One issue is that when I do a packet capture on my WAN interface, I can see RTP packets in the range 10000-20000 come in, but when I do another capture on the LAN interface, I don't see them forwarded to my host. I am also having intermittent issues with the SIP port not always registering. Haven't dug too deep on this one, but I suspect that not all packets are getting forwarded to my host.
-
I don't fully get.. does sound similar to mine…
(public initiates) [modem] -> [opt1] -> [lan] all ok!
[lan] (packet received and responses fine) -> [opt1] (!! never received outgoing packet from lan.) -> [modem]
-
Hi,
On my side with 2.0-BETA4 (i386) built on Wed Nov 3 02:54:06 EDT 2010
Can connect now but not every time.
Since this update it works better than the previous version, but not every time ???
Always OK if I use only the modem without pfSense.
This night I have installed monowall to check if it is working or not and made a few tests; now I can connect to my server.
Something is broken in pfSense. I tested the NAT and port forward and it's not working on my side (with v 1.23 and latest v2)
All works great with monowall if I put the same rules
I hope this problem will be resolved in future releases (I like pfSense)
Cheers
-
Can anybody confirm these issues or if I'm doing something wrong? I really wanna stay on pfsense and not move to anything else….
i need NAT on opt1 :(