CARP NAT rules not working
-
Hi all, I'm not sure where this should go but I hope somebody can help.
I had a setup working fine, using CARP to enable NAT from multiple WAN IPs to a few internal email servers, with a simple dual-homed WAN-LAN system.
Now I have set up a router-on-a-stick VLAN configuration and no port forwarding rules seem to be working, even on the first WAN address (please correct me if I am wrong, but I understand CARP VIPs are used to listen for second, third etc public IP addresses from the WAN interface, amongst other things, so the 'first' IP address should be a simple WAN->LAN rule?). I have double checked VLAN memberships, IP addresses and deleted/recreated NAT and firewall rules to confirm. A packet capture sees packets arriving on the WAN but nothing on the LAN side.
Other info:
There are three internal VLANs, but the servers in question are on the LAN interface
pfSense 2.0 amd64
Physical NIC is re0
Any help is appreciated. I already googled, and RTFM'd - an excellent book BTW. I wasted a day trying to work out VLANs on pfSense, and solved my problem after reading 2 paragraphs of the manual.
Thanks in advance.
-
If you see it on WAN and not LAN, then either your port forward is wrong, you don't have an associated firewall rule to permit the traffic, you have a block rule that's blocking it, or the internal host isn't reachable.
-
Thank you for the advice,
This is one of my rules for the WAN->LAN (standard, first WAN IP to LAN IP, not one of the additional CARP WAN addresses):
WAN TCP * * LAN address 25 (SMTP) 192.168.0.2 *
I have recreated the NAT rule, and the firewall rule was automatically created. The only block rules are these:
The default Private/BOGON rules on the WAN
The two OPT interfaces I created both have the following rule:
LAN net * * none
pfSense can ping the host from the LAN interface.
If any of that looks wrong to you I would appreciate any help, thanks again.
-
"LAN address" is almost definitely wrong, that should be the actual public IP.
-
Really? If it is that simple I hope you are right. But just to be sure we are on the same page, I'll be more clear about the rule:
This is from the Firewall: NAT: Port Forward page
If = WAN
Proto = TCP
Src. addr = *
Src. ports = *
Dest. addr = LAN Address
Dest. ports = 25 (SMTP)
NAT IP = 192.168.0.2
NAT Ports = *
If this relates to the WAN interface, I assumed the destination would be the IP of the mail server and the source would simply be WAN.
Bear with me, I will provide a screenshot when I am on another PC.
edit: added screenshot
-
cmb,
I went back to the book, and learned quite a bit. I was misunderstanding the options in the rules setup. Thank you for giving me a direction to look in; I have it working now.
In the end I had a look through the firewall logs and saw the 'easy setup' option to create an allow rule and followed the syntax. I didn't realize the feature was there, I'll remember next time.
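The mistake in this thread (a WAN port forward whose destination is "LAN address", which inbound packets on WAN can never match) is easy to catch by linting the exported config. The following is an added example, not code from the thread or from pfSense: it assumes a config.xml layout where the GUI's "WAN address" / "LAN address" choices are stored as the network tokens wanip / lanip and CARP VIPs live under virtualip/vip, and it uses a constructed sample with documentation-range addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (an assumption modelled on pfSense's layout, not
# an export from the project or the poster): one CARP VIP on WAN and three WAN port
# forwards. Tokens lanip / wanip stand for the GUI's "LAN address" / "WAN address".
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface>
         <subnet>198.51.100.11</subnet><subnet_bits>24</subnet_bits></vip>
  </virtualip>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><network>lanip</network><port>25</port></destination>
      <target>192.168.0.2</target><local-port>25</local-port>
      <descr>SMTP first IP (broken)</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>25</port></destination>
      <target>192.168.0.2</target><local-port>25</local-port>
      <descr>SMTP first IP (fixed)</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><address>198.51.100.12</address><port>25</port></destination>
      <target>192.168.0.3</target><local-port>25</local-port>
      <descr>SMTP second IP (typo, no such VIP)</descr></rule>
  </nat>
</pfsense>"""


def carp_vips(root: ET.Element, iface: str = "wan") -> set[str]:
    """Addresses of CARP VIPs bound to the given interface."""
    return {v.findtext("subnet") for v in root.iterfind("./virtualip/vip")
            if v.findtext("mode") == "carp" and v.findtext("interface") == iface}


def audit_port_forwards(config_xml: str) -> list[tuple[str, str]]:
    """Flag WAN port forwards whose destination cannot match inbound traffic:
    anything other than the WAN interface address or a CARP VIP on WAN."""
    root = ET.fromstring(config_xml)
    vips = carp_vips(root)
    findings = []
    for rule in root.iterfind("./nat/rule"):
        if rule.findtext("interface") != "wan":
            continue
        dst = rule.find("destination")
        net, addr = dst.findtext("network"), dst.findtext("address")
        descr = rule.findtext("descr", "")
        if net == "wanip" or addr in vips:
            continue  # first public IP, or an additional IP that really is a CARP VIP
        if net is not None:
            findings.append((descr, f"destination is '{net}', expected WAN address"))
        else:
            findings.append((descr, f"destination {addr} is not a CARP VIP on WAN"))
    return findings
```

Running audit_port_forwards on a real export also catches the second, quieter failure in a CARP setup: a forward to an address that was never added as a VIP, which likewise shows packets on WAN and nothing on LAN.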