
    Nat reflection stops working after modem reboot

    11 Posts 2 Posters 3.2k Views

      jimp Rebel Alliance Developer Netgate

      Does it start working if you press Save on System > Advanced, on the Firewall/NAT tab?

      Also you don't mention what version of pfSense you're running.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        josh4trunks

        pfSense 2.0.1 64 bit
        I tried enabling/disabling "Disable NAT Reflection for port forwards" and saving each time and there was no change.

        From my LAN, an nmap port scan of my WAN IP shows the ports as open (so firewall isn't working).
        But it can't guess the protocol, so it isn't correctly doing the port forward for people on the LAN.

        I think this means NAT reflection somehow stopped working. Is there a way to restart just the pfSense service without rebooting my pfSense box?

          jimp Rebel Alliance Developer Netgate

          Pressing save on the Firewall/NAT tab should have restarted NAT reflection. The only thing it wouldn't do is kill any states that were using NAT reflection.

          Check /tmp/rules.debug for any sign of your old IP, and the states table also.

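The check suggested in the post above, as an added example that is not part of the original thread: a shell helper that counts the lines of a pf ruleset dump that mention a stale address, matching it as a whole token so that 192.168.100.1 does not also match 192.168.100.10. The function names, sample rules and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for a stale address in a pf ruleset dump.
# count_stale_refs, write_sample_rules and the sample data are constructed.

# Print the number of lines in FILE that contain ADDR as a complete IPv4
# token, i.e. not as the prefix or suffix of a longer address.
count_stale_refs() {
    addr=$1
    file=$2
    # Escape the dots so they match literally in the regular expression.
    pattern=$(printf '%s' "$addr" | sed 's/\./\\./g')
    # Require a non-address character (or a line edge) on both sides.
    # grep -c exits 1 when the count is 0, so mask that for callers.
    grep -cE "(^|[^0-9.])${pattern}([^0-9.]|\$)" "$file" || true
}

# Write a constructed ruleset (not real pfSense output) to the given path.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules
rdr on em0 proto tcp from any to 192.168.100.1 port 80 -> 192.168.1.10
rdr on em0 proto tcp from any to 192.168.100.10 port 443 -> 192.168.1.11
pass in quick on em0 proto tcp from any to 192.168.1.10 port 80
EOF
}

# Stand-alone demo on the constructed sample.
# On the firewall itself, point the function at /tmp/rules.debug, or at a
# saved copy of the state table:  pfctl -ss > /tmp/states.txt
tmp=$(mktemp)
write_sample_rules "$tmp"
echo "lines referencing 192.168.100.1: $(count_stale_refs 192.168.100.1 "$tmp")"
rm -f "$tmp"
```

A non-zero count for an address the WAN interface no longer holds means the loaded rules (or surviving states) still reference it.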
            josh4trunks

            I see a rules.debug and a rules.debug.old; they seem to be identical. I can diff them if you think I could find something in there. Also, my WAN IP never changed. When my modem rebooted, it just confused my pfSense box for a bit (saying WAN IP = 192.168.100.1), but then it reverted back to what it usually is.

              jimp Rebel Alliance Developer Netgate

              Not sure what could be going wrong there then - are your internal clients trying to connect to the external (public) IP? If that isn't your WAN IP, then pfSense's NAT reflection may not be to blame, it could be something in the modem not working right.

                josh4trunks

                Not sure of the difference between public and WAN IP. We've tried domains that resolve to my WAN IP, and just my straight WAN IP. nmap from the LAN shows the ports are open, but can't do any scanning past that. nmap from the WAN works as expected.

                Tonight I will try a modem reboot, test, then try a pfSense reboot, and test. I'll post the results.

                  jimp Rebel Alliance Developer Netgate

                  From the sound of it you have a setup like this:

                  public IP -> Modem -> pfSense WAN 192.168.100.1 -> pfSense -> LAN

                  Clients on the LAN connecting to your public IP would be trying to contact the modem. pfSense wouldn't be involved at that stage.

                  NAT reflection on pfSense is only in effect when the clients connect to the WAN IP of pfSense. Which they might in a roundabout way in your setup, but that isn't the way NAT reflection usually works.

                  I'd suspect something in your modem broke.

                    josh4trunks

                    Check the attachment.

                    I'll check stuff on my modem tonight. Thanks for the help!

                    ![Screenshot at 2012-02-07 13:13:55.png](/public/imported_attachments/1/Screenshot at 2012-02-07 13:13:55.png)

                      jimp Rebel Alliance Developer Netgate

                      Ah but you said earlier "WAN IP = 192.168.100.1" so it threw me off.

                      I have seen some other issues come up when a cable modem flip-flops the IP like that.

                        josh4trunks

                        Ahh, sorry 'bout that, lol. K, well, I restarted my modem, no change. Restarted my pfSense box and I can get to my local service using my WAN IP again. Though, I could always get to the pfSense WebGUI / SSH, but they don't require NAT.
