MUTLI WAN & NAT ??? [SOLVED - Reply#10]
-
That still suggests your rules do not get reply-to for some reason. As above, the usual suspects are:
- Using "pass" on port forwards (rdr pass does not support reply-to, so that can't ever work, not something we can change)
i used pass and no RDR ( The checkbox is unchecked) - Not selecting a gateway on the Interface page for both WAN and WAN2 if using a static IP (this will make the firewall fail to fully treat the interface as a WAN, and skip reply-to)
I have set a gateway for the static and none for the dhcp (will choose it on his own) - Checking the box in the advanced options to disable reply-to (Which, as the option implies, removes reply-to from rules)
No, xD. With Wan2 as default it works…
Post the full contents of config.xml (you can remove keys/passwords) and a copy of /tmp/rules.debug.
If you choose to obscure IP addresses, leave enough to distinguish them (e.g. last octet), and do not remove them entirely.
I will it post later, not at home right at the moment
- Using "pass" on port forwards (rdr pass does not support reply-to, so that can't ever work, not something we can change)
-
If you used "pass" on the port forward, it will not work with any non-default route WAN, and it can't work with "pass".
Change that to "add associated firewall rule" and then save/apply the port forward. Do that for every port forward you have that uses 'pass'
-
If you used "pass" on the port forward, it will not work with any non-default route WAN, and it can't work with "pass".
Change that to "add associated firewall rule" and then save/apply the port forward. Do that for every port forward you have that uses 'pass'
Sry I was not accurate enough. I used pass in the Firewall rule, not block and not reject.
BTW: add associated firewall rule is the default setting, when you create a NAT rule.
-
I'll still need to see the config.xml and /tmp/rules.debug. A screenshot of that doesn't tell me enough about what it's doing in the background.
-
Hey Jim, Ok I fully understand and now agree with you.; I just got in from a 14 hour shift and have been dealing with recovery of failed modules and stacks we had go down lastnight. I am very tired and do not think I can put my full 100% into this right at this moment. I will grab a copy of my current config, but just to note this is a working copy. I would like to get a 'not' working copy to you also. I would love to do the comparison by my self also, The more I think about it without actually doing it is just racking my brain and have also thought about what you said and you are correct, it very well could be a PFSense configuration issue. From a networking perspective I do know that default route could of been causing the issue. But enough guessing , I will upload a working config today to get you started and I cant promise tomorrow night when I get in from work since I'm sure I will still be swamped at work. But when I get up Monday, I will completely re-install from 2.0.1 -> upgrade to 2.0.2 and cause my same issue.
and on a note of multiple users, I have people that I know in person and I have read 1 more post on another site. It was no help, but I will try and find that again for you.
-
Here is my raw config.xml & /tmp/rules.debug
http://m37offroading.ca/PFSENSE/config.xml
http://m37offroading.ca/PFSENSE/rules.debug
I have also uploaded them on the redmine post. I will get you copies of the failed config.xml and rules.debug by Monday.
-
FYI- You only have the port forward in there once. It should be in there twice (once for each WAN). The WAN rules look OK though.
rdr on nfe0 proto tcp from any to 24.212.178.88 port $Cloud -> $Server pass in log quick on $THOMSONWAN reply-to ( re0 198.84.211.65 ) proto tcp from any to $Server port $Cloud flags S/SA keep state label "USER_RULE: Allow Server to Cloud on ThomsonWAN" pass in log quick on $MOTOROLAWAN reply-to ( nfe0 24.212.178.65 ) proto tcp from any to $Server port $Cloud flags S/SA keep state label "USER_RULE: Allow Server to Cloud on MotorolaWAN" -
I saw port forwards for each. However, was it your intention to have your port forwards use two IP addresses for the redirect target IP? (10.10.10.20 and 10.10.10.30) I think using an alias with two (or more) addresses in it like that will make the forwarding cycle through the addresses in the alias on each connection attempt, using a different one each time.
-
? How could it only be in there once if NAT is working right now on both IP's, and yes. That example that server runs quad NIC's , the 2 there are used for public traffic.
-
So here we go.
This is a RAR with a Working Config and a RAR with a non working config.I send the password over PM to relevant People, because i dont know that i delete all passwords (or change them in the file to FFF/111)
http://www.marv21.de/RouterConfig.rar
-
? How could it only be in there once if NAT is working right now on both IP's, and yes. That example that server runs quad NIC's , the 2 there are used for public traffic.
Hmm I must have overlooked it, but now the rules.debug file is 404 so I can't check it again. Though Efonne is right about using multiple IPs in the target of a port forward. It will do round-robin connection alternating, it can't forward the same port to both systems and work for both at the same time.
And if you really want to do load balancing, use the load balancer, not a port forward, since a port forward with two entries would not be smart enough to remove a down host from the pool when it's not in use so half the connections would just fail. -
So here we go.
This is a RAR with a Working Config and a RAR with a non working config.I send the password over PM to relevant People, because i dont know that i delete all passwords (or change them in the file to FFF/111)
http://www.marv21.de/RouterConfig.rar
In your "don't work" folder the config.xml has two GW_WAN entries, but otherwise I don't see anything there that looks obviously out of place upon first glance. The rules have reply-to, so the default gateway shouldn't matter for items hitting the port forward. Though one of your WANs is getting double NAT, so that doesn't help, but it shouldn't interfere. USB nics (your ue0) are crappy in general but shouldn't affect it either.
I see you completely reconfigured the two NICs between those two configs, swapping them between "wan" and "opt1". So as it currently is, does the port forward still only work on one WAN? Or does it work on both now?
-
With the "work not" config only the default Gateway works ( in this config the UM WAN ( the dynamic)).
AT all iam fine, i swaped the assignment of the WAN1 and WAN2 (em0 and ue0) and everything is ok.
Maybe i forgot to delete a Wan entrie (if i swaped the assignment there a two dynamic Gateways for UM), but i correct that, but i doenst help.
-
Hey, Sorry not sure why it was deleted. It's back on same version. Ok I understand to use load balance if I was going to load balance against 2 web servers to a single nat ip.. but this is not what I am doing or my problem at that.
my problem is that the multi wan wont nat , even if I have 1 ip of the servers , so forget " dual server ips ". I still have issues with it allowing nat out on the port. this should work…correct ?
-
Hey, Sorry not sure why it was deleted. It's back on same version. Ok I understand to use load balance if I was going to load balance against 2 web servers to a single nat ip.. but this is not what I am doing or my problem at that.
my problem is that the multi wan wont nat , even if I have 1 ip of the servers , so forget " dual server ips ". I still have issues with it allowing nat out on the port. this should work…correct ?
BAD Question, but… Are u trieing it from the outside of your LAN?
-
of course ;)
