Netgate Discussion Forum

    NAT Reflection not working

    20 Posts 4 Posters 20.2k Views
    • jimp Rebel Alliance Developer Netgate

      Uncheck the first box, and set the per-rule NAT reflection option back to default.

      If the per-rule option is broken in some way, then setting it to anything but default is probably going to break.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • jimp Rebel Alliance Developer Netgate

        I just tried a test port forward on a 2.0.3 VM I have here and it worked fine… I can enable it on a per-rule basis or global and it works every time.

        You might upgrade to make sure it isn't something that was broken in 2.0.2.

        http://forum.pfsense.org/index.php/topic,58203.0.html

        • astickland

          Hi,

          Thanks for the response.

          I have upgraded to the 2.0.3 pre-release firmware, deleted and then recreated the rule but still no better as far as I can tell.

          Can you post or PM me the entries that I should be expecting to see in the rules.debug and inetd.conf files so I can check my settings?

          Thanks
          Andrew

          • jimp Rebel Alliance Developer Netgate

            For a WAN port forward going to 123.123.123.162:1234 (on my test VM's LAN subnet)

            : cat /var/etc/inetd.conf 
            tftp-proxy      dgram   udp     wait            root    /usr/libexec/tftp-proxy tftp-proxy -v
            19000   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000 123.123.123.162 1234
            
            : grep 1234 /tmp/rules.debug 
            rdr pass on em0 proto tcp from any to 10.20.30.40 port 1234 -> 123.123.123.162
            rdr on { em1 enc0 openvpn } proto tcp from any to 10.20.30.40 port 1234 tag PFREFLECT -> 127.0.0.1 port 19000
            

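An added example, not part of jimp's post or of pfSense itself: a Python check, run against copies of /tmp/rules.debug and /var/etc/inetd.conf, that pairs each port forward with its PFREFLECT rdr and nc listener as in the output above. The sample text is constructed from the quoted lines plus one invented forward (port 8443) that has no reflection entries; the regex handles only the single-port rule shape shown.

```python
import re

# Constructed sample data modelled on the two files quoted in the post above;
# the 8443 forward is an invented case with no reflection entries.
RULES_DEBUG = """\
rdr pass on em0 proto tcp from any to 10.20.30.40 port 1234 -> 123.123.123.162
rdr on { em1 enc0 openvpn } proto tcp from any to 10.20.30.40 port 1234 tag PFREFLECT -> 127.0.0.1 port 19000
rdr pass on em0 proto tcp from any to 10.20.30.40 port 8443 -> 123.123.123.163
"""
INETD_CONF = """\
tftp-proxy      dgram   udp     wait            root    /usr/libexec/tftp-proxy tftp-proxy -v
19000   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000 123.123.123.162 1234
"""

# Matches only the rdr shape shown in the post (single port, "from any").
RDR = re.compile(
    r"^rdr\s+(?:pass\s+)?on\s+(?:\{[^}]*\}|\S+)\s+proto\s+(\S+)\s+from\s+any\s+"
    r"to\s+(\S+)\s+port\s+(\d+)\s+(tag\s+PFREFLECT\s+)?->\s+(\S+)(?:\s+port\s+(\d+))?")

def audit_reflection(rules_text, inetd_text):
    """Return {(proto, wan_ip, port): status} for every port forward."""
    forwards, reflect, listeners = {}, {}, {}
    for line in rules_text.splitlines():
        m = RDR.match(line.strip())
        if not m:
            continue
        proto, dst, port, tag, target, tport = m.groups()
        if tag:   # reflection rule: redirects to a local nc listener
            reflect[(proto, dst, port)] = tport
        else:     # ordinary forward: target port defaults to the matched port
            forwards[(proto, dst, port)] = (target, tport or port)
    for line in inetd_text.splitlines():
        f = line.split()
        # nc listener lines: <local port> stream tcp ... nc -w <t> <ip> <port>
        if len(f) >= 5 and f[0].isdigit() and "nc" in f:
            listeners[f[0]] = (f[-2], f[-1])
    report = {}
    for key, target in forwards.items():
        lport = reflect.get(key)
        if lport is None:
            report[key] = "no PFREFLECT rdr"
        elif listeners.get(lport) != target:
            report[key] = "rdr present, inetd listener missing or wrong target"
        else:
            report[key] = "ok"
    return report

if __name__ == "__main__":
    print(audit_reflection(RULES_DEBUG, INETD_CONF))
```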
            • Waco1

              This might be related:

              2.0.2-RELEASE (amd64)
              built on Fri Dec 7 22:39:43 EST 2012
              FreeBSD 8.1-RELEASE-p13

              NAT reflection comes and goes for me. Sometimes it works, then it will stop. A reboot sometimes fixes it.

              Client has a /29 WAN for the usual 6 IPs, plus another 12 aliases, and forward lots of ports. NAT reflection is important.

              I added DNS aliases for all the external services, and that mitigates the worst of the problems, but that's a tacky - even cheesy - solution.

              I'm not sure what to look for in diagnosing this.

              • Supermule Banned

                http://forum.pfsense.org/index.php/topic,58581.0/topicseen.html

                • Supermule Banned

                  Are people seeing this on 32-bit builds as well?

                  • astickland

                    Thanks for the info - unfortunately, whatever I do the rules are simply not getting set up therefore NAT Reflection doesn't even get a chance to start.

                    Weird!!

                    • astickland

                      OK, the firewall instances I am trying to get working reside in a Virtual Data Centre and are deployed from Release images of pfSense 2.0 and use DHCP for the allocation of WAN IP addresses.

                      On the chance that creation of the NAT Reflection entries was being prevented by the DHCP setting, I switched one of the firewalls to use a static IP address.

                      No better - and I rebooted just in case :(

                      So, other than the settings under System -> Advanced & not using 'enabled' on the NAT rule itself, what else can prevent this being set up?

                      Digging into the source code, it looks as though the culprit might be in filter_get_reflection_interfaces() because the WAN interface I am applying the rule to has a Gateway - or am I barking up the wrong tree?

                      • Waco1

                        Count the number of forwards you're doing, especially including port ranges.

                        Make sure the total is less than 500.

                        That was my problem (RTP port range for Jabber = 10,000 forwards, all set for "System Default" reflection). It's rock-solid now.

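An added example (not from the thread or the pfSense code base): the count described in the post above, expanding port ranges in a copy of /tmp/rules.debug and comparing the total with the 500 figure quoted there. The rules are constructed, and the `low:high` range form is assumed to be how ranges appear in the file.

```python
import re

# Constructed rules.debug excerpt; the addresses and ranges are invented.
# Assumption: ranges appear in pf's "low:high" form, e.g. "port 10000:19999".
RULES_DEBUG = """\
rdr pass on em0 proto tcp from any to 10.20.30.40 port 1234 -> 123.123.123.162
rdr on { em1 enc0 openvpn } proto tcp from any to 10.20.30.40 port 1234 tag PFREFLECT -> 127.0.0.1 port 19000
rdr pass on em0 proto tcp from any to 10.20.30.41 port 5222:5223 -> 123.123.123.170
rdr pass on em0 proto udp from any to 10.20.30.41 port 10000:19999 -> 123.123.123.170
"""

REFLECTION_LIMIT = 500  # figure quoted in the post above

# Ordinary forwards only: the port spec is followed directly by "->".
FORWARD = re.compile(
    r"^rdr\b.*?\bto\s+(\S+)\s+port\s+(\d+)(?::(\d+))?\s+->\s+(\S+)")

def forwarded_ports(rules_text):
    """Return [(port_count, wan_ip, port_spec, target)], largest first."""
    rows = []
    for line in rules_text.splitlines():
        line = line.strip()
        if "PFREFLECT" in line:      # generated reflection rule, not a forward
            continue
        m = FORWARD.match(line)
        if not m:
            continue
        wan_ip, low, high, target = m.groups()
        low, high = int(low), int(high or low)
        if high < low:               # malformed range: skip it, keep going
            continue
        spec = f"{low}:{high}" if high != low else str(low)
        rows.append((high - low + 1, wan_ip, spec, target))
    return sorted(rows, reverse=True)

def over_limit(rules_text, limit=REFLECTION_LIMIT):
    """True when the expanded forward count is not below the limit."""
    return sum(r[0] for r in forwarded_ports(rules_text)) >= limit

if __name__ == "__main__":
    for count, wan_ip, spec, target in forwarded_ports(RULES_DEBUG):
        print(f"{count:6d}  {wan_ip} port {spec} -> {target}")
    print("over limit:", over_limit(RULES_DEBUG))
```

Sorting largest first puts the range that dominates the total at the top of the output.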
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.