Nat Outbound
-
Hi,
I've got a cluster.
I've got various subnets (192.168.0.0/16) cut with VLANs (e.g. 192.168.x.0/24).
I've defined two VLANs on one specific interface: vlan2 and vlan3
vlan2: 192.168.2.0/24
vlan3: 192.168.3.0/24
wan-carp: x.y.z.1
dmz-carp: 192.168.4.4
vlan2-carp: 192.168.2.2
vlan3-carp: 192.168.3.3
vlan2 is the Admin VLAN.
vlan3 is mapped as the LAN.
In the NAT Outbound, I've defined the following rules:
Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port    Static Port  Description
WAN        192.168.0.0/16  *            *            *                 x.y.z.1      *           NO           Use WAN-CARP
WAN        127.0.0.0/8     *            *            *                 x.y.z.1      1024:65535  NO           Use WAN-CARP for localhost
vlan2      192.168.2.0/24  *            *            *                 192.168.2.2  *           NO           Use vlan2-CARP
vlan3      192.168.3.0/24  *            *            *                 192.168.3.3  *           NO           Use vlan3-CARP
dmz        192.168.4.0/24  *            *            *                 192.168.4.4  *           NO           Use DMZ-CARP

My question is about the NAT Outbound rules for the vlan2, vlan3, and DMZ interfaces:
Should I correct the source of the subnet, e.g. the LAN 192.168.3.0/24 -> 192.168.0.0/16?
Is there any error in the NAT Outbound rules?
Thank you in advance for your help.
Peace.
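pfSense evaluates outbound NAT rules top to bottom against the interface a packet is about to leave through, so a rule attached to vlan2, vlan3 or dmz only ever acts on traffic being forwarded into that segment; traffic from a DMZ or LAN host heading to the internet leaves via WAN and is matched against the WAN rules alone. The Python below is an added illustration of that first-match logic and is not code from this thread or from pfSense. The rule list is reconstructed from the table in the post, "x.y.z.1" keeps the post's placeholder for the WAN CARP VIP, and the host addresses 192.168.4.42 and 192.168.3.10 are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str      # interface the packet LEAVES through (outbound NAT is matched on egress)
    source: str         # source network, CIDR
    nat_address: str    # address the source is rewritten to (here: a CARP VIP)
    description: str


# Constructed to mirror the table in the first post; "x.y.z.1" is the post's own placeholder.
RULES: List[OutboundNatRule] = [
    OutboundNatRule("WAN",   "192.168.0.0/16", "x.y.z.1",     "Use WAN-CARP"),
    OutboundNatRule("WAN",   "127.0.0.0/8",    "x.y.z.1",     "Use WAN-CARP for localhost"),
    OutboundNatRule("vlan2", "192.168.2.0/24", "192.168.2.2", "Use vlan2-CARP"),
    OutboundNatRule("vlan3", "192.168.3.0/24", "192.168.3.3", "Use vlan3-CARP"),
    OutboundNatRule("dmz",   "192.168.4.0/24", "192.168.4.4", "Use DMZ-CARP"),
]


def match_outbound_nat(rules, egress_interface, src_ip) -> Optional[OutboundNatRule]:
    """First match wins, top to bottom: a rule applies only when the packet leaves through
    the rule's interface AND its source address lies inside the rule's source network."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_interface and ip in ipaddress.ip_network(rule.source):
            return rule
    return None


def translated_source(rules, egress_interface, src_ip) -> str:
    """Source address the far end will see; unchanged when no rule matches."""
    rule = match_outbound_nat(rules, egress_interface, src_ip)
    return rule.nat_address if rule else src_ip


def widen_source(rules, interface, new_source):
    """Copy of the rule set with the source of every rule on `interface` replaced,
    e.g. 192.168.4.0/24 -> 192.168.0.0/16, the change the post asks about."""
    return [replace(r, source=new_source) if r.interface == interface else r for r in rules]


def explain(rules, egress_interface, src_ip) -> str:
    rule = match_outbound_nat(rules, egress_interface, src_ip)
    if rule is None:
        return f"{src_ip} out via {egress_interface}: no outbound NAT rule, source unchanged"
    return f"{src_ip} out via {egress_interface}: '{rule.description}' -> source becomes {rule.nat_address}"


if __name__ == "__main__":
    # A DMZ server talking to the internet leaves via WAN: only the WAN rules are consulted.
    print(explain(RULES, "WAN", "192.168.4.42"))
    # The dmz rule fires only for packets LEAVING via dmz, i.e. traffic forwarded INTO the DMZ.
    # A LAN (vlan3) client reaching a DMZ server is outside 192.168.4.0/24, so nothing matches...
    print(explain(RULES, "dmz", "192.168.3.10"))
    # ...whereas with the source widened to /16 the DMZ server sees the DMZ CARP VIP instead of
    # the real LAN client, so its logs no longer record who actually connected.
    print(explain(widen_source(RULES, "dmz", "192.168.0.0/16"), "dmz", "192.168.3.10"))
```

The last case is the practical consequence of the /24 -> /16 change asked about: it does not touch internet-bound traffic at all, but it does rewrite the source of inter-segment traffic entering the DMZ, which removes the client address from the DMZ servers' logs and from any firewall rule on the DMZ side that keys on it.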
-
In this config, one server on the DMZ cannot establish an SSH connection to a remote server on the internet…
ssh_exchange_identification: Connection closed by remote host
From the pfSense master, I can connect to the remote server without problem…
Any idea about my NAT Outbound problem?
Thank you in advance for any suggestion.
-
I deleted these three rules on the NAT Outbound:
vlan2      192.168.2.0/24  *  *  *  192.168.2.2  *  NO  Use vlan2-CARP
vlan3      192.168.3.0/24  *  *  *  192.168.3.3  *  NO  Use vlan3-CARP
dmz        192.168.4.0/24  *  *  *  192.168.4.4  *  NO  Use DMZ-CARP
-
In this config, one server on the DMZ cannot establish an SSH connection to a remote server on the internet…
ssh_exchange_identification: Connection closed by remote host
From the pfSense master, I can connect to the remote server without problem…
Correction:
From the LAN and the DMZ, I cannot access a server on the internet on the SSH port through the pfSense cluster, although I can from anywhere else (e.g. from my home)…
The same error, although the rules are open on the LAN and the DMZ:
ssh_exchange_identification: Connection closed by remote host
What could be the problem here?!?
The tcpdump from the DMZ and the LAN are almost the same; the traffic cannot go out…:
16:48:29.157536 IP 192.168.4.42.10.55162 > 42.42.42.42.22: tcp 0
16:48:29.160836 IP 42.42.42.42.22 > 192.168.4.42.55162: tcp 0
16:48:29.177688 IP 192.168.4.42.55162 > 42.42.42.42.22: tcp 0
16:48:34.194287 IP 42.42.42.42.22 > 192.168.4.42.10.55162: tcp 0
16:48:34.221315 IP 192.168.4.42.10.55162 > 42.42.42.42.22: tcp 0
16:48:34.224327 IP 42.42.42.42.22 > 192.168.4.42.10.55162: tcp 0
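The capture above is in tcpdump's quiet summary shape, where the trailing number after "tcp" is the TCP payload length, so "tcp 0" means a segment carrying no application data. That makes a capture like this useful for deciding where a failing outbound flow breaks: if reply packets come back at all, translation and return routing handled the flow, and a session in which packets cross in both directions but never carry a byte of payload failed above TCP rather than in NAT. The Python below is an added example, not code from this thread; it parses quiet-mode summary lines, groups them into client-to-server flows and applies that reasoning. The sample lines are constructed to resemble the post's capture (the "42.42.42.42" address is the post's own placeholder), and one deliberately malformed line shows that non-matching input is skipped.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# tcpdump -q prints: "<time> IP <src>.<sport> > <dst>.<dport>: tcp <payload bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): tcp (?P<payload>\d+)$"
)

# Constructed sample modelled on the capture in the post; the post's own lines are not reused.
SAMPLE = """\
16:48:29.157536 IP 192.168.4.42.55162 > 42.42.42.42.22: tcp 0
16:48:29.160836 IP 42.42.42.42.22 > 192.168.4.42.55162: tcp 0
16:48:29.177688 IP 192.168.4.42.55162 > 42.42.42.42.22: tcp 0
16:48:34.194287 IP 42.42.42.42.22 > 192.168.4.42.55162: tcp 0
16:48:34.221315 IP 192.168.4.42.55162 > 42.42.42.42.22: tcp 0
16:48:34.224327 IP 42.42.42.42.22 > 192.168.4.42.55162: tcp 0
this line is not a tcpdump summary and must be ignored
"""

FlowKey = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


def parse_lines(text: str) -> List[dict]:
    """Keep only lines that match the quiet-mode summary shape; anything else is dropped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "payload"):
                d[k] = int(d[k])
            packets.append(d)
    return packets


def summarize_flows(text: str, local_net: str = "192.168.0.0/16") -> Dict[FlowKey, dict]:
    """Group packets into client->server flows. A packet whose source lies in local_net is
    outbound; a reply is recognised by its swapped address/port pair and folded into the same flow."""
    net = ipaddress.ip_network(local_net)
    flows: Dict[FlowKey, dict] = defaultdict(
        lambda: {"out_pkts": 0, "in_pkts": 0, "out_bytes": 0, "in_bytes": 0})
    for p in parse_lines(text):
        if ipaddress.ip_address(p["src"]) in net:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            flows[key]["out_pkts"] += 1
            flows[key]["out_bytes"] += p["payload"]
        else:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            flows[key]["in_pkts"] += 1
            flows[key]["in_bytes"] += p["payload"]
    return dict(flows)


def classify(flow: dict) -> str:
    """Locate the failure from packet and payload counts only (quiet mode hides TCP flags)."""
    if flow["in_pkts"] == 0:
        return "no-reply: nothing comes back, so translation, routing or the far end drops the flow"
    if flow["out_bytes"] == 0 and flow["in_bytes"] == 0:
        return ("handshake-only: packets cross both ways but no payload flows, so NAT and return "
                "routing pass this flow; the failure sits above TCP (rerun tcpdump without -q to see flags)")
    return "data-exchanged: the session carried application data"


def report(text: str) -> Dict[FlowKey, str]:
    return {key: classify(flow) for key, flow in summarize_flows(text).items()}


if __name__ == "__main__":
    for key, verdict in report(SAMPLE).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}: {verdict}")
```

On the constructed sample the single flow is reported as handshake-only: three packets leave, three return, and none carries data. That is consistent with an error such as "ssh_exchange_identification: Connection closed by remote host", which the SSH client prints after the TCP connection exists and the peer closes it before the banner exchange completes; to see which side sent a FIN or RST, capture again without -q so the flags are printed.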