Netgate Discussion Forum
    PFSense 2.1 Release - NAT Reflection not working

      Daniel.Rollins 0

      Just tried that but still no good.

        kejianshi

        Question - Did you ever have this working before?

          Daniel.Rollins 0

          No, I started with 2.1 RC (I am new to PFSense) and it didn't work. I hoped the Release version would fix it but it didn't.

            kejianshi

            If you go into a command tool somewhere and type:

            telnet smtp.aol.com 25

            What happens?

              Daniel.Rollins 0

              It waits then times out, same as when I try to test my port-forward using the external address when inside the network (NAT Reflection).

                kejianshi

                Your port 25 is blocked by ISP I think.

                I think you are wasting your time, but to be sure, try to check against more mail servers.

                  Daniel.Rollins 0

                  At the moment the ISP is blocking the port (getting that fixed with ISP shortly), but that is not the point. I am trying to access my internal server via my External address. This should not use the ISP's network, just my internal network, and my PFSense router.

                  I should also mention that I am having this problem with NAT Reflection with other ports that have the same configuration but are not blocked by my ISP. I have an Exchange server with ActiveSync set up. My cell phone can access my email server when using the cell network but if I am onsite connected to wireless then I can no longer connect to my server. So the problem does appear to be caused by NAT Reflection not working.

                    kejianshi

                    I'm not sure - Thing is it works perfectly for me and most people so I'm thinking it's something unique to either your network, host, or something.

                    Is this a real machine?  VM?

                      Daniel.Rollins 0

                      It is a VM. One other thing I should mention is that the LAN side is a /24 network but has a route to additional subnets that are reachable through it. So it looks like this:

                      WAN Side ----- PFSense ----- LAN Network ----- Router ----- Other Subnets including DMZ

                      The router will allow the packets to come in from the pfsense box and allows the packets from the server subnet to the PFSense box so it is not blocking anything. The only thing I can think of is that I either have a setting wrong in PFSense or perhaps the NAT Reflection only allows packets to or from the actual LAN network and not the subnets beyond it like the DMZ. If that is the case, is there a workaround or setting change I can make so that it will work the way I want?

                      Note: Before I switched to PFSense, I used a WRT54GL running DD-WRT with the same setup and it worked fine as long as I turned on NAT Reflection. When I had NAT Reflection off on the DD-WRT I had the same problems I have now with PFSense. I didn't make any other changes to the switches or routers, just swapped out the WRT54G with a PFSense VM.

                        kejianshi

                        I don't have the answer for that one.  Is your current version of pfsense 64 bit?

                          Daniel.Rollins 0

                          Yes, 64-bit. I also did another test and enabled the Windows 7 Simple TCP/IP Services so that I would get a "quote of the day" if I telnet to port 17, then set up a port-forward and enabled the NAT-Reflection. I can get to that port from outside the network and from inside the network using the internal IP address but still cannot get to it from inside via the External IP, so I know for sure the ISP has nothing to do with it. I also tried putting the Windows machine on the actual LAN subnet and tested again but it still does not work (ruling out the router and additional subnets).

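The three-vantage test described in the post above (outside to external IP, inside to internal IP, inside to external IP), written as an added example that is not part of the thread. The function names and the addresses `192.0.2.10` and `192.168.1.50` are placeholders chosen for illustration; the outside result has to be observed from a host off the network and supplied by hand.

```python
import socket

def probe(host, port, timeout=3.0):
    """Try one TCP connect and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"      # packets dropped or replies never came back
    except ConnectionRefusedError:
        return "refused"      # host reachable, nothing listening
    except OSError:
        return "error"        # no route, DNS failure, etc.

def diagnose(outside_external, inside_internal, inside_external):
    """Interpret the three observations from the thread's test.

    outside_external: result seen from a host outside the network
    inside_internal:  LAN client -> server's internal IP
    inside_external:  LAN client -> firewall's external IP (reflected path)
    """
    if inside_internal != "open":
        return "service"          # server is not answering on the LAN at all
    if inside_external == "open":
        return "reflection-ok"
    if outside_external == "open":
        return "reflection"       # forward works from WAN; only hairpin fails
    return "inconclusive"         # forward or upstream (e.g. ISP) may be at fault

if __name__ == "__main__":
    # Placeholder addresses (assumptions): substitute your own.
    EXTERNAL_IP, INTERNAL_IP, PORT = "192.0.2.10", "192.168.1.50", 17
    inside_int = probe(INTERNAL_IP, PORT)
    inside_ext = probe(EXTERNAL_IP, PORT)
    # Result from outside must come from a run off-network; entered by hand.
    print(inside_int, inside_ext, diagnose("open", inside_int, inside_ext))
```

With port 25 blocked upstream the same matrix comes out "inconclusive", which is why moving the test to an unblocked port such as 17 isolates the reflected path.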
                            kejianshi

                            Please back up your settings, download the 32bit version, install it, restore your settings and try all the same things again.
                            This is an experiment.  I've encountered several recent examples of things working fine in 32bit but not in 64bit.
                            Please humour me.

                              Daniel.Rollins 0

                              Tried 32-bit version, still did not work.

                                kejianshi

                                Well - That's good, for 64bit version anyway.

                                I really don't know at this point.  Question.

                                Can you post your firewall rules for the WAN and LAN?

                                (Never mind - I'm an idiot.  I see them)

                                  kejianshi

                                  I've seen that gateways have been renamed or changed mysteriously upon upgrade by some.
                                  In one case it just killed his RRD data.

                                  In another case the gateway inserted itself into the openvpn and WAN firewall rules.

                                  Could some sort of gateway rename/change/insertion have happened to you?

                                  I'm reaching…

                                    Daniel.Rollins 0

                                    The gateways all seem to be OK. Is there a specific thing I should check? I had this problem before the upgrade as well and that was a new install.

                                      kejianshi

                                      As you said earlier, it may be a problem with the way you configured your DMZ.  I'm out of swags at this point.
                                      That's the old Scientific Wild-Ass Guess
                                      or in my case the Super Wild-Ass Guess

                                      Not the new urban dictionary hijacked swag.

                                        Supermule Banned

                                        Is it possible to have remote access to the thing?

                                          Daniel.Rollins 0

                                          No, sorry.

                                            kejianshi

                                            You can use TeamViewer to remote in if it's installed on a connected computer.
