1:1 NAT fails - local server loses internet access
-
Hello,
I'm having difficulties narrowing down the problem I'm having with one of the IPs on my firewall (pfSense 2.2.2). A few of my available public IPs are configured on my firewall with 1:1 NAT and proper firewall rules and they work properly. I attempted to use one of the available IPs for a new local server and configured pfSense as I did with the previous IPs. So what I did is (X.Y.Z.245 is the public IP I'm attempting to configure):
- Added a Virtual IP as IP Alias X.Y.Z.245/28
- Added a 1:1 NAT mapping rule on the WAN interface: External subnet IP X.Y.Z.245; Internal IP: 192.168.1.110
- Added a WAN rule to allow anything with destination 192.168.1.110, protocol any (which allows everything, including icmp and http)
(After doing these steps I lost internet connectivity on my local server 192.168.1.110)
- Added an Outbound NAT rule to translate 192.168.1.110 to X.Y.Z.245
Pinging the local server from the firewall works fine, so after these steps I tested pinging the public IP from outside and I didn't get any responses, as expected.
I went through these documents and made sure I have everything needed.
https://doc.pfsense.org/index.php/1:1_NAT
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
I used pfctl to see the actual rules and verified them successfully. Is there something I missed?
I'm looking for some help/guidance on further steps to narrow down this problem - any input is appreciated. Thank you!
-
Nothing in the firewall log (Status - Systems logs - Firewall) showing as being blocked between your test client and the server?
-
Check Diag > States, is it getting translated correctly? If so, packet capture on WAN filtered on that VIP, what does that show? Probably the traffic leaving and nothing coming back, which means the IP is used somewhere else maybe, or that you formerly had it used somewhere else and your upstream ARP cache needs clearing (reboot modem/router if applicable, otherwise you may have to contact your ISP).
-
Hello! Thank you for all your replies!
KOM,
I checked System Logs -> Firewall but have not found any block (or allow) indications.
I have also enabled logging on the rules and re-checked - I haven't found related traffic records.
cmb,
I checked states (results below) and it looks like it gets translated correctly.
WAN1_CC tcp X.Y.Z.245:56581 (192.168.1.110:56581) -> IP.IP.142.197:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:58541 (192.168.1.110:58541) -> IP.IP.31.1:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:56000 (192.168.1.110:56000) -> IP.IP.47.19:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:56584 (192.168.1.110:56584) -> IP.IP.142.197:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:56002 (192.168.1.110:56002) -> IP.IP.47.19:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:58545 (192.168.1.110:58545) -> IP.IP.31.1:80 SYN_SENT:CLOSED
WAN1_CC tcp X.Y.Z.245:56004 (192.168.1.110:56004) -> IP.IP.47.19:80 SYN_SENT:CLOSED
Packet capture didn't show any packets while I was pinging X.Y.Z.245 and trying to browse via HTTP.
I have already rebooted pfSense before but I will do it again and reboot the Comcast modem as well - I will update tomorrow with results of this check.
This IP was used only on that firewall before but might have been assigned to some other IP before, then removed, then re-added - not sure if this may leave some leftovers somewhere(?). In the meantime - any further suggestions appreciated. Thank you!
-
Ah cable. Yes, reboot the modem for sure. Any add/change of IPs requires a modem power cycle most of the time. If you saw nothing coming in, the modem isn't sending it to you. Your NAT looks correct from the states and you're passing the traffic since those exist.
-
Hello,
Thank you for your time and replies to this matter.
Back to the case. I verified that all rules are correct, restarted our modem, restarted pfSense - still getting the same behavior.
Checked states - translation is correct.
Packet capture - again no packets incoming to this IP. I noticed that at least one more IP from my subnet is showing the same behavior, other IPs are responding correctly. I configured one of the IPs that is responding correctly as my 1:1 NAT translation, added firewall rules - my 1:1 NAT setup worked right away.
Some IPs work and some don't. My ISP's customer care told me that everything seems to be ok on their end - Is there any way to verify this?
# Show Firewall Rules:
pfctl -sr
# Show NAT rules
pfctl -sn
Are there any other commands with which I could verify that my rules actually exist on pfSense? (I wonder how to list virtual IPs from the command line?)
Any other suggestions are welcome.
-
Packet capture - again no packets incoming to this IP, I noticed that at least one more IP from my subnet is showing the same behavior, other IPs are responding correctly.
Where you see nothing at all for that IP in a packet capture on WAN, not even ARP requests, it's a problem with your modem most often with cable, otherwise something to do with your ISP. If the VIP weren't actually configured or triggering an ARP response for some reason, you'd see repeated incoming ARP requests on WAN "who has x.x.x.x" for the IP in question, with no replies, when you're sending traffic in from the Internet to that destination IP. No point in digging into the VIP when there is nothing at all for that IP on WAN, as you know 100% for sure the problem is upstream.
-
Hi Arci,
I was curious: it's my first attempt fiddling with VIPs and 1:1 NAT on pfSense (2.2.3) and I can't seem to make it work!
Have you figured it out yourself? Maybe we can help each other…
Thanks!
-
Maybe we can help each other…
Start your own thread with your particular details instead of hijacking this old thread.
-
@KOM:
Maybe we can help each other…
Start your own thread with your particular details instead of hijacking this old thread.
Maybe you're right, but I usually don't consider a less-than-1-month-old thread an old one, adding the fact that it isn't marked as solved…
-
@cmb:
Where you see nothing at all for that IP in a packet capture on WAN, not even ARP requests, it's a problem with your modem most often with cable, otherwise something to do with your ISP. If the VIP weren't actually configured or triggering an ARP response for some reason, you'd see repeated incoming ARP requests on WAN "who has x.x.x.x" for the IP in question, with no replies, when you're sending traffic in from the Internet to that destination IP. No point in digging into the VIP when there is nothing at all for that IP on WAN, as you know 100% for sure the problem is upstream.
Hello Community,
I know this is an almost year-old thread but unfortunately we never got it resolved.
As cmb suggested, it might have been an issue with the provider's modem; however, we were able to test these IP addresses when connected directly to the Comcast modem and all of them worked fine, as opposed to what we can use on pfSense:
Here is a list of which IPs work and which doesn't:
xx.xx.xx.241/28 - pfsense WAN
xx.xx.xx.242/28 - WORKS
xx.xx.xx.243/28 - DOESN'T WORK
xx.xx.xx.244/28 - WORKS
xx.xx.xx.245/28 - DOESN'T WORK
xx.xx.xx.246/28 - DOESN'T WORK
xx.xx.xx.247/28 - DOESN'T WORK
xx.xx.xx.248/28 - DOESN'T WORK
xx.xx.xx.249/28 - WORKS
xx.xx.xx.250/28 - WORKS
xx.xx.xx.251/28 - WORKS
xx.xx.xx.252/28 - WORKS
xx.xx.xx.253/28 - DOESN'T WORK
xx.xx.xx.254/28 - Comcast Gateway
As stated above, there are no incoming packets when checked by packet capture.
Every IP is a separate entry on the Virtual IPs tab - this seems to be correct for another subnet we have with a different provider.
What else could I try checking?
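As a further check for the "what else could I try" question above, here is an added example (not from the thread or from pfSense) that applies cmb's diagnostic mechanically to a saved WAN capture: it tells apart "nothing for that IP at all" (upstream), "ARP who-has with no reply from us" (VIP not answering ARP), and "inbound IP packets present" (look at NAT/rules instead). It assumes plain tcpdump text output without -e, for instance from `tcpdump -ni WANIF 'host VIP or arp'` on the pfSense shell, and uses a constructed sample capture with RFC 5737 addresses rather than the poster's real subnet.

```shell
#!/bin/sh
# Classify what a WAN packet capture shows for each public IP (VIP), following
# the diagnostic in cmb's reply. Input: tcpdump text output (run without -e,
# e.g. tcpdump -ni WANIF 'host VIP or arp'), saved to a file.
# Verdicts:
#   UPSTREAM       nothing for the VIP on WAN at all   -> modem/ISP side
#   NO_ARP_REPLY   who-has seen, no reply from us     -> VIP not answering ARP
#   ARP_OK_NO_IP   ARP answered but no inbound IP     -> upstream not forwarding
#   REACHES_WAN    inbound IP packets for the VIP     -> check NAT/rules instead
classify_vip() {
  capfile=$1; vip=$2
  # escape dots so the address matches literally inside grep's regex
  re=$(printf '%s' "$vip" | sed 's/\./\\./g')
  # "|| true": grep -c exits 1 on zero matches, which would trip set -e
  arp_req=$(grep -c "who-has ${re} tell" "$capfile" || true)
  arp_rep=$(grep -c "Reply ${re} is-at" "$capfile" || true)
  ip_in=$(grep -c " > ${re}[.:]" "$capfile" || true)   # VIP as destination only
  if [ "$ip_in" -gt 0 ]; then
    echo REACHES_WAN
  elif [ "$arp_req" -gt 0 ] && [ "$arp_rep" -eq 0 ]; then
    echo NO_ARP_REPLY
  elif [ "$arp_req" -gt 0 ]; then
    echo ARP_OK_NO_IP
  else
    echo UPSTREAM
  fi
}

# Constructed sample capture (RFC 5737 addresses, not the poster's real subnet):
# .242 gets ping + HTTP SYN, .244 is ARP-resolved only, .243 is asked for but
# never answered, .245 never appears.
write_sample_capture() {
  cat > "$1" <<'EOF'
12:00:01.000001 IP 198.51.100.7 > 203.0.113.242: ICMP echo request, id 1, seq 1, length 64
12:00:01.000120 IP 203.0.113.242 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 64
12:00:01.500000 IP 198.51.100.9.51234 > 203.0.113.242.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 ARP, Request who-has 203.0.113.244 tell 203.0.113.254, length 28
12:00:02.000050 ARP, Reply 203.0.113.244 is-at 00:00:5e:00:53:01, length 28
12:00:03.000001 ARP, Request who-has 203.0.113.243 tell 203.0.113.254, length 28
12:00:04.000001 ARP, Request who-has 203.0.113.243 tell 203.0.113.254, length 28
EOF
}

cap=$(mktemp)
write_sample_capture "$cap"
for vip in 203.0.113.242 203.0.113.243 203.0.113.244 203.0.113.245; do
  printf '%-16s %s\n' "$vip" "$(classify_vip "$cap" "$vip")"
done
rm -f "$cap"
```

The script only judges what reached the WAN interface; to confirm the IP Alias VIPs themselves exist from the command line, `ifconfig` on the WAN interface lists each alias as an additional `inet` line.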