Netgate Discussion Forum

    1:1 NAT not forwarding traffic for one IP address

    NAT
    4 Posts 3 Posters 911 Views
    • travisbrackett

      Hello

      I'm having a strange issue where my 1:1 NAT isn't working for one IP address, but all others are okay.  I've verified that this IP is reachable from the firewall with a ping/traceroute.

      I have Snort installed but it is disabled, so I don't believe it's causing the issue.  I shouldn't be able to ping the IP if it's blocked.

      From a working IP address, I can see traffic hitting my WAN interface, followed by the LAN interface as it forwards the traffic to the internal host as expected.

      From the non-working IP address, I see the traffic hitting the WAN interface, but then it's not forwarding out the LAN interface to the internal host.  A packet capture on the internal host confirms that the traffic is not being forwarded.

      I enabled logging on the firewall rule and I can see the translation happening:

      
          clog -f /var/log/filter.log | grep $Bad_IP_Address
          Aug 27 11:25:05 wabe-fw-ext01 pf:     $Bad_IP_Address.52222 > 172.16.16.121.443: Flags [S], cksum 0x775e (correct), seq 4000306878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      
      but it's not being forwarded out the LAN interface like one would expect.  The fact that it's working for all other IP addresses should rule out all the usual troubleshooting steps for a broken NAT: rules, routes, etc.
      
      Any help would be greatly appreciated!
      
      • Derelict (Netgate)

        > The fact that it's working for all other IP addresses should rule out all the usual troubleshooting steps for a broken NAT: rules, routes, etc.

        Why would you say that?  There's obviously something different in your rules somewhere for that IP address.

        Anything in your firewall logs indicating why it's being blocked?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • doktornotor

          People, there's a fine GUI displaying the firewall logs. It also features this X button to show the rule responsible for blocking. Or, you can just configure it in settings to always show that.

          Stop posting these unreadable raw logs.

          • travisbrackett

            I couldn't get the relevant messages to show up in the GUI.  Turns out it was the Bogon rule blocking the traffic, since it wasn't updating properly.
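The two checks the thread converges on are: find the entry in the filter log that actually blocked the source (the rule's tracker id, which the GUI's "X" button resolves to a rule for you), and confirm that the source address sits inside the firewall's bogon table. The script below is an added example and is not code from the thread or from pfSense. It parses pfSense-style `filterlog` CSV lines and a pf table file in the layout of `/etc/bogons`; the IPv4 field order used here is the author's understanding of the `filterlog` format and is treated as an assumption, and all log lines, prefixes and addresses are constructed for illustration, not real bogon data or real traffic.

```python
"""Triage a pfSense-style filterlog entry and test the blocked source
against a bogon table (added example; not pfSense code).

Assumptions: filterlog IPv4 field order as listed in IPV4_FIELDS; bogon
table in pf table format (one prefix per line, '#' comments).
"""
import ipaddress
from dataclasses import dataclass

# Constructed log lines (not real traffic). The first is the kind of entry
# the OP was looking for: a block on WAN carrying a rule tracker id.
SAMPLE_FILTERLOG = """\
Aug 27 11:25:04 wabe-fw-ext01 filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,0,0,DF,6,tcp,60,100.64.3.7,172.16.16.121,52222,443,0,S,4000306878,,8192,,mss;nop;wscale;nop;nop;sackOK
Aug 27 11:25:05 wabe-fw-ext01 filterlog: 71,,,1570000000,igb0,match,pass,in,4,0x0,,57,0,0,DF,6,tcp,60,198.51.100.20,172.16.16.121,41000,443,0,S,1234567890,,8192,,mss;nop;wscale;nop;nop;sackOK
"""

# Constructed stand-in for /etc/bogons. Not a real bogon list.
SAMPLE_BOGONS = """\
# constructed bogon table
0.0.0.0/8
100.64.0.0/10
127.0.0.0/8
192.0.0.0/24
"""

# Assumed filterlog IPv4 field order (common header, IPv4 header, then
# the TCP/UDP-specific fields).
IPV4_FIELDS = [
    "rulenr", "subrulenr", "anchor", "tracker", "iface", "reason", "action",
    "direction", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
    "proto_id", "proto", "length", "src", "dst", "srcport", "dstport",
    "datalen", "tcpflags",
]


@dataclass
class FilterEvent:
    tracker: str
    iface: str
    action: str
    direction: str
    src: str
    dst: str
    dstport: str
    tcpflags: str


def parse_filterlog(text):
    """Parse IPv4 TCP/UDP filterlog lines into FilterEvent records."""
    events = []
    for line in text.splitlines():
        if "filterlog: " not in line:
            continue
        fields = line.split("filterlog: ", 1)[1].split(",")
        if len(fields) < 23 or fields[8] != "4":
            continue  # only the IPv4 layout is handled here
        rec = dict(zip(IPV4_FIELDS, fields))
        tcpflags = fields[23] if rec["proto"] == "tcp" and len(fields) > 23 else ""
        events.append(FilterEvent(rec["tracker"], rec["iface"], rec["action"],
                                  rec["direction"], rec["src"], rec["dst"],
                                  rec["dstport"], tcpflags))
    return events


def load_bogons(text):
    """Load a pf table file (one prefix per line, '#' comments)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def bogon_match(ip, nets):
    """Return the prefixes in nets that contain ip (empty if none)."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in nets if addr in n]


def triage(ip, filterlog_text=SAMPLE_FILTERLOG, bogons_text=SAMPLE_BOGONS):
    """Return (tracker ids of rules that blocked ip, bogon prefixes containing ip)."""
    events = parse_filterlog(filterlog_text)
    trackers = sorted({e.tracker for e in events
                       if e.src == ip and e.action == "block"})
    return trackers, bogon_match(ip, load_bogons(bogons_text))


if __name__ == "__main__":
    for ip in ("100.64.3.7", "198.51.100.20"):
        trackers, bogons = triage(ip)
        print(f"{ip}: blocked by trackers {trackers or 'none'}; "
              f"bogon prefixes {bogons or 'none'}")
```

On a live pfSense box the same two questions are answered by `pfctl -t bogons -T test <ip>` (is the address in the loaded bogons table) and by looking up the tracker id from the log entry in `pfctl -vvsr` output; if the address matches a prefix the current bogon feed no longer lists, the local copy is stale and the bogon update schedule needs checking.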

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.