Netgate Discussion Forum
    'TTL exceeded' - 1:1 NAT'd IPs to IPs on bridge after 2.1 upgrade

    Category: Problems Installing or Upgrading pfSense Software
    2 Posts 2 Posters 1.4k Views
    Fr3d:

      I upgraded from 2.0.x to 2.1-release recently, and almost everything worked fine afterwards… except that I can no longer ping or otherwise communicate from privately-IP'd systems (1:1 NAT'd) with any (public) IPs that are on a bridged interface (DMZ) - I get a 'Time to live exceeded' response from my ISP's gateway IP.

      If I disable the 1:1 NAT so that outgoing traffic sources from pfSense's primary IP, everything works again. (However this is not a long-term solution - I need 1:1 NAT to work.)

      Communications to/from both the 1:1 NAT'd and the bridged systems work just fine from other systems on the internet. I also found that going from bridged to 1:1 NAT'd seems to work fine (i.e. the reverse of my problem).

      I've tried to think of and include all the relevant config bits below:

      Basic Firewall Config:
      ISP's gateway = 78.129.202.1
      bridge0 = WAN + DMZ
      em0 - WAN - 78.129.202.212 /24
      em4 - DMZ
      em2 - LAN - 10.0.0.1 /24

      Ping/traceroute from a 1:1 NAT'd system to a system on/behind bridge0:

      root@yoda.fr3d.org:~ # ping 78.129.202.211
      PING 78.129.202.211 (78.129.202.211) 56(84) bytes of data.
      From 78.129.202.1 icmp_seq=1 Time to live exceeded
      From 78.129.202.1 icmp_seq=2 Time to live exceeded
      
      --- 78.129.202.211 ping statistics ---
      2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
      root@yoda.fr3d.org:~ # tracert 78.129.202.211
      traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
       1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
       2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
       3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
       4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
       [traceroute continues to hop #30, and then stops]
      

      1:1 NAT:
      Yoda - 10.0.0.10 <-> 78.129.202.213 (Proxy ARP Virtual IP on WAN/em0)
      (All ports/destinations, no other special configuration directives).

      (Advanced) Outbound NAT:
      There is a default rule for all non-1:1 systems to source from pfSense's primary IP

      Advanced Settings -> NAT reflection:
      Enabled (NAT + Proxy)
      (I have tried changing this to the other two options, to no avail.)

      Port Forwards:
      None configured.

      Firewall rules:
      LAN: Allow all rule
      DMZ: Allow all rule
      WAN: Allow all from 1:1 NAT'd IPs -> any destination

      Anyone got any ideas?

      Thanks in advance :)

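The trace in the post above has a recognisable signature: the destination 78.129.202.211 sits inside the WAN subnet (78.129.202.212/24, so it should be delivered on-link through bridge0 without touching a gateway), yet every hop after pfSense is the ISP gateway 78.129.202.1 answering with TTL exceeded. The script below is an added example and is not part of the original post, of pfSense, or of any Netgate tooling. It parses traceroute output, detects a forwarding loop (the same address answering on consecutive hops) and flags a hairpin through the upstream gateway for a destination that is on-link for WAN. The WAN address, prefix and gateway are the values quoted in the post; the traces are constructed samples (the looping one is the post's output truncated after hop 4, the healthy one shows what a direct on-link delivery would look like, with hypothetical timings), and all function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the traceroute from the post, truncated after hop 4.
LOOPING_TRACE = """\
traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
 1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
 2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
 3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
 4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
"""

# Constructed sample (hypothetical timings): a healthy trace to the same host.
# The destination is on-link behind bridge0, so the only hop before it is pfSense.
HEALTHY_TRACE = """\
traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
 1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
 2  78.129.202.211 (78.129.202.211)  0.412 ms  0.398 ms  0.401 ms
"""

HEADER_RE = re.compile(r'^traceroute to \S+ \((\d+(?:\.\d+){3})\)')
HOP_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)')
TIMEOUT_RE = re.compile(r'^\s*(\d+)\s+\*')  # hop that only timed out: "N  * * *"


def parse_trace(text):
    """Return (destination, [(hop_number, address_or_None), ...])."""
    destination = None
    hops = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            destination = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return destination, hops


def find_loop(hops, min_repeats=3):
    """Return (address, first_hop, run_length) for the first address that
    answers on min_repeats or more consecutive hops, else None."""
    runs = []  # (address, first hop number, consecutive count)
    for hop_no, addr in hops:
        if addr is not None and runs and runs[-1][0] == addr:
            a, start, n = runs[-1]
            runs[-1] = (a, start, n + 1)
        else:
            runs.append((addr, hop_no, 1))
    for addr, start, n in runs:
        if addr is not None and n >= min_repeats:
            return (addr, start, n)
    return None


def diagnose(text, wan_cidr, wan_gateway):
    """Classify a trace against the firewall's WAN subnet and upstream gateway.

    wan_cidr is the WAN address with prefix (here '78.129.202.212/24') and
    wan_gateway the ISP gateway ('78.129.202.1'), both from the post's config."""
    destination, hops = parse_trace(text)
    wan_net = ipaddress.ip_interface(wan_cidr).network
    on_link = ipaddress.ip_address(destination) in wan_net
    reached = bool(hops) and hops[-1][1] == destination
    via_gateway = any(addr == wan_gateway for _, addr in hops)
    return {
        'destination': destination,
        'destination_on_wan_subnet': on_link,
        'reached': reached,
        'loop': find_loop(hops),
        # An on-link destination must never be hairpinned through the upstream
        # gateway; if it is, the packet left (or re-entered) pfSense the wrong way.
        'hairpin_via_gateway': on_link and via_gateway,
    }


if __name__ == '__main__':
    for label, trace in (('looping', LOOPING_TRACE), ('healthy', HEALTHY_TRACE)):
        print(label, diagnose(trace, '78.129.202.212/24', '78.129.202.1'))
```

Run it against the raw output of `traceroute` from the NAT'd host: a non-empty `loop` together with `hairpin_via_gateway` is the pattern from this thread and tells you to look at how the firewall forwards the translated packet, not at the bridged host, which the post says is reachable from everywhere else. The script only classifies the symptom; it does not identify which pfSense component is at fault.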
      barnaba:

        Hi,

        I can confirm this problem; I also had this when upgrading to 2.1.
        There seems to be one urgent bug inside of pfSense 2.1 regarding this.
        I tried all configurations to fix this, also changing some kernel parameters, but nothing seemed to help, only downgrading back to 2.01!

        I noticed that the outbound settings couldn't configure a /32 subnet, only bigger subnets, which results in confusion when finding the correct outbound IP in case you have multiple IPs but need to set outbound for every IP (/32), in my opinion.

        kind regards,
        barnaba

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.