Netgate Discussion Forum

    Port forward reply NAT not working.

    11 Posts 3 Posters 2.4k Views
    • Aubete

      Hi!

      First: sorry for my English.

      I searched the forum, but without success.

      I'm using pfSense 2.2.6-RELEASE and created a port forwarding rule:

      --------> DROTTALAN UDP * * DROTTALAN address 20000 192.168.5.253 20000 portforward

      The 5.253 is a pfSense with an OpenVPN server on port 20000.

      The linked rule exists:

      ---------> IPv4 UDP * * 192.168.5.253 20000 * none NAT portforward

      It was working until last week. But now:

      States:

      DROTTALAN udp 192.168.5.253:20000 (192.168.253.1:20000) <- 192.168.253.236:20000 MULTIPLE:MULTIPLE
      INFORMATIKA udp 192.168.253.236:20000 -> 192.168.5.253:20000 MULTIPLE:MULTIPLE

      Tcpdump:

      11:34:37.345780 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42
      11:34:37.354342 IP 192.168.5.253.20000 > 192.168.253.236.20000: UDP, length 54

      So the target is 253.1, but the reply came from 5.253.

      The pfSense is not translating the reply's IP address. Why?

      Thanks in advance.

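As an added example (not from the post, and not pfSense code), the following Python script automates the check the poster did by hand on the two tcpdump lines above: for every client that sent a packet to the port forward's listening address, it flags any reply to that client that comes from the forward's internal target instead of the listening address. The `PortForward` definition mirrors the rule in the post (192.168.253.1:20000 redirected to 192.168.5.253:20000); the "healthy" capture is a constructed counter-example showing what a correctly reverse-translated reply looks like.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """A destination-NAT rule: traffic to listen_ip:listen_port is sent to target_ip:target_port."""
    listen_ip: str
    listen_port: int
    target_ip: str
    target_port: int


# Matches 'tcpdump -n' UDP lines such as:
# 11:34:37.345780 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+): UDP, length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Parse tcpdump UDP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("src_port", "dst_port", "len"):
                d[key] = int(d[key])
            packets.append(d)
    return packets


def find_untranslated_replies(packets, fwd):
    """Return (client_ip, client_port, reply_src_ip) for replies that bypassed reverse NAT.

    A client that sent to listen_ip:listen_port must see its reply come back from
    listen_ip:listen_port. A reply to that client from target_ip:target_port means the
    firewall forwarded the request but did not rewrite the source of the answer.
    """
    clients = set()
    for p in packets:
        if (p["dst_ip"], p["dst_port"]) == (fwd.listen_ip, fwd.listen_port):
            clients.add((p["src_ip"], p["src_port"]))

    findings = []
    for p in packets:
        client = (p["dst_ip"], p["dst_port"])
        if client in clients and (p["src_ip"], p["src_port"]) == (fwd.target_ip, fwd.target_port):
            findings.append((client[0], client[1], p["src_ip"]))
    return findings


# The two lines quoted in the post (broken behaviour).
CAPTURE_FROM_POST = """\
11:34:37.345780 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42
11:34:37.354342 IP 192.168.5.253.20000 > 192.168.253.236.20000: UDP, length 54
"""

# Constructed capture of the same exchange with the reply translated correctly.
CAPTURE_HEALTHY = """\
11:40:01.000100 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42
11:40:01.008800 IP 192.168.253.1.20000 > 192.168.253.236.20000: UDP, length 54
"""

# Port forward as described in the post (assumed from the rule line shown there).
FORWARD = PortForward("192.168.253.1", 20000, "192.168.5.253", 20000)


def check(text, fwd=FORWARD):
    """Convenience wrapper: parse a capture and report untranslated replies."""
    return find_untranslated_replies(parse_tcpdump(text), fwd)


if __name__ == "__main__":
    for name, capture in (("post", CAPTURE_FROM_POST), ("healthy", CAPTURE_HEALTHY)):
        print(f"{name}: untranslated replies -> {check(capture)}")
```

Run it against a capture taken on the client-facing interface of the forwarding firewall; a non-empty result confirms the symptom in the post (request went to the listen address, reply left with the internal target's address). A client that legitimately talks to the internal target directly would also be reported, so use it on interfaces where the target is only reachable through the forward.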
      • johnpoz (LAYER 8 Global Moderator)

        So you have 2 pfSense, 1 behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

        So your downstream pfSense is NATting as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

        I would suggest you draw up your network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Aubete

          @johnpoz:

          So you have 2 pfSense, 1 behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

          So your downstream pfSense is NATting as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

          I would suggest you draw up your network.

          Thanks for the response.

          A schematic:

          dedicated
          vpn clients --- internet --- pfsense 5.253 ---- 5.254 pfsense 253.1 ---- MAN --- vpn clients
                                                                                    |
                                                                                    |
                                                                                internet

          The 5.253 pfSense is a dedicated VPN server with its own dedicated internet. But we have a MAN network (a wifi network with multiple sites), and those sites have VPNs to 5.253. The main pfSense has standard internet for browsing and other "normal internet stuff"; from the MAN we need to access the "normal" internet and the dedicated pfSense, so we need to port forward.

          The MAN is not "ours", so the routing and firewalling are not adjustable by me. Only the 253 network is routed.

          So a client at 253.236 sends a packet to 253.1; 253.1 port forwards the packet to 5.253. 5.253 answers this packet and sends it to 253.1, then 253.1 sends it to 253.236, but the source address is 5.253.

          The 253 network routes only the 253 network, so 253.236 cannot reach 5.253, only 253.1.

          Maybe this clears up the situation.

          Some time ago we had another weird thing on the main pfSense (the one that is not NATting now): the other VPN configs changed (not by an admin). The contents of the client setup page's advanced box moved to the server's advanced box. But this is another story...

          • johnpoz (LAYER 8 Global Moderator)

            So your downstream is not NATting? Where you move from RFC 1918 to public is where you would need to NAT; downstream stuff that is all RFC 1918 does not have to NAT.

            • Aubete

              Hi!

              Thanks for the reply.

              So is this something new in pfSense? This thing has been working for almost a year. Last week something happened that caused some troubles:

              1. the OpenVPN configs broke,
              2. the 20000 port is not NATting,
              3. the VLANs work weirdly (but this is maybe a switch-related problem).

              What changed?

              • Derelict (LAYER 8 Netgate)

                Did you make changes, upgrade, or anything?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • Aubete

                  Hi!

                  Thanks for the answer!

                  No, only an unexpected blackout happened. But the RFCs, IMHO, are not an explanation. If I have an internet connection to a router that has an internal network address on an internal interface... If I have more than one... So the NATting can work with internal addresses. My Linux routers manage that without any problem.

                  I tried:

                  - deleting and re-adding the rule,
                  - restarting the server,
                  - NATting other machines on the route.

                  Not working. I don't understand why. The other port forwardings work. Example: the 253.1 -> 127.0.0.1 one is working (this is needed for multi-input VPN); that interface is an internet interface too, but we don't use this function.

                  • Aubete

                    @Aubete: (quoting my post above)

                    I'll try to explain the structure. See the attached image (quick work..).

                    ![vpn explanation.jpg](/public/imported_attachments/1/vpn explanation.jpg)

                    • Aubete

                      Bump!

                      • Derelict (LAYER 8 Netgate)

                        I don't know if it's the language barrier or too much information in the diagram but I can't get a handle on what is or is not working. Nor do I understand why NAT is involved on the inside at all.

                        • Aubete

                          Hi!

                          Thanks for the answer.

                          So.. I'll try again...

                          There are two types of sites. One is on a DSL line; they connect via public internet access to the VPN servers. The second connects via the Middle Area Network (multiple sites connected via WLAN) to the VPN servers.

                          The first pfSense handles the database connections from the sites. The second pfSense handles the file-related connections from the sites. The first pfSense has 2 internet connections, a MAN connection and several internal LAN connections. The second pfSense has a very fast internet connection, a connection to the first pfSense and a connection to the file servers.

                          The MAN sites can't connect to the internet except through the first pfSense.

                          All sites must be connected to both pfSenses, but the MAN sites can do it only through the first pfSense (which handles the MAN network).

                          So the MAN network can't route to the second pfSense's network, so the MAN sites can't reach it.

                          Therefore the VPNs' destination is the first pfSense's MAN interface; the first pfSense forwards the port to the second pfSense.

                          The problem is, the second pfSense's response to the MAN sites goes through the first pfSense, but the first pfSense does not translate the outgoing packet's source address to the MAN interface's IP address.

                          The packet goes through the first pfSense into a network that can't handle the second pfSense's IP address; therefore the MAN sites can't build the VPN connection.

                          The diagram shows only the structure, not the problem.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.