NAT 1:1 on 2.1-RELEASE issue
Hello,

After upgrading to 2.1-RELEASE from 2.1-RC1 I got the following issue: NAT 1:1 does not work properly.

- If I try to connect to my NATed DMZ mailserver from a host on the WAN network, NAT works;
- If I try to connect to it from an external address (e.g. my phone), it does not.

I dug some more with packet capture and I found out the following: packets arrive on the WAN interface but they do not on the DMZ interface (it seems like they do not traverse the firewall).

Moreover, if I try to connect to Google (http) from the DMZ mailserver I can see:

- request packets exiting from the NATed address (of the WAN virtual IP);
- answer packets entering the NATed address (of the WAN virtual IP);

but I cannot see them (the answer packets) on the DMZ interface.

Hence routing is OK, but something goes wrong with NAT 1:1 and/or firewall traversal from "internet addresses".

Here is my NAT conf (I use manual outbound NAT rules). Any idea?
Thank you in advance
![Virutal IP.JPG](/public/imported_attachments/1/Virutal IP.JPG)
![NAT 1-1.JPG](/public/imported_attachments/1/NAT 1-1.JPG)
![Outbound 2.1.JPG](/public/imported_attachments/1/Outbound 2.1.JPG)
This is what I mean: my DMZ mailserver seems to get NATed outside but not inside.

Packet captures of a connection attempt to Google:

ON DSL interface:

```
16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:22.188522 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:22.428460 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:23.388629 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:23.628438 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:24.242951 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:24.414444 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
16:42:24.443562 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:25.790529 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:26.028500 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:29.884252 IP XX.YY.ZZZ.245.1636 > 173.194.35.23.80: tcp 0
16:42:29.914162 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1636: tcp 0
```

ON DMZ interface:

```
16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:27.281005 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:27.381596 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
16:43:27.482185 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
16:43:27.482214 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
```

10.6.107.2 is the mailserver IP in the DMZ
XX.YY.ZZZ.245 is the virtual public IP (NATed) on the DSL interface
173.194.35.23 is Google
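To localize where a 1:1 NAT flow breaks from captures like the ones above, here is an added Python example; it is not code from the post or from pfSense. It parses tcpdump one-line summaries (tolerating the masked public address exactly as posted), counts packets leaving and arriving at the host under test on each interface, and reports which leg is missing. The sample lines are a subset of the captures in the post; the function names and verdict wording are assumptions of this example. It cannot name the cause (the poster later traced it to the default gateway switching setting), but it separates "outbound NAT broken", "no replies from upstream" and "replies arrive on WAN but are never delivered inward", which is the case shown here.

```python
import re
from collections import Counter

# Sample lines taken from the captures in the post (not constructed);
# the public address is masked as XX.YY.ZZZ.245 exactly as posted.
PUBLIC_IP = "XX.YY.ZZZ.245"   # 1:1 NAT virtual IP on the DSL/WAN interface
INTERNAL_IP = "10.6.107.2"    # mailserver in the DMZ

WAN_CAPTURE = """
16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
"""

DMZ_CAPTURE = """
16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
"""

# tcpdump one-line summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
# Address octets are matched as non-space text so a masked address still parses.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_capture(text):
    """Return (src, sport, dst, dport) tuples; lines that do not match are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def count_directions(flows, host):
    """Count packets sent by `host` (outbound) and addressed to `host` (inbound)."""
    counts = Counter()
    for src, _sport, dst, _dport in flows:
        if src == host:
            counts["outbound"] += 1
        elif dst == host:
            counts["inbound"] += 1
    return counts


def diagnose(wan_text, dmz_text, public_ip, internal_ip):
    """Compare both captures and say on which leg the translated flow breaks."""
    wan = count_directions(parse_capture(wan_text), public_ip)
    dmz = count_directions(parse_capture(dmz_text), internal_ip)
    if dmz["inbound"]:
        verdict = "ok: replies reach the DMZ host, 1:1 NAT works in both directions"
    elif not wan["outbound"]:
        verdict = "DMZ packets never appear on WAN: check outbound NAT and egress rules"
    elif not wan["inbound"]:
        verdict = "no replies on WAN: upstream routing or ISP side, not the NAT"
    else:
        verdict = ("replies reach the WAN address but are not forwarded to the DMZ host: "
                   "inbound translation, firewall rules or gateway/reply-to handling")
    return {"wan": dict(wan), "dmz": dict(dmz), "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(WAN_CAPTURE, DMZ_CAPTURE, PUBLIC_IP, INTERNAL_IP)
    print(result["wan"], result["dmz"])
    print(result["verdict"])
```

Run it against captures taken at the same moment on both interfaces (the two captures in the post were taken about a minute apart, so source ports cannot be matched across them; this is why the script counts directions per interface instead of pairing flows).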
[UPDATE]

Today I have tested NAT 1:1 on a fresh test 2.1-RELEASE installation (i.e. built from scratch, with just the essential things)... No problems arose! :-[

Hence I have begun to search for the problem elsewhere...

So, I went back to test the pfSense "production config" and I disabled:

1. Manual outbound NAT: no results
2. LAN failover: no results
3. Default gateway switching: OK!!!!!!!!!!!!!!!! NAT 1:1 works from the internet also!!!

Moreover... I reverted (with config history) to the "original" config (before disabling outbound NAT) and now it's still working :o :o :o :o :o :o

Really a big "mystery"