Netgate Discussion Forum

    Incoming traffic to 1:1 NAT targets gets confused once in a great while

    Category: NAT (3 posts, 2 posters, 748 views)
    rnmixon:

      Our pfSense firewall is at version 2.3.4. We have a Cox broadband connection with the standard static IP plus a CIDR block of 16 "/28" addresses.

      For each address we are using in the CIDR block (9 of the 16) we have both a virtual IP and a 1:1 NAT entry.

      We then define regular NAT port forwarding, just for the ports we have external services listening on.

      For almost three years this has been working fine. But in the last six months we are seeing a request to one of the virtual IPs return a response from a server that is assigned to a different virtual IP.

      The problem only happens every two or three weeks, usually just a handful of times. We've been able to capture the requests/responses using the browser's web control panel and then look in the server logs to see the response being returned.

      We've re-reviewed our rules and they seem right. We've also got logging turned on for the corresponding firewall rules, but that does not really help much.

      Does anyone have any idea on how we might isolate the problem or what the problem might be?

      Thank you much - Richard

      jimp (Rebel Alliance Developer, Netgate):

        So you have 1:1 NAT and then port forwards defined on top with the same destinations? That isn't necessary. You only need 1:1 NAT + Firewall rules.

        Port forwards take precedence over 1:1 NAT on the inbound traffic, so your 1:1 NAT may be fine, but if something happened to the port forward then it may misbehave.

        Are you using aliases anywhere in the port forwards? Anything special in the destinations?

        rnmixon:

          Jim,
          I am so sorry - I missed your response on this. I know it's been six months, but the problem reared its head again.

          If I understand correctly, you are saying that the combination of NAT port forwarding and 1:1 NAT to my virtual IPs assigned to the CIDR block "could" be causing the issue, when you say "… if something happened to the port forward then it may misbehave."

          It's weird too, as often getting the remote user to clear their browser cache causes the problem to go away - but other times it takes a day.

          We had been using NAT port forwarding in conjunction with 1:1 NAT to try and conserve our static IPs - but it sounds like it might be safer to just do the 1:1 NAT and not port forwards.

          Is there any way to further pin this down? I have correlated Chrome browser network requests with pfSense firewall logs and the request logs on the two web servers involved. I can pretty clearly see where the first six requests from the browser are all to the IP address of the first web server, but pfSense shows the sixth request gets NATed to a different server - but of course no rationale for why it did that.

          UPDATE: Yes we are also using aliases a good bit. What type of issues might that cause?

          Thank you again - Richard

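          The following is an added illustration, not code from the thread or from pfSense. It models the precedence jimp describes (inbound traffic is matched against port forwards before 1:1 NAT) and the alias question raised in the follow-up. The rule order being first-match-wins within the port forwards, the alias expansion, the rule names, the 10.0.0.x internal hosts and the 203.0.113.0/28 external block are all constructed assumptions for the model. It shows how a port forward whose destination is an alias covering more than one virtual IP sends traffic for one virtual IP to the server behind another, and it includes an audit function that flags any port forward whose target disagrees with the 1:1 mapping for the same external address, which is the kind of check worth running over an exported ruleset before removing the port forwards.

```python
"""Simplified model of inbound NAT evaluation on a pfSense-style firewall.

Port forwards (pf 'rdr' rules) are consulted first, first match wins; only traffic
that matches no port forward falls through to 1:1 NAT. This is a constructed
illustration, not pfSense's own code; every address, alias and rule name is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PortForward:
    name: str
    dest: str      # literal external address or the name of an alias
    proto: str
    dport: int
    target: str    # internal address the traffic is redirected to


@dataclass(frozen=True)
class OneToOne:
    external: str  # virtual IP from the external /28 block
    internal: str  # internal host it maps to


# Hypothetical alias table. 'WebServers' is the kind of alias that causes trouble when
# used as a port-forward *destination*: it expands to two different virtual IPs.
ALIASES: Dict[str, List[str]] = {
    "WebServers": ["203.0.113.17", "203.0.113.18"],
}


def expand(dest: str) -> List[str]:
    """Expand an alias name to its member addresses; a literal address maps to itself."""
    return ALIASES.get(dest, [dest])


def resolve_inbound(dst_ip: str, proto: str, dport: int,
                    forwards: List[PortForward],
                    one_to_one: List[OneToOne]) -> Tuple[Optional[str], str]:
    """Return (internal address, reason) for an inbound packet, or (None, reason)."""
    # Port forwards take precedence over 1:1 NAT for inbound traffic.
    for pf in forwards:
        if pf.proto == proto and pf.dport == dport and dst_ip in expand(pf.dest):
            return pf.target, f"port forward '{pf.name}'"
    # Anything not claimed by a port forward falls through to 1:1 NAT.
    for m in one_to_one:
        if m.external == dst_ip:
            return m.internal, "1:1 NAT"
    return None, "no NAT match"


def audit_shadowing(forwards: List[PortForward],
                    one_to_one: List[OneToOne]) -> List[str]:
    """Report port forwards that send traffic for a 1:1 external address to a host
    other than that address's 1:1 internal host (after expanding aliases)."""
    by_external = {m.external: m.internal for m in one_to_one}
    findings = []
    for pf in forwards:
        for ext in expand(pf.dest):
            expected = by_external.get(ext)
            if expected is not None and expected != pf.target:
                findings.append(
                    f"{pf.name}: {pf.proto}/{pf.dport} to {ext} goes to {pf.target}, "
                    f"but 1:1 NAT maps {ext} to {expected}")
    return findings


# Constructed ruleset: two virtual IPs with 1:1 NAT, plus an HTTPS port forward whose
# destination alias covers both of them but whose target is only the first server.
ONE_TO_ONE = [
    OneToOne("203.0.113.17", "10.0.0.17"),
    OneToOne("203.0.113.18", "10.0.0.18"),
]
FORWARDS = [
    PortForward("web-https", "WebServers", "tcp", 443, "10.0.0.17"),
    PortForward("mail-smtp", "203.0.113.19", "tcp", 25, "10.0.0.19"),
]

if __name__ == "__main__":
    for ip in ("203.0.113.17", "203.0.113.18"):
        print(ip, "tcp/443 ->", resolve_inbound(ip, "tcp", 443, FORWARDS, ONE_TO_ONE))
        print(ip, "tcp/80  ->", resolve_inbound(ip, "tcp", 80, FORWARDS, ONE_TO_ONE))
    for finding in audit_shadowing(FORWARDS, ONE_TO_ONE):
        print("WARNING:", finding)
```

          In the model, HTTPS to 203.0.113.18 lands on 10.0.0.17 because the port forward matches first, while port 80 to the same address correctly reaches 10.0.0.18 through 1:1 NAT; the audit reports exactly that one disagreement. Intermittent behaviour like the thread describes is not modelled here, but a mapping that is already inconsistent on paper is the first thing to rule out.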
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.