1 to 1 NAT Forwarding Problem After Upgrading to 21.02-p1 on SG-5100
-
After upgrading an SG-5100 to 21.02-p1, 1 to 1 NAT no longer works on the secondary WAN (WAN1), but does on the primary WAN (WAN0). The strange thing is that my firewall logs show pfSense blocking outbound traffic with the source being my WAN1 (VIP) address using the default deny rule:
However, my firewall rule looks like this:
How can the default deny rule block something I specifically allow? Packet captures show packets coming into my server and the server responding, but they never make it out of the WAN1 port. So I guess the issue is that pfSense is somehow blocking packets coming out of a port, which I thought it never did. I have always understood firewall rules to only apply to packets coming into a port.
Thanks in advance for any replies.
-
I have the same problem after upgrading to 21.02-p1 on a Netgate XG-7100.
Could you resolve it?
-
@iroal Not yet. I rolled it back and it is working again. I'm going to try again when time permits.
-
@iroal The latest update to 21.02.2 seems to have fixed the port forwarding issue, so that might be something to try. Here's the bug fix link.
I still have an issue with outbound packets going out the wrong WAN port, though. I now suspect that was what was happening all along. Packets would come in WAN1 and be returned out WAN0, so it looked like they were being blocked by the firewall, but really they were just lost because I was looking in the wrong spot for them. I haven't figured out how to fix that yet.