
    NAT not working on other IPs in my block

      peterlecki

      Netgate SG-2100 21.02.2
      Public IP block /29 and interface configured as such. All outgoing works and incoming port forwards work but only on the primary IP, not any of the others in my block. I tried setting NAT Destination to "WAN net" and to another IP in my block but neither option works. Setting it to the primary IP makes it work immediately without any other configuration. Literally changing ONE digit. I checked firewall logs and it doesn't show attempts on the other IPs in my block, only on the main one. Almost as if it wasn't forwarded to me by the ISP router.

      Derelict (Netgate) @peterlecki

        @peterlecki said in NAT not working on other IPs in my block:

        Almost as if it wasn't forwarded to me by the ISP router.

        Maybe that's the case.

        Packet capture to see if the ISP is actually sending the traffic to you. If not, pfSense can't forward it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        peterlecki @Derelict

          @derelict said in NAT not working on other IPs in my block:

          Maybe that's the case.

          Packet capture to see if the ISP is actually sending the traffic to you. If not, pfSense can't forward it.

          That was indeed the case, resolved now. I thought it was them not sending it, period, but it turns out my WAN interface wasn't responding to ARP requests for the additional IPs; that's why those packets weren't forwarded to me. Even though the interface was assigned the whole block, it would only respond on one IP. ARP responses on the others weren't happening until I manually configured Virtual IPs. I have not run across this in any other firewall brand I've worked on. In my opinion, if the interface is given a whole block, it should ARP on all IPs within that block.

          Derelict (Netgate) @peterlecki

            @peterlecki The interface was not given the whole block. It was given one interface IP address and a subnet mask.

            It is up to the administrator to assign IP addresses if they want the firewall to respond to ARP requests. In many cases it is desirable to not respond to ARP there, especially when using routed subnets.


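An added example, not from the thread or from Netgate, that turns Derelict's "packet capture" suggestion into a quick check for the ARP symptom peterlecki found: it reads the text output of a WAN-side ARP capture (tcpdump's default format, e.g. `tcpdump -ni <wan_if> arp`) and, for every usable address in the block, separates "the gateway asked and nobody answered" (firewall is missing a Virtual IP) from "the gateway never asked" (the ISP is not sending traffic for that address at all). The sample capture, the 203.0.113.8/29 block and its address roles are constructed.

```python
import ipaddress
import re

# Constructed sample in tcpdump's default ARP text format (not a capture from
# the thread). Block 203.0.113.8/29: .9 is the ISP gateway, .10 the firewall's
# interface IP, .11-.14 the additional addresses in the block.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 203.0.113.10 tell 203.0.113.9, length 46
12:00:01.000105 ARP, Reply 203.0.113.10 is-at 00:11:22:33:44:55, length 28
12:00:02.000001 ARP, Request who-has 203.0.113.11 tell 203.0.113.9, length 46
12:00:03.000001 ARP, Request who-has 203.0.113.11 tell 203.0.113.9, length 46
12:00:04.000001 ARP, Request who-has 203.0.113.12 tell 203.0.113.9, length 46
12:00:05.000001 ARP, Request who-has 203.0.113.14 tell 203.0.113.9, length 46
12:00:05.000090 ARP, Reply 203.0.113.14 is-at 00:11:22:33:44:55, length 28
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+)")


def arp_coverage(capture_text, block):
    """Return {ip: (requests_seen, replies_seen)} for each usable host in block."""
    net = ipaddress.ip_network(block, strict=False)
    stats = {str(ip): [0, 0] for ip in net.hosts()}
    for line in capture_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and m.group(1) in stats:
            stats[m.group(1)][0] += 1
            continue
        m = REPLY_RE.search(line)
        if m and m.group(1) in stats:
            stats[m.group(1)][1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


def unanswered(capture_text, block):
    """Addresses the gateway asked for but nothing answered: no VIP on the firewall."""
    hits = arp_coverage(capture_text, block)
    return sorted((ip for ip, (req, rep) in hits.items() if req and not rep),
                  key=ipaddress.ip_address)


def never_asked(capture_text, block, exclude=()):
    """Addresses never requested at all: the upstream is not sending them to you."""
    hits = arp_coverage(capture_text, block)
    return sorted((ip for ip, (req, _) in hits.items()
                   if not req and ip not in set(exclude)),
                  key=ipaddress.ip_address)
```

Pass the gateway address in `exclude` so it is not reported as "never asked"; an address listed by `unanswered` is the case from this thread, one listed by `never_asked` needs the ISP, not the firewall, to fix it.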
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.