Binat to LAN interface from WAN



  • Hi,

    I have a weird problem since upgrading from 2.2.6 to 2.3. The rules have not changed, so I suspect a problem that's been introduced. I will explain my setup with anonymized IPs to protect the innocent (i.e. me) :)

    • I have 4 static IP addresses that I can freely assign and one static IP address for the WAN interface. These are:
        - A.B.C.A, A.B.C.B, A.B.C.C, A.B.C.D and for the WAN interface A.B.X.Y

    • The WAN interface is pppoe0 and it has A.B.X.Y IP address configured.

    • On the internal LAN I use 192.168.1.0/24 network.

    • The LAN interface of pfsense uses 192.168.1.1

    • The 4 static IP addresses I have configured as virtual IPs on pfSense.

    • I use 1:1 NAT mappings for those 4 addresses.

    • The 1:1 mappings to any host on the 192.168.1.0/24 subnet work perfectly.

    … HOWEVER, there's a 1:1 NAT mapping from A.B.C.D to 192.168.1.1 (the LAN interface of pfSense). Incoming traffic gets properly mapped to 192.168.1.1; however, the outgoing packets don't map back to A.B.C.D, which results in the responses leaving the pppoe0 interface with source 192.168.1.1 (I verified this with tcpdump/wireshark).

    Hence trying to reach the pfsense box from the internet doesn't work unless I use the static WAN interface IP.

    I fixed my use case by no longer using the LAN interface; however, given that this worked in 2.2.6, I still believe that in theory this should work.

    regards,
    Cybertoy
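
    The tcpdump check described in the post above, written out as an added example (not code from the thread or from pfSense): it audits a capture taken on the WAN side against a 1:1 (binat) table and flags replies that leave with the internal address instead of the mapped virtual IP, plus inbound flows that never got a reply from the VIP. The addresses, the binat table and the capture lines are constructed stand-ins for the anonymized A.B.C.x / 192.168.1.x values in the post.

```python
import re
from collections import namedtuple

# Constructed 1:1 (binat) table, external VIP -> internal host.
# 198.51.100.4 -> 192.168.1.1 stands in for the post's A.B.C.D -> LAN interface mapping.
BINAT = {
    "198.51.100.1": "192.168.1.10",
    "198.51.100.4": "192.168.1.1",
}
REVERSE = {internal: vip for vip, internal in BINAT.items()}

# Matches the start of a tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

Packet = namedtuple("Packet", "src sport dst dport")


def parse(line):
    """Return a Packet for a tcpdump IPv4 line, or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))


def audit_wan_capture(lines):
    """Audit packets captured on the WAN interface (i.e. after outbound NAT).

    Returns (leaks, unanswered):
      leaks      - packets whose source is an internal binat host, which should
                   have been rewritten to its VIP before leaving the WAN side
      unanswered - inbound (client, cport, vip, vport) flows with no reply from the VIP
    """
    inbound = set()   # flows as (client, cport, vip, vport)
    replied = set()   # same key, built from replies whose source is the VIP
    leaks = []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p.dst in BINAT:
            # Client -> VIP: record the flow we expect a VIP-sourced reply for.
            inbound.add((p.src, p.sport, p.dst, p.dport))
        elif p.src in BINAT:
            # VIP -> client: correctly translated reply.
            replied.add((p.dst, p.dport, p.src, p.sport))
        elif p.src in REVERSE:
            # Internal address seen on the WAN side: binat did not apply outbound.
            leaks.append({
                "flow": (p.dst, p.dport, p.src, p.sport),
                "leaked_src": p.src,
                "expected_src": REVERSE[p.src],
            })
    return leaks, sorted(inbound - replied)


# Constructed sample capture: the first flow translates correctly, the second
# is answered from 192.168.1.1 instead of 198.51.100.4 (the symptom in the post).
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 203.0.113.5.51000 > 198.51.100.1.443: Flags [S], seq 1, win 65535, length 0
10:00:01.000250 IP 198.51.100.1.443 > 203.0.113.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:02.000001 IP 203.0.113.5.51001 > 198.51.100.4.443: Flags [S], seq 3, win 65535, length 0
10:00:02.000250 IP 192.168.1.1.443 > 203.0.113.5.51001: Flags [S.], seq 4, ack 4, win 65535, length 0
"""

if __name__ == "__main__":
    leaks, unanswered = audit_wan_capture(SAMPLE_CAPTURE.splitlines())
    for leak in leaks:
        print("LEAK: reply left WAN with source %s, expected %s (flow %s)"
              % (leak["leaked_src"], leak["expected_src"], leak["flow"]))
    for flow in unanswered:
        print("NO VIP REPLY: %s:%d -> %s:%d" % flow)
```

    Feed it the output of a tcpdump run with numeric addresses on the WAN interface; any LEAK line identifies a 1:1 mapping whose outbound half is not being applied, which is exactly the A.B.C.D -> 192.168.1.1 case above.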



  • Hi Cybertoy.

    I have the same problem as you.
    I tried to NAT my static IP (virtual IP, with 1:1) to an internal LAN address, used for Avaya videoconferencing.
    But the Avaya replies to the LAN address of the green interface, not to the virtual IP.
    Have you found a solution?

    Regards,
    Renaud



  • I simply started to use the WAN interface IP, so I worked around the problem. I believe it still exists, though, and frankly I still believe it's a bug somewhere.

    ciao,
    Cybertoy



  • Thanks for your answer.
    But I need more than one IP address; that's why I have to use virtual IPs …
    Never mind ...

    Renaud