NAT not working. Probably a weird setup, but it *should* work, right?

  • Hi all,

    For simplicity's sake, we're using 1 pfsense box at the moment and will be adding in a second once we get NAT and everything else working.

    pfSense is hosted in Softlayer's DAL10 datacenter. Other servers are located in Softlayer's DAL09 datacenter. pfsense and the other servers are able to communicate over the Softlayer private network perfectly fine due to VLAN Spanning. We are announcing a network block (let's call it 172.16.0.0/24 - not the actual range, the real address range is publicly routable) using OpenBGPD to Softlayer using a private ASN. BGP works fine - a traceroute to an address in the block makes it to our pfsense server just fine.

    The pfsense box has 2 sets of 2 interfaces bonded via LACP - one for WAN, one for LAN - all of which is working fine.
    pfsense WAN: 192.168.0.145 (actually a public address, changed to protect the guilty)
    pfsense LAN: 10.177.76.134

    We have added the 172.16.0.0/24 address in pfsense as "Other IP" on the WAN, and then configured 1:1 NAT for 172.16.0.5 to 10.143.45.238 (on a separate VLAN from the pfsense LAN, but still able to communicate with the address due to VLAN spanning). No matter what combination of options we use, incoming traffic to 172.16.0.5 does not get passed to 10.143.45.238. For testing purposes, we have a Zabbix agent running on 10.143.45.238, and pfsense is also running a Zabbix agent. The Zabbix server is entirely outside of the Softlayer network, so we do not believe that it had anything to do with NAT Reflection. We have tried various combinations of settings on the 1:1 NAT with the following results:

    1:1 NAT
    "No BINAT" checked, NAT Reflection enabled: pfsense server itself responds to pings to 172.16.0.5, pfsense server responds to Zabbix agent connections. Nothing goes to 10.143.45.238, confirmed via packet dump.
    "No BINAT" checked, NAT Reflection enabled: pfsense server itself responds to pings to 172.16.0.5, pfsense server responds to Zabbix agent connections. Nothing goes to 10.143.45.238, confirmed via packet dump.
    "No BINAT" unchecked, NAT Reflection enabled: No ping reply, no Zabbix agent response. pfSense sends port 10050 Zabbix traffic to 10.143.45.238 but 10.143.45.238 does not receive it, confirmed via packet dump.
    "No BINAT" unchecked, NAT Reflection disabled: No ping reply, no Zabbix agent response. pfSense sends port 10050 Zabbix traffic to 10.143.45.238 but 10.143.45.238 does not receive it, confirmed via packet dump.

    We see the same behavior if we add the IP as an IP Alias on the WAN interface instead of "Other IP".

    Firewall rules are set to allow all IPv4 on all interfaces, and disabled completely on 10.143.45.238.

    Does anyone have any ideas what could be going on?
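    One way to turn the three-point packet-dump comparison described in this post into a repeatable check, as an added example that is not part of this thread or of pfSense: it assumes `tcpdump -n` output captured on the pfSense WAN, on the pfSense LAN and on the target host itself, and it classifies a flow by the last point at which the packet was seen. The client address 203.0.113.10 and the capture lines are constructed; the addresses 172.16.0.5, 10.143.45.238 and port 10050 are the ones from the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Matches the IPv4 address/port part of a "tcpdump -n" line, e.g.
# "12:00:01.000001 IP 203.0.113.10.51234 > 172.16.0.5.10050: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_tcpdump(lines: Iterable[str]) -> List[Packet]:
    """Parse tcpdump -n lines; lines that are not IPv4 TCP/UDP are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Packet(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return out


# Diagnosis for each stage, keyed by the last capture point that saw the packet.
STAGES = {
    "not-arrived": "nothing for the public IP on WAN: upstream routing/BGP, not NAT",
    "not-translated": "seen on WAN but never sent to the private IP on LAN: 1:1 NAT "
                      "not applied to this address",
    "not-delivered": "pfSense sent the translated packet on LAN but the host never saw "
                     "it: layer-2 delivery between the LAN interface and the host",
    "delivered-no-reply": "host received the packet but sent nothing back: host "
                          "firewall or the service itself",
    "replied": "host replied; check the return path and reverse translation next",
}


def classify_flow(public_ip: str, private_ip: str, port: int,
                  wan_lines: Iterable[str], lan_lines: Iterable[str],
                  host_lines: Iterable[str]) -> str:
    """Return the stage at which inbound traffic for public_ip:port stops."""
    wan, lan, host = (parse_tcpdump(x) for x in (wan_lines, lan_lines, host_lines))
    if not any(p.dst == public_ip and p.dport == port for p in wan):
        return "not-arrived"
    if not any(p.dst == private_ip and p.dport == port for p in lan):
        return "not-translated"
    if not any(p.dst == private_ip and p.dport == port for p in host):
        return "not-delivered"
    if not any(p.src == private_ip and p.sport == port for p in host):
        return "delivered-no-reply"
    return "replied"


def diagnose(case: dict) -> Tuple[str, str]:
    """Classify one constructed capture set and return (stage, explanation)."""
    stage = classify_flow("172.16.0.5", "10.143.45.238", 10050,
                          case["wan"], case["lan"], case["host"])
    return stage, STAGES[stage]


# Constructed captures (not from the thread); 203.0.113.10 stands in for the
# external Zabbix server. This mirrors the "No BINAT unchecked" observation:
# translated SYN leaves on LAN, host capture stays empty.
CASE_NO_BINAT_UNCHECKED = {
    "wan": ["12:00:01.000001 IP 203.0.113.10.51234 > 172.16.0.5.10050: "
            "Flags [S], seq 1, win 64240, length 0"],
    "lan": ["12:00:01.000050 IP 203.0.113.10.51234 > 10.143.45.238.10050: "
            "Flags [S], seq 1, win 64240, length 0"],
    "host": [],
}

# Mirrors the "No BINAT checked" observation: the firewall answers from the
# public address itself and nothing is sent towards the private host.
CASE_NO_BINAT_CHECKED = {
    "wan": ["12:00:01.000001 IP 203.0.113.10.51234 > 172.16.0.5.10050: "
            "Flags [S], seq 1, win 64240, length 0",
            "12:00:01.000020 IP 172.16.0.5.10050 > 203.0.113.10.51234: "
            "Flags [S.], seq 7, ack 2, win 65535, length 0"],
    "lan": [],
    "host": [],
}

if __name__ == "__main__":
    for name, case in (("No BINAT unchecked", CASE_NO_BINAT_UNCHECKED),
                       ("No BINAT checked", CASE_NO_BINAT_CHECKED)):
        stage, why = diagnose(case)
        print(f"{name}: {stage} -> {why}")
```

    The capture points are deliberately separate (a dump on the pfSense LAN interface only proves the firewall put the frame on the wire), so a "not-delivered" result points at the switching path rather than at the NAT rule.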


  • Netgate

    First, you must realize that "VLAN Spanning" is apparently something done only at SoftLayer and likely nobody knows WTH you are talking about there. I had to google it.

    It looks like it bridges all "Spanned" VLANs into one broadcast domain. If that is the case it should probably be treated as such.

    You might need to diagram your network, with these unique SoftLayer-only features clearly defined.

    The No BINAT checkbox there means EXCLUDE this address from 1:1 NAT. Very likely not what you want.

    "pfSense sends port 10050 Zabbix traffic to 10.143.45.238 but 10.143.45.238 does not receive it, confirmed via packet dump."

    That sounds like a question for whoever is supposed to be delivering the packet once it is sent out the proper interface.