1:1 NAT Issue



  • Hello pfsense community, I've been having an issue with the firewall that I can't seem to figure out.  I'm trying to assign a separate public IP address to a server behind my firewall.  I've read through several guides like this one: https://forum.pfsense.org/index.php?topic=102363.0 but I keep running into the same issue.

    The problem is that once I set up the separate IP address and assign it to my computer (for testing I've tried this PC and a few others) I can connect, but have horrible lag/packet loss.  Pinging google shows several timeouts and several successful pings, seems to be random.  I'm at a loss.

    What I've done:

    Created a new virtual IP, tried both IP Alias and Proxy ARP as the new public IP
    Created a new NAT 1:1 rule, external subnet IP set to public IP, internal IP set to my PC as single host IP address, destination set to any
    Created a new firewall rule as Pass with protocol as any

    Is there something I'm missing?  Thanks in advance, I appreciate any help I can get.



  • It is rarely a good idea to use 1:1 NAT IMO.  If you're trying to make a service available, a simple port-forward will usually do.  Use an IP Alias for your VIP.

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks



  • @KOM:

    It is rarely a good idea to use 1:1 NAT IMO.  If you're trying to make a service available, a simple port-forward will usually do.  Use an IP Alias for your VIP.

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Right, I've gotten servers setup with port forwarding before, but was trying to see if I could get a separate public IP to work.  I hit a wall and wanted to see if anyone could point out any glaring errors or if it's some kind of bug with pfsense, because as far as I can tell my current configuration should work but it isn't.


  • Netgate

    What type of WAN connection do you have that allows multiple public IP addresses?

    Are you testing from inside or outside?

    Post the screen shots of your WAN interface, WAN Firewall Alias, 1:1 NAT rule, and corresponding WAN firewall rule.



  • I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration.

    Please post screens of your WAN rules (sanitized of course) and your NAT port-forward, along with network details of the internal server and ports required.


  • Netgate

    some kind of bug with pfsense

    I used to let that bother me. Therapy has helped. ;)



  • @Derelict:

    What type of WAN connection do you have that allows multiple public IP addresses?

    Are you testing from inside or outside?

    Post the screen shots of your WAN interface, WAN Firewall Alias, 1:1 NAT rule, and corresponding WAN firewall rule.

    http://puu.sh/rJ7Fy/b482f4309e.png  ->Public IP 1
    http://puu.sh/rJ81c/eddeb19722.png  ->Public IP 2, I've found different posts that suggest both IP Alias and Proxy ARP, tried both
    http://puu.sh/rJ8tc/266673a949.png  ->Public IP 2, Private IP of PC
    http://puu.sh/rJ8z9/9cf43675df.png    ->Private IP of PC

    @KOM:

    I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration.

    I don't think that it's a bug in pfsense.  I was just explaining that I know this is possible with port forwarding as well, but would like to find out what I'm doing wrong with this setup, because as far as I can tell it should be working, which is why I posted to ask someone else to be kind enough to look at my configuration.  I'm sorry that you seem to have taken offense to my previous post, but I didn't mean anything by it nor was I blaming the software.


  • Netgate

    In the images you posted your 1:1 NAT entry is disabled.



  • @Derelict:

    In the images you posted your 1:1 NAT entry is disabled.

    Right, with it enabled I have horrible packet loss so it's disabled until I try something else to fix it again.



  • with it enabled I have horrible packet loss

    How are you testing and measuring?



  • @KOM:

    with it enabled I have horrible packet loss

    How are you testing and measuring?

    I've tried different speed testing sites, all come in at ~10% of what typical results are.  Pinging any public IP (google for example) will have several successful pings and several timeouts.  Attempting to reach any website takes significantly longer than usual, occasionally failing to load CSS or images properly.

    Disabling the rule returns functionality back to normal.



  • Weird.  A 1:1 NAT should have no bearing on other outgoing network traffic.  What version of pfSense, and what are you running it on?



  • @KOM:

    Weird.  A 1:1 NAT should have no bearing on other outgoing network traffic.  What version of pfSense, and what are you running it on?

    2.3.2-RELEASE-p1.  I had tried updating to see if that was a fix but no luck.  I'm using a Supermicro X10SLL-F motherboard, Xeon E3-1220 v3 CPU, 8 GB RAM.


  • Netgate

    Sounds like a problem with the ISP to me. Probably time to packet capture on WAN when it is malfunctioning and see what's really going on there. Make sure all the IP addresses and MAC addresses are doing what they are supposed to be doing.
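
    An added example (my own, not code from any poster in this thread or from the pfSense project) of the two checks raised above: Derelict's "packet capture on WAN and make sure all the IP addresses and MAC addresses are doing what they are supposed to be doing", and KOM's "how are you testing and measuring?".  It parses constructed `tcpdump -e -n` output, flags any public IP that more than one MAC answers ARP for, and pairs ICMP echo requests with their replies to compute per-address loss.  Every address and MAC in the sample is an assumption for illustration, not the poster's real configuration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n -i <wan> 'arp or icmp'` output; not a real capture.
# Assumed addresses: 203.0.113.10 primary WAN IP, 203.0.113.11 the 1:1 NAT virtual IP,
# 203.0.113.1 ISP gateway, 8.8.8.8 stand-in for the external ping target.
# Assumed MACs: 00:0c:29:aa:bb:cc firewall WAN NIC, 00:11:22:33:44:55 ISP gateway,
# 00:50:56:de:ad:01 a second device on the WAN segment that also answers ARP for the VIP.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.10 tell 203.0.113.1, length 28
12:00:01.000150 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at 00:0c:29:aa:bb:cc, length 28
12:00:02.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.11 tell 203.0.113.1, length 28
12:00:02.000150 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.11 is-at 00:0c:29:aa:bb:cc, length 28
12:00:02.000310 00:50:56:de:ad:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.11 is-at 00:50:56:de:ad:01, length 28
12:00:03.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.10 > 8.8.8.8: ICMP echo request, id 5, seq 1, length 64
12:00:03.020000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 5, seq 1, length 64
12:00:04.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.10 > 8.8.8.8: ICMP echo request, id 5, seq 2, length 64
12:00:04.020000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 203.0.113.10: ICMP echo reply, id 5, seq 2, length 64
12:00:05.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.11 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
12:00:06.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.11 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
12:00:06.020000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 203.0.113.11: ICMP echo reply, id 7, seq 2, length 64
12:00:07.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.11 > 8.8.8.8: ICMP echo request, id 7, seq 3, length 64
12:00:08.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 203.0.113.11 > 8.8.8.8: ICMP echo request, id 7, seq 4, length 64
12:00:08.020000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 203.0.113.11: ICMP echo reply, id 7, seq 4, length 64
"""

# tcpdump -e prints "<ts> <src mac> > <dst mac>, ethertype ..." before the protocol summary.
ARP_REPLY = re.compile(
    r'^(?P<ts>\S+) (?P<smac>\S+) > (?P<dmac>\S+), ethertype ARP .*?'
    r'Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>\S+),')
ICMP_ECHO = re.compile(
    r'^(?P<ts>\S+) (?P<smac>\S+) > (?P<dmac>\S+), ethertype IPv4 .*?: '
    r'(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): '
    r'ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)')


def parse_capture(text):
    """Split capture text into ARP replies and ICMP echo packets; other lines are ignored."""
    arp, echo = [], []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            arp.append(m.groupdict())
            continue
        m = ICMP_ECHO.match(line)
        if m:
            echo.append(m.groupdict())
    return arp, echo


def arp_conflicts(arp_replies):
    """Map each IP to the sorted set of MACs that claimed it; keep only IPs with more than one.
    A VIP (IP Alias or Proxy ARP) must only ever be answered by the firewall's own WAN MAC."""
    claims = defaultdict(set)
    for r in arp_replies:
        claims[r['ip']].add(r['mac'].lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def icmp_loss(echo_packets, our_ips):
    """Pair echo requests sent from our public IPs with replies seen on the wire and report
    per-address loss; a request whose reply never appears is counted as lost."""
    sent, answered = defaultdict(set), defaultdict(set)
    for p in echo_packets:
        key = (p['id'], p['seq'])
        if p['kind'] == 'request' and p['src'] in our_ips:
            sent[p['src']].add(key)
        elif p['kind'] == 'reply' and p['dst'] in our_ips:
            answered[p['dst']].add(key)
    report = {}
    for ip in our_ips:
        n = len(sent[ip])
        a = len(sent[ip] & answered[ip])
        report[ip] = {'sent': n, 'answered': a,
                      'loss_pct': 0.0 if n == 0 else round(100.0 * (n - a) / n, 1)}
    return report


if __name__ == "__main__":
    arp, echo = parse_capture(SAMPLE_CAPTURE)
    for ip, macs in arp_conflicts(arp).items():
        print(f"CONFLICT: {ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for ip, r in sorted(icmp_loss(echo, {'203.0.113.10', '203.0.113.11'}).items()):
        print(f"{ip}: sent {r['sent']}, answered {r['answered']}, loss {r['loss_pct']}%")
```

    On the constructed sample the primary address shows 0% loss while the VIP shows 50%, and the VIP is the one address two MACs answer ARP for, which is the pattern of intermittent loss the thread describes.  One caveat when reproducing this on the firewall itself: the competing ARP reply is unicast to the gateway, so a capture on the firewall's own WAN NIC will normally not show it unless the segment is mirrored or shared; on the firewall the evidence is the stream of unanswered echo requests that `icmp_loss` counts, and the second MAC has to be found from a mirror port or from the gateway's ARP table.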



  • So if I understood correctly,

    WAN-----LAN
      |
      |
      |
    VIP (email server or websites on another WAN IP?)

    1. What internet provider do you have, and is it fiber or is the WAN DHCP?
    2. If it's fiber, usually (at least where I live) the ISP gives 5 static IPs, which you can configure using a VIP and 1:1 NAT with no issue.
    3. If it's WAN DHCP then you need another network card, because the ISP's modem wraps around your MAC and won't let you have 2 IPs.  Then there's no need for 1:1; instead you need to set outbound NAT to hybrid mode, add the LAN IP which you want to separate, and edit the NAT rules for that IP, see pictures.







  • Rebel Alliance Global Moderator

    "I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration."

    hehe - if that could only go to help fund pfsense ;)