    CORRECTED: Odd NAT Timeout issue

      wallacebw

      All:

      I am attempting to use NAT and having issues that I have never seen before (I use pfsense to NAT 'wan to lan' on other equipment without issue).

      The issue is odd.   I set up a NAT for MS RDP with automatic firewall rules and can connect fine; however, just about as soon as I log in it freezes and times out.   ok… MS RDP... let's try something else.   I set up a NAT for ssh to a different physical host... works fine for 30 seconds and then freezes while 'top' is running...

      I can reconnect to these nats and reproduce this issue every time.   Additionally, I can use RDP and SSH services without issue if the PFSense box is not in the picture.

      Additionally, the internet does not come into play as the 'wan' nic is plugged into a switch with a static ip on a different subnet.

      I am using an HP DL360 G3 server with ACPI disabled.   The only thing that is odd about this setup is that I have three interfaces on two NICs:

      LAN:  BGE0
      WAN: BGE1
      DMZ: BGE0 - vlan ID 123.

      The target for the NAT is on the 'LAN' subnet.
      None of the subnets overlap or otherwise conflict.
      NAT Reflection is off.

      I apologize if this has been answered elsewhere... I searched and didn't find anything.

      Any thoughts?

      Thanks,
      Brian

        wallacebw

        I forgot…  PFSENSE 1.2-RELEASE is the version (Installed to hard disk)

          GruensFroeschli

          Don't mix VLAN-tagged traffic with normal traffic on the same interface.
          This can lead to what you describe. (Stuff gets mixed up while resolving ARP)
          Since you're already using a VLAN capable switch:
          Try setting something like this up:

          WAN: BGE1
          LAN:  BGE0 - vlan ID 456
          DMZ: BGE0 - vlan ID 123.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            wallacebw

            Ok… Tried that

            LAN = BGE0 - VLAN 2
            WAN = BGE1
            DMZ = BGE0 - VLAN123

            same results (yes, I rebooted).

              wallacebw

              I'm not near the equipment now, but I thought of something…   my setup looks like the following:

              
              HOST connecting to nat
                      |
                      |
                      \/
              'WAN subnet'
                       |
                       |
                       \/
                   PFSENSE #1
                     -- lan subnet 10.1.0.0 / 16 (used as isolated management segment) bge0 vlan2
                     -- wan subnet x.x.x.x / 23  (registered address space) bge 1
                     -- opt1 (DMZ SEGMENT) 10.240.0.0 / 16 (bge0 vlan 240)
                      |
                      |
                      \/
              DMZ switch (vlan capable)
                      |
                      |
                      \/
                   PFSENSE #2
                     -- lan subnet 10.1.0.0 / 16 (used as isolated management segment) BGE0
                     -- wan subnet 10.240.0.0 / 16  (to dmz) (vlan 240) bge1
                     -- opt1 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                     -- opt2 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                     -- opt3 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                     -- optn (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
              
              

              I have disabled all NATting on PFSense #2.

              I have enabled advanced outbound NAT on PFsense #1 to NAT 10.0.0.0 / 8 to the WAN Address.

              Additionally, I added a static route on PFSense #1 to route 10.0.0.0 / 8 to the WAN IP of PFSense #2 via opt1.   I am assuming that the 10.0.0.0 / 8 route will not override locally attached subnets… is that correct?

              I hope that this helps... I will try removing the static route (which eliminates everything except networks attached to PFsense #1) and retest, but I'm not optimistic.

              Brian

                wallacebw

                OK… I'm a moron...

                I looked a little closer and realized that the servers that I was attempting to connect to using a NAT defined on PFSense1 had PFSense2 defined as the gateway (both have IPs on the same subnet).  (That may cause some ARP issues.)  Given the fact that the inbound and outbound traffic is taking different paths and ending up on different interfaces on the PFSense box providing NATing services, I'm surprised that the SYN/ACK was ever received and that the session established.

                I additionally corrected the Static Routes to NOT include any locally attached subnets.

                After taking these two steps, the NATs work as expected.

                Brian
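One way to check the two routing points raised in this thread, as an added example that is not from the forum post: a longest-prefix-match lookup shows that the 10.0.0.0/8 static route on PFSense #1 cannot override a locally attached /16, and that a NAT target whose default gateway is PFSense #2 replies through a different box than the one that translated the inbound packet, which is the asymmetric path the last post identifies. Interface names follow the thread; the addresses, next-hop labels and the 203.0.113.0/24 client address are constructed for the example.

```python
"""Longest-prefix-match route lookup over the topology in this thread."""
from ipaddress import ip_address, ip_network


def lookup(routes, dst):
    """Return (prefix, next_hop) of the most specific route matching dst."""
    dst = ip_address(dst)
    matches = [(ip_network(p), nh) for p, nh in routes if dst in ip_network(p)]
    if not matches:
        return None
    net, nh = max(matches, key=lambda m: m[0].prefixlen)
    return (str(net), nh)


# PFSense #1 (constructed): two connected /16s, the 10.0.0.0/8 static route
# toward PFSense #2's WAN address, and a default route to the upstream switch.
PFSENSE1_ROUTES = [
    ("10.1.0.0/16", "connected:bge0_vlan2"),
    ("10.240.0.0/16", "connected:bge0_vlan240"),
    ("10.0.0.0/8", "PFSense2"),
    ("0.0.0.0/0", "upstream"),
]

# The RDP/SSH target on the LAN subnet. BEFORE: PFSense #2 is its default
# gateway (the mistake found in the last post). AFTER: PFSense #1 is.
TARGET_BEFORE = [("10.1.0.0/16", "connected:lan"), ("0.0.0.0/0", "PFSense2")]
TARGET_AFTER = [("10.1.0.0/16", "connected:lan"), ("0.0.0.0/0", "PFSense1")]


def reply_symmetric(target_routes, client_ip, nat_box="PFSense1"):
    """True if the target's reply to client_ip goes back through nat_box.

    Inbound packets were translated by nat_box; a reply that leaves via any
    other next hop is asymmetric routing, so nat_box never sees the reverse
    direction of the flow and its NAT state entry eventually times out."""
    return lookup(target_routes, client_ip)[1] == nat_box


if __name__ == "__main__":
    # Connected /16 wins over the /8 static route (longest prefix match).
    print(lookup(PFSENSE1_ROUTES, "10.1.0.20"))
    # A 10.x host not on a connected subnet does follow the /8 to PFSense #2.
    print(lookup(PFSENSE1_ROUTES, "10.77.0.20"))
    print(reply_symmetric(TARGET_BEFORE, "203.0.113.10"))  # False
    print(reply_symmetric(TARGET_AFTER, "203.0.113.10"))   # True
```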
