Netgate Discussion Forum

CORRECTED: Odd NAT Timeout issue

6 Posts 2 Posters 3.3k Views
wallacebw, Sep 26, 2008, 10:56 PM (last edited Sep 28, 2008, 7:18 PM)

    All:

    I am attempting to use NAT and having issues that I have never seen before (I use pfSense to NAT 'WAN to LAN' on other equipment without issue).

    The issue is odd. I set up a NAT for MS RDP with automatic firewall rules and can connect fine; however, just about as soon as I log in it freezes and times out. OK... MS RDP... let's try something else. I set up a NAT for SSH to a different physical host... works fine for 30 seconds and then freezes while 'top' is running...

    I can reconnect to these NATs and reproduce this issue every time. Additionally, I can use the RDP and SSH services without issue if the pfSense box is not in the picture.

    Additionally, the internet does not come into play, as the 'WAN' NIC is plugged into a switch with a static IP on a different subnet.

    I am using an HP DL360 G3 server with ACPI disabled. The only thing that is odd about this setup is that I have three interfaces on two NICs:

    LAN:  BGE0
    WAN: BGE1
    DMZ: BGE0 - vlan ID 123.

    The target for the NAT is on the 'LAN' subnet.
    None of the subnets overlap or otherwise conflict.
    NAT Reflection is off.

    I apologize if this has been answered elsewhere... I searched and didn't find anything.

    Any thoughts?

    Thanks,
    Brian

wallacebw, Sep 26, 2008, 10:59 PM

      I forgot... pfSense 1.2-RELEASE is the version (installed to hard disk).

GruensFroeschli, Sep 26, 2008, 11:00 PM

        Don't mix VLAN-tagged traffic with untagged traffic on the same interface.
        This can lead to what you describe (stuff gets mixed up while resolving ARP).
        Since you're already using a VLAN-capable switch,
        try setting something like this up:

        WAN: BGE1
        LAN:  BGE0 - vlan ID 456
        DMZ: BGE0 - vlan ID 123.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

wallacebw, Sep 27, 2008, 12:09 AM

          OK... tried that:

          LAN = BGE0 - VLAN 2
          WAN = BGE1
          DMZ = BGE0 - VLAN123

          same results (yes, I rebooted).

wallacebw, Sep 27, 2008, 1:18 AM (last edited Sep 27, 2008, 1:23 AM)

            I'm not near the equipment now, but I thought of something... my setup looks like the following:

            HOST connecting to nat
                    |
                    |
                    \/
            'WAN subnet'
                     |
                     |
                     \/
                 PFSENSE #1
                   -- lan subnet 10.1.0.0 / 16 (used as isolated management segment) bge0 vlan2
                   -- wan subnet x.x.x.x / 23  (registered address space) bge1
                   -- opt1 (DMZ SEGMENT) 10.240.0.0 / 16 (bge0 vlan 240)
                    |
                    |
                    \/
            DMZ switch (vlan capable)
                    |
                    |
                    \/
                 PFSENSE #2
                   -- lan subnet 10.1.0.0 / 16 (used as isolated management segment) BGE0
                   -- wan subnet 10.240.0.0 / 16  (to dmz) (vlan 240) bge1
                   -- opt1 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                   -- opt2 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                   -- opt3 (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1
                   -- optn (DMZ SEGMENT) 10.xxx.0.0 / 16 (vlan xxx) bge1

            I have disabled all NATing on pfSense #2.

            I have enabled advanced outbound NAT on pfSense #1 to NAT 10.0.0.0 / 8 to the WAN address.

            Additionally, I added a static route on pfSense #1 to route 10.0.0.0 / 8 to the WAN IP of pfSense #2 via opt1. I am assuming that the 10.0.0.0 / 8 route will not override locally attached subnets... is that correct?

            I hope that this helps... I will try removing the static route (which eliminates everything except networks attached to pfSense #1) and retest, but I'm not optimistic.

            Brian

wallacebw, Sep 28, 2008, 7:17 PM

              OK... I'm a moron...

              I looked a little closer and realized that the servers that I was attempting to connect to using a NAT defined on pfSense #1 had pfSense #2 defined as the gateway (both have IPs on the same subnet). (That may cause some ARP issues.) Given the fact that the inbound and outbound traffic is taking different paths and ending up on different interfaces on the pfSense box providing NATing services, I'm surprised that the SYN/ACK was ever received and that the session established.

              I additionally corrected the static routes to NOT include any locally attached subnets.

              After taking these two steps, the NATs work as expected.

              Brian

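The two things the last two posts turn on, as an added example that is not part of the thread and not pfSense or pf code: a longest-prefix-match routing lookup showing that a 10.0.0.0/8 static route does not override the directly attached 10.1.0.0/16 and 10.240.0.0/16 networks, and a simplified model of a port forward with interface-bound state tracking, showing why a server whose default gateway is pfSense #2 sends its replies back into pfSense #1 on the wrong interface, where no state exists for them. All addresses (the 198.51.100.0/24 TEST-NET range on the WAN side, the server 10.1.0.50, and the static route's next hop 10.240.0.2) are constructed, and binding every state to one interface is a deliberate simplification of pf's real state policy and rdr handling.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[str] = None      # None means directly connected


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins, so a broad
    10.0.0.0/8 static route never overrides a directly attached /16."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# pfSense #1 as described in the thread. The static route's next hop
# (pfSense #2's WAN address on vlan 240) is a constructed value.
PFSENSE1_ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "bge0_vlan2"),      # LAN, connected
    Route(ipaddress.ip_network("10.240.0.0/16"), "bge0_vlan240"),  # OPT1 / DMZ, connected
    Route(ipaddress.ip_network("10.0.0.0/8"), "bge0_vlan240", via="10.240.0.2"),
]


@dataclass
class StatefulNAT:
    """Port forward (pf 'rdr') plus state tracking. Simplification: every
    state is bound to the interface it was created on, and a packet with no
    matching state on its ingress interface is dropped."""
    routes: list
    rdr: dict                                   # (wan_ip, port) -> (lan_ip, port)
    states: dict = field(default_factory=dict)  # (iface, flow) -> translated flow

    def inbound_syn(self, iface, client, cport, wan_ip, wport):
        target = self.rdr.get((wan_ip, wport))
        if target is None:
            return "drop: no port forward"
        lan_ip, lport = target
        out = lookup(self.routes, lan_ip)
        # Forward direction on the ingress interface, reply direction on the
        # egress interface chosen by the routing table.
        self.states[(iface, ("tcp", client, cport, wan_ip, wport))] = \
            ("tcp", client, cport, lan_ip, lport)
        self.states[(out.iface, ("tcp", lan_ip, lport, client, cport))] = \
            ("tcp", wan_ip, wport, client, cport)
        return f"forward to {lan_ip}:{lport} via {out.iface}"

    def reply(self, iface, server, sport, client, cport):
        state = self.states.get((iface, ("tcp", server, sport, client, cport)))
        if state is None:
            return f"drop: no state on {iface}"
        _, src, sp, dst, dp = state
        return f"pass: translated back to {src}:{sp} -> {dst}:{dp}"


def rdp_scenario(server_gateway):
    """A client on the WAN side connects to the forwarded RDP port. The server's
    reply enters pfSense #1 on whichever interface its default gateway leads to:
    the LAN vlan when the gateway is pfSense #1, the DMZ vlan when it is
    pfSense #2 (which routes the packet out via 10.240.0.0/16).
    Addresses are constructed (TEST-NET-2 on the WAN side)."""
    fw = StatefulNAT(PFSENSE1_ROUTES, {("198.51.100.10", 3389): ("10.1.0.50", 3389)})
    fw.inbound_syn("bge1", "198.51.100.77", 50000, "198.51.100.10", 3389)
    reply_iface = "bge0_vlan2" if server_gateway == "pfsense1" else "bge0_vlan240"
    return fw.reply(reply_iface, "10.1.0.50", 3389, "198.51.100.77", 50000)


if __name__ == "__main__":
    for dst in ("10.1.0.50", "10.240.0.2", "10.77.1.1"):
        r = lookup(PFSENSE1_ROUTES, dst)
        print(dst, "->", r.prefix, r.iface, r.via or "connected")
    print("gateway = pfSense #1:", rdp_scenario("pfsense1"))
    print("gateway = pfSense #2:", rdp_scenario("pfsense2"))
```

Running it prints the connected /16 routes for 10.1.0.50 and 10.240.0.2 and the /8 static route only for 10.77.1.1, then a pass for the reply arriving on the LAN vlan and a drop for the same reply arriving on the DMZ vlan. On a real box the equivalent check is a tcpdump on each interface of pfSense #1 to confirm the SYN and the SYN/ACK of one connection both traverse the same pair of interfaces.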
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.