Another multiple WAN -> 1:1 NAT still unstable



  • Hi,
    Reading back a little I see a lot of problems with pfSense boxes with multiple WAN addresses trying to use 1:1 NAT. I am having the same problems at the moment. My complete setup is in a cloud environment. The pfSense server has 20 public IP addresses in several subnets. On the other side I have a 192.168.0.0/24 LAN subnet. Every public IP address has its own interface on pfSense and is 1:1 NATted to a 192.168.0.x IP address. This is working OK for about 12 IPs, but the other ones just won't work. They are configured the same as the working ones, but just don't forward external requests. I have had this problem for a while now and was able to do the job with just the working IPs, but after rebooting pfSense yesterday evening, one of the working IPs stopped working. This of course changes everything, because I have production servers behind the firewall.
    Is there a way to debug this problem or a stable workaround I can try?
    pfSense 2.3.3-RELEASE (amd64)

    Thanks,

    Roger



  • Debugging would be performed by doing packet captures (tcpdump) on the external AND internal interfaces to ensure traffic is being passed.

    From there you can start narrowing down what the issue is. If you're seeing traffic being passed through, then pfSense isn't the cause of the issue. If traffic ISN'T passing, start by double-checking your NAT and firewall rules.



  • Thanks IsolatedVirus,

    Sorry for the late response.
    I just did a tcpdump on the LAN and the interface with these results:

    09:17:08.503468 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:17:11.505765 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:17:17.502731 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    to compare I did the same on a working interface and got this:

    09:27:10.205921 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [S], seq 13237633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    09:27:10.206482 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [S.], seq 1981900857, ack 13237634, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
    09:27:10.217913 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 1, win 256, length 0
    09:27:10.217948 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1:29, ack 1, win 256, length 28
    09:27:10.218391 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [.], ack 29, win 58, length 0
    09:27:10.224374 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 1:40, ack 29, win 58, length 39
    09:27:10.236039 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 29:701, ack 40, win 256, length 672
    09:27:10.236493 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 40:992, ack 701, win 60, length 952
    09:27:10.248046 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 701:725, ack 992, win 252, length 24
    09:27:10.252737 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 992:1528, ack 725, win 60, length 536
    09:27:10.315680 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 1528, win 256, length 0
    09:27:10.374259 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 725:1253, ack 1528, win 256, length 528
    09:27:10.392911 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 1528:2632, ack 1253, win 63, length 1104
    09:27:10.455984 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 2632, win 252, length 0
    09:27:10.515713 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1253:1269, ack 2632, win 252, length 16
    09:27:10.515742 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1269:1333, ack 2632, win 252, length 64
    09:27:10.516165 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [.], ack 1333, win 63, length 0
    09:27:10.516276 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 2632:2696, ack 1333, win 63, length 64
    09:27:10.577859 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 2696, win 252, length 0

    Seems NAT is not working properly.
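The comparison done by hand in the two captures above (repeated SYNs with no SYN-ACK on the broken address, a full handshake on the working one) can be automated. The script below is an added example and is not part of this thread or of pfSense; it parses `tcpdump -n` summary lines of the kind pasted above and reports, per client-to-server flow, whether the SYN was ever answered. The two sample captures embedded in it are constructed to mirror the ones in the post, with the client's address replaced by the documentation address 203.0.113.7; the function and variable names are the example's own.

```python
"""Classify TCP flows in tcpdump text output as answered or unanswered.

Added example (not from the thread): feed it the text of a `tcpdump -n`
capture taken on pfSense's inside or outside interface and it tells you
which flows show the 'SYN retransmitted, never answered' pattern.
"""
import re

# One tcpdump -n summary line, e.g.
# 09:17:08.503468 IP 203.0.113.7.62472 > 192.168.0.34.ssh: Flags [S], seq 1, win 8192, ... length 0
# Greedy \S+ followed by \.(\w+) splits "host.port" at the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample input, modeled on the captures posted in the thread.
BROKEN_LAN_CAPTURE = """\
09:17:08.503468 IP 203.0.113.7.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:17:11.505765 IP 203.0.113.7.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:17:17.502731 IP 203.0.113.7.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,nop,sackOK], length 0
"""

WORKING_LAN_CAPTURE = """\
09:27:10.205921 IP 203.0.113.7.62633 > 192.168.0.15.ssh: Flags [S], seq 13237633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:27:10.206482 IP 192.168.0.15.ssh > 203.0.113.7.62633: Flags [S.], seq 1981900857, ack 13237634, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
09:27:10.217913 IP 203.0.113.7.62633 > 192.168.0.15.ssh: Flags [.], ack 1, win 256, length 0
09:27:10.217948 IP 203.0.113.7.62633 > 192.168.0.15.ssh: Flags [P.], seq 1:29, ack 1, win 256, length 28
"""


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for a TCP summary line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m.group("src"), m.group("sport"), m.group("dst"),
            m.group("dport"), m.group("flags"))


def classify_flows(capture_text):
    """Group packets into client->server flows keyed by "src:sport -> dst:dport".

    Each value holds the number of SYNs seen, whether a SYN-ACK came back,
    and the total packet count. syn > 1 with synack False is the
    retransmitted-and-unanswered signature of a broken forward path.
    """
    flows = {}
    blank = lambda: {"syn": 0, "synack": False, "packets": 0}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue  # ARP, ICMP, tcpdump banner or anything else we don't model
        src, sport, dst, dport, flags = pkt
        forward = f"{src}:{sport} -> {dst}:{dport}"
        reverse = f"{dst}:{dport} -> {src}:{sport}"
        if flags == "S":
            # Initial SYN, or a retransmission of it, from the client side.
            f = flows.setdefault(forward, blank())
            f["syn"] += 1
        elif flags == "S.":
            # SYN-ACK travels server -> client, so it belongs to the reverse flow.
            f = flows.setdefault(reverse, blank())
            f["synack"] = True
        else:
            # Any other segment: attribute it to whichever direction is known.
            f = flows.setdefault(forward if forward in flows else reverse, blank())
        f["packets"] += 1
    return flows


def unanswered_flows(capture_text):
    """Labels of flows that sent one or more SYNs and never saw a SYN-ACK."""
    return [label for label, f in classify_flows(capture_text).items()
            if f["syn"] > 0 and not f["synack"]]


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_LAN_CAPTURE), ("working", WORKING_LAN_CAPTURE)):
        for label, f in classify_flows(text).items():
            state = "answered" if f["synack"] else f"UNANSWERED after {f['syn']} SYN(s)"
            print(f"{name}: {label}: {state}, {f['packets']} packets")
```

Run it against a capture from each side of pfSense (for example `tcpdump -ni <if> host <public ip> and port 22` on the WAN interface, and the same with the private address on the LAN interface). A flow that is unanswered on the inside interface but present there means the SYN did reach the LAN and nothing came back, which narrows the search to the server and its return path rather than to the inbound NAT rule.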



  • Should the client be responding to traffic across both WANs?

    It appears this question might be partially addressed by an older forum post:
    https://forum.pfsense.org/index.php?topic=5213.0

    Have you tried using port forwards instead of 1:1 NAT?



  • I have several WAN interfaces (8 at the moment) and it should listen on just 1 interface. I'll try disabling 1:1 NAT for this interface and do port forwarding. The other way around it is working fine; I can reach the internet from the local server, but it is still strange that 1:1 NAT works fine for 7 interfaces but not for number 8.

    Thanks,
    Roger

