    Another multiple WAN -> 1:1 NAT still unstable

Woger:

      Hi,
Reading back a little I see a lot of problems with pfSense boxes with multiple WAN addresses trying to use 1:1 NAT. I am having the same problems at the moment. My complete setup is in a cloud environment. The pfSense server has 20 public IP addresses in several subnets. On the other side I have a 192.168.0.0/24 LAN subnet. Every public IP address has its own interface on pfSense and is 1:1 NATted to a 192.68.0.x IP address. This is working OK for about 12 IPs, but the others just won't work. They are configured the same as the working ones, but just don't forward external requests. I have had this problem for a while now and was able to do the job with just the working IPs, but after rebooting pfSense yesterday evening, one of the working IPs stopped working. This of course changes everything, because I have production servers behind the firewall.
Is there a way to debug this problem or a stable workaround I can try?
pfSense 2.3.3-RELEASE (amd64)

      Thanks,

      Roger

isolatedvirus:

Debugging would be performed by doing packet captures (tcpdump) on the external AND internal interfaces to ensure traffic is being passed.

From there you can start narrowing down what the issue is. If you're seeing traffic being passed through, then pfSense isn't the cause of the issue. If traffic ISN'T passing, start by double checking your NAT and firewall rules.

Woger:

          Thanks IsolatedVirus,

          Sorry for the late response.
I just did a tcpdump on the LAN and the interface with these results:

09:17:08.503468 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:17:11.505765 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
09:17:17.502731 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, options [mss 1460,nop,nop,sackOK], length 0

To compare, I did the same on a working interface and got this:

09:27:10.205921 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [S], seq 13237633, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
          09:27:10.206482 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [S.], seq 1981900857, ack 13237634, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 9], length 0
          09:27:10.217913 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 1, win 256, length 0
          09:27:10.217948 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1:29, ack 1, win 256, length 28
          09:27:10.218391 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [.], ack 29, win 58, length 0
          09:27:10.224374 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 1:40, ack 29, win 58, length 39
          09:27:10.236039 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 29:701, ack 40, win 256, length 672
          09:27:10.236493 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 40:992, ack 701, win 60, length 952
          09:27:10.248046 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 701:725, ack 992, win 252, length 24
          09:27:10.252737 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 992:1528, ack 725, win 60, length 536
          09:27:10.315680 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 1528, win 256, length 0
          09:27:10.374259 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 725:1253, ack 1528, win 256, length 528
          09:27:10.392911 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 1528:2632, ack 1253, win 63, length 1104
          09:27:10.455984 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 2632, win 252, length 0
          09:27:10.515713 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1253:1269, ack 2632, win 252, length 16
          09:27:10.515742 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [P.], seq 1269:1333, ack 2632, win 252, length 64
          09:27:10.516165 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [.], ack 1333, win 63, length 0
          09:27:10.516276 IP 192.168.0.15.ssh > 541C4274.cm-5-xx.dynamic.ziggo.nl.62633: Flags [P.], seq 2632:2696, ack 1333, win 63, length 64
          09:27:10.577859 IP 541C4274.cm-5-xx.dynamic.ziggo.nl.62633 > 192.168.0.15.ssh: Flags [.], ack 2696, win 252, length 0

Seems NAT is not working properly.

isolatedvirus:
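As an added illustration of the comparison above (this is not code from the post): a small Python script that parses tcpdump summary lines like the ones shown and labels each connection as "no-reply" (SYNs retransmitted, never a SYN-ACK, the symptom on the broken interface) or "established". The sample lines are constructed, and the client address 203.0.113.5 is a placeholder.

```python
import re
from collections import defaultdict

# Matches tcpdump TCP summary lines as printed in the post ("... IP a.port > b.port: Flags [S], ...").
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
                     r"(?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Fields of one tcpdump TCP line, or None for anything else (ARP, ICMP, junk)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_flows(lines):
    """Group packets per connection and label each: 'no-reply' (SYNs but never a
    SYN-ACK, the symptom in the first capture), 'established', or 'mid-stream'."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "other": 0, "name": None})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        a = "%s:%s" % (pkt["src"], pkt["sport"])
        b = "%s:%s" % (pkt["dst"], pkt["dport"])
        f = flows[frozenset((a, b))]          # same key for both directions
        if f["name"] is None or pkt["flags"] == "S":
            f["name"] = "%s -> %s" % (a, b)   # client -> server once a SYN is seen
        if pkt["flags"] == "S":
            f["syn"] += 1
        elif pkt["flags"] == "S.":
            f["synack"] += 1
        else:
            f["other"] += 1
    report = {}
    for f in flows.values():
        if f["syn"] == 0:
            status = "mid-stream"             # no handshake captured, cannot judge
        elif f["synack"] == 0:
            status = "no-reply"               # retransmitted SYNs, nothing back: NAT or return path
        else:
            status = "established"
        report[f["name"]] = {"status": status, "syn": f["syn"], "synack": f["synack"]}
    return report

# Constructed sample modelled on the two captures in the post (not the poster's data).
SAMPLE = """\
09:17:08.503468 IP 203.0.113.5.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, length 0
09:17:11.505765 IP 203.0.113.5.62472 > 192.168.0.34.ssh: Flags [S], seq 2977635328, win 8192, length 0
09:27:10.205921 IP 203.0.113.5.62633 > 192.168.0.15.ssh: Flags [S], seq 13237633, win 8192, length 0
09:27:10.206482 IP 192.168.0.15.ssh > 203.0.113.5.62633: Flags [S.], seq 1981900857, ack 13237634, length 0
09:27:10.217913 IP 203.0.113.5.62633 > 192.168.0.15.ssh: Flags [.], ack 1, win 256, length 0
""".splitlines()
```

Run `classify_flows(SAMPLE)` (or feed it `tcpdump -n` output captured on the WAN and LAN interfaces) to see which connections get a "no-reply" label on one interface but "established" on another.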

Should the client be responding to traffic across both WANs?

It appears this question might be partially addressed by an older forum post:
https://forum.pfsense.org/index.php?topic=5213.0

Have you tried using port forwards instead of 1:1 NAT?

Woger:

I have several WAN interfaces (8 at the moment) and it should listen on just one interface. I'll try disabling 1:1 NAT for this interface and do port forwarding. The other way around it is working fine; I can reach the internet from the local server, but it is still strange that 1:1 NAT works fine for 7 interfaces but not for number 8.

              Thanks,
              Roger
