Solved: Problems with NAT on Virtual IP



  • Hi,

I suddenly have problems with a configuration that worked for a long time; the problems have existed perhaps since the last update (the connection is not used every day, so I can't determine the exact time):

    2.3.4-RELEASE-p1

I have defined a Virtual IP and a corresponding NAT rule:

    WAN TCP * * "VirtualIP" 443 (HTTPS) 192.168.28.18 443 (HTTPS)

There is a corresponding automatically generated firewall rule, and I have automatic outbound NAT rule generation.

For a few days I have had the problem that the firewall blocks the outgoing NAT traffic; some lines from the log:

    Aug 2 10:56:00 LAN 192.168.28.18:443 80.187.101.26:1261 TCP:SA
    Aug 2 10:56:06 LAN 192.168.28.18:443 80.187.101.26:1063 TCP:R
    Aug 2 10:56:09 LAN 192.168.28.18:443 80.187.101.26:1147 TCP:R
    Aug 2 10:56:12 LAN 192.168.28.18:443 80.187.101.26:1261 TCP:R
    Aug 2 10:57:40 LAN 192.168.28.18:443 80.187.101.26:6406 TCP:SA
    Aug 2 10:57:43 LAN 192.168.28.18:443 80.187.101.26:6406 TCP:SA
    Aug 2 10:57:49 LAN 192.168.28.18:443 80.187.101.26:6406 TCP:SA

I tried to reconfigure all the rules and tried switching to manual outbound NAT rule generation, but nothing helps.

As I mentioned above, these rules worked for more than a year until last week....

Thanks for your support!

    Wolfgang


  • LAYER 8 Netgate

    Are you actually experiencing a connectivity problem or are you just seeing firewall log entries?

    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Actual blocked connections will show up as TCP:S for SYN.

    https://en.wikipedia.org/wiki/Transmission_Control_Protocol#Connection_establishment

Also, all those log entries are on LAN, which further proves these are already-closed states.

    An actual blocked connection would be logged on the WAN interface.
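The reply above boils down to two checks on each log line: the TCP flags (a bare S is a rejected new connection; SA, A, R, FA and the like with no matching state are stragglers from a state that already closed or expired) and the interface (a genuinely blocked inbound connection to the VIP would be logged on WAN, not LAN). The script below is an added example, not code from either poster or from pfSense: it parses log lines in the compact form quoted in the thread, applies those two checks, and counts what is really a block versus out-of-state noise. The sample log is constructed for the example; the first three lines copy the shape of the quoted entries, the WAN lines with 203.0.113.x/198.51.100.x addresses are made up to show what a real block looks like.

```python
import re
from collections import Counter

# Constructed sample log. The LAN lines mirror the entries quoted in the
# thread; the WAN lines are invented to show genuine blocks (TCP:S, UDP).
SAMPLE_LOG = """\
Aug 2 10:56:00 LAN 192.168.28.18:443 80.187.101.26:1261 TCP:SA
Aug 2 10:56:06 LAN 192.168.28.18:443 80.187.101.26:1063 TCP:R
Aug 2 10:57:49 LAN 192.168.28.18:443 80.187.101.26:6406 TCP:SA
Aug 2 11:02:13 WAN 203.0.113.7:51234 198.51.100.10:443 TCP:S
Aug 2 11:02:20 WAN 203.0.113.7:51235 198.51.100.10:22 TCP:S
Aug 2 11:03:01 WAN 203.0.113.9:40000 198.51.100.10:53 UDP
"""

# "Mon D HH:MM:SS IFACE SRC:SPORT DST:DPORT PROTO[:FLAGS]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


def parse_line(line):
    """Return a dict of the fields, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["flags"] = entry["flags"] or ""  # UDP/ICMP entries carry no flags
    return entry


def classify(entry):
    """Label one log entry.

    blocked_syn   - TCP with only SYN set: a new connection the ruleset rejected
    out_of_state  - TCP with ACK/RST/FIN set but no state: the state was already
                    closed or expired, so pf's default deny logs the straggler
    blocked       - non-TCP entry; there are no handshake flags to read
    """
    if entry["proto"] != "TCP":
        return "blocked"
    if entry["flags"] == "S":
        return "blocked_syn"
    return "out_of_state"


def summarize(lines):
    """Count entries per category, ignoring lines that do not parse."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[classify(entry)] += 1
    return counts


def real_blocks(lines):
    """Entries worth investigating: rejected new connections, plus non-TCP blocks."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry) != "out_of_state":
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{category:13s} {n}")
    for e in real_blocks(SAMPLE_LOG.splitlines()):
        print(f"real block on {e['iface']}: {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']} {e['proto']}:{e['flags'] or '-'}")
```

Run against the lines from the original post, every entry lands in out_of_state and the real-block list is empty, which is the point the reply makes: the server's SYN-ACK and RST replies on LAN are being logged because the state that would have matched them is already gone, not because the NAT rule is broken.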



Sorry, this post can be closed; it was a PEBKAC....

I have a backup firewall, and I forgot to disable the WAN interface on that machine after the last update, so the backup machine grabbed the Virtual IP first.... The gateway is on the production machine, and so the firewall blocked the traffic....

    Thanks

    Wolfgang

