1:1 NAT on CARP VIP - Inbound works great, problems with outbound
-
I'm tearing my hair out over a bizarre issue that seems to be related to NAT configuration. Dollars to donuts I've misconfigured something, but I'll be darned if I can figure out what it is.
I've got a dual-pfSense configuration set up with CARP between the two boxes. We've got multiple public IP addresses addresses set up as CARP Virtual IP's. There are three 1:1 NAT's set up (for public-facing web servers).
So, essentially, we've got a 1:1 NAT between (public) 207.XX.XX.85 and (private) 192.168.1.22, with the expectation that any outbound traffic that comes out of the 192.168.1.22 machine will go out on the 207.XX.XX.85 public address.
For traffic that originates outside and comes in to the web servers, everything works flawlessly. Traffic comes in on the public IP and is directed via the 1:1 NAT to the right server, which is able to respond and serve up the page. Everything's great.
The problem that I'm having has to do with traffic that originates on the NATted server and is going outbound…specifically web traffic (hitting a remote server on port 80). For some reason, it isn't working properly.
This came to light with a new website design that uses PHP and curl to do a fetch of a remote website. The script was timing out. To test the outbound fetch, I went on the server (it's SuSE Linux, command-line only) and did a wget to the same URL. This reported that the connection was made to the remote server on port 80, but then it timed out waiting for content. HOWEVER, in checking the log files on the target server, I don't see any connection from one of our public IP's.
To add some intrigue to the whole thing, a wget to an outside FTP server works fine! I have this vague suspicion that this "userland FTP helper" dealie is the reason for that.
For firewall rules, on the LAN tab, I have a rule that allows ALL traffic (regardless of source or destination); all rules are set up on the WAN tab. For WAN, I have added two rules that should allow ALL traffic to pass with this specific target server -- one that allows all traffic with a source of the target IP, the other with a destination of the target IP.
On the NAT Outbound tab, I have the "Automatic Outbound NAT rule generation" option selected, with the expectation
We're running 1.2-RELEASE.
Any ideas what could be causing this? This is a huge problem, as we have to get this new website up and running as soon as possible. Any insights are greatly appreciated.
Regards,
Eric Longman -
Can you show a screenshot of your rules?
Also is this remot Server behind the same pfSense and you're trying to access it via its public IP?
Or is it somewhere entirely else? -
I've attached a screen shot of the ruleset.
The remote server is NOT behind this pfSense, and is completely remote to the entire setup.
-
I meant the LAN-rules since your problem is with outgoing traffic.
The WAN rules are irrelevant for outbound connections. -
Ahh. Sorry. That's a whole lot more boring…
-
Now that is strange…
But connections from this computer to other destinations do work?
Do you have anything in the firewall log? -
Do you have anything in the firewall log?
As a add to this place a rule above with the servers ip as source and tick log.
Diagnostics -> Packet Capture can also be helpful.
Did you try wget to another server?
