Netgate Discussion Forum

    [SOLVED] NAT broke after 2.4.0 upgrade

mlanner

      Or at least that's my working theory right now.

      Under 2.3 I had a few NAT port forwarding rules for SSH setup from WAN to DMZ addresses on one of my firewalls. It's been working for years through many, many upgrades. Suddenly, after upgrade to 2.4.0, it's not working anymore.

      How did I conclude NAT broke? This is what I've tested so far:

      • Firewall rules applied directly to the WAN interface, like OpenVPN, work fine.
      • If I'm behind the firewall, or VPN'd in, I can SSH to the same machines without a problem.
      • My WAN IP subnet is defined as individual Proxy ARP VIPs.
          * Each VIP is defined as a /32.
      • My NAT rules used aliases for both the internal IPs and ports.
          * I've tested not using aliases in my NAT statements. It doesn't make a difference.
          * I've tested deleting the old NAT statements and recreated them. No go.

      I'm sure I must have missed something in release notes or whatever, but I feel I've tried everything I can think of now and still can't get back to a working state.

      I also found this https://forum.pfsense.org/index.php?topic=133169.msg731990#msg731990 post, which seems to indicate that aliases could be a problem. Since I've tried removing aliases and even recreating the NAT statements, I don't think that's it.

arrmo

        Yep, with the IP address hard coded - all works fine. I'm afraid to change it back now to test … ;).

mlanner

          @arrmo

          I still can't get it to work with hard coded addresses instead of aliases. However, I think I've narrowed it down to using Virtual IPs. If I move a rule from using a "Virtual IP" with "Proxy ARP" to instead use my "WAN address", as defined by pfSense, it does work properly and does the NAT as expected. Obviously, that's an issue. I see other people also having similar problems.

mlanner

            SOLVED!

            The problem with my setup was that I was using Proxy ARP for my VIPs. Obviously, as noted earlier, Proxy ARP has worked flawlessly up until the 2.4 release. Once I changed Proxy ARP to IP Alias, things started working again. For my Proxy ARP setup, I used to create the VIPs as /32. With my new IP Alias setup, I have adjusted the VIP to match the WAN subnet provided by my ISP.

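An added example (not from the thread or from pfSense itself) that turns the fix above into a pre-upgrade check: it scans a config.xml backup for WAN VIPs that NAT port forwards point at and flags any still in Proxy ARP mode, or any IP Alias whose mask does not match the ISP-provided WAN subnet. The config.xml layout (`virtualip/vip` with `mode`, `subnet`, `subnet_bits`; `nat/rule` with `destination/address`) and the sample addresses are assumptions, and the embedded config is constructed for the demo.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the relevant config.xml fragments (assumed layout, not a
# real export). Addresses come from documentation ranges.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface><subnet>198.51.100.10</subnet><subnet_bits>32</subnet_bits><descr>ssh-dmz1</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>198.51.100.11</subnet><subnet_bits>29</subnet_bits><descr>ssh-dmz2</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>198.51.100.12</subnet><subnet_bits>32</subnet_bits><descr>ssh-dmz3</descr></vip>
  </virtualip>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol><destination><address>198.51.100.10</address><port>22</port></destination><target>10.0.1.10</target><local-port>22</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol><destination><address>198.51.100.11</address><port>22</port></destination><target>10.0.1.11</target><local-port>22</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol><destination><address>198.51.100.12</address><port>22</port></destination><target>10.0.1.12</target><local-port>22</local-port></rule>
  </nat>
</pfsense>"""


def audit_vips(config_xml, wan_subnet):
    """Return (address, mode, verdict) for every VIP that a NAT port forward targets.

    Proxy ARP VIPs are flagged because they are the mode that stopped forwarding
    for the poster on 2.4.0; IP Alias VIPs are flagged when their mask or address
    does not line up with the ISP-provided WAN subnet.
    """
    root = ET.fromstring(config_xml)
    wan = ipaddress.ip_network(wan_subnet, strict=False)
    # Only NAT (port forward) rules, not firewall filter rules, are of interest.
    forwarded = {r.findtext("destination/address") for r in root.findall("nat/rule")}
    findings = []
    for vip in root.findall("virtualip/vip"):
        addr = vip.findtext("subnet")
        if addr not in forwarded:
            continue  # VIP not used by any port forward; nothing to check
        mode = vip.findtext("mode")
        bits = int(vip.findtext("subnet_bits"))
        if mode == "proxyarp":
            findings.append((addr, mode, f"convert to ipalias /{wan.prefixlen}"))
        elif mode == "ipalias" and (bits != wan.prefixlen or ipaddress.ip_address(addr) not in wan):
            findings.append((addr, mode, f"mask /{bits} does not match WAN {wan}"))
        else:
            findings.append((addr, mode, "ok"))
    return findings


if __name__ == "__main__":
    for addr, mode, verdict in audit_vips(SAMPLE_CONFIG, "198.51.100.8/29"):
        print(f"{addr:16} {mode:9} {verdict}")
```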
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.