Incoming traffic to 1:1 NAT targets gets confused once in a great while



  • Our pfSense firewall is at version 2.3.4.  We have a Cox broadband connection with the standard static IP plus a CIDR block of 16 "/28" addresses.

    For each address we are using in the CIDR block (9 of the 16) we have both a virtual IP and a 1:1 NAT entry.

    We then define regular NAT port forwarding, just for the ports we have external services listening on.

    For almost three years this has been working fine. But in the last six months we are seeing a request to one of the virtual IPs return a response from a server that is assigned to a different virtual IP.

    The problem only happens every two or three weeks, usually just a handful of times. We've been able to capture the requests/responses using the browser's web control panel and then look in the server logs to see the response being returned.

    We've re-reviewed our rules and they seem right. We've also got logging turned on for the corresponding firewall rules, but that does not really help much.

    Does anyone have any idea on how we might isolate the problem or what the problem might be?

    Thank you much - Richard


  • Rebel Alliance Developer Netgate

    So you have 1:1 NAT and then port forwards defined on top with the same destinations? That isn't necessary. You only need 1:1 NAT + Firewall rules.

    Port forwards take precedence over 1:1 NAT on the inbound traffic, so your 1:1 NAT may be fine, but if something happened to the port forward then it may misbehave.

    Are you using aliases anywhere in the port forwards? Anything special in the destinations?
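As an added example (not code from the thread or from pfSense itself), here is a small Python model of the evaluation order described above: port forwards are checked first, and 1:1 NAT is consulted only for packets no port forward claimed. It also expands aliases in the port forward's destination and port fields, so you can see which rule a given inbound packet would hit. All addresses, alias names, rules and hosts below are constructed for illustration, and the port forward whose destination alias holds two virtual IPs is a hypothetical configuration chosen to make the precedence visible, not the poster's actual setup.

```python
"""Model of inbound NAT resolution on a pfSense WAN, written to show the
ordering discussed in the thread: port forwards are evaluated before 1:1 NAT,
so a matching port forward decides where a packet goes even when a 1:1 entry
for the same virtual IP exists.  Every address, alias and rule in this file is
constructed for the example; none of it is the thread's real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical alias table, as Firewall > Aliases would hold it.
ALIASES: Dict[str, List[str]] = {
    "WEB_VIPS": ["203.0.113.17", "203.0.113.18"],  # two virtual IPs from a /28
    "WEB_PORTS": ["80", "443"],
}


@dataclass(frozen=True)
class PortForward:
    proto: str                          # "tcp" or "udp"
    dst: str                            # IP, CIDR, or alias name
    dst_ports: str                      # port, "lo-hi", or alias name
    target: str                         # internal host
    target_port: Optional[int] = None   # None keeps the original port


@dataclass(frozen=True)
class OneToOne:
    external: str   # virtual IP on WAN
    internal: str   # LAN host it maps to


def expand_hosts(spec: str) -> List[ipaddress.IPv4Network]:
    """Resolve an alias name or a single address/CIDR into networks."""
    entries = ALIASES.get(spec, [spec])
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def expand_ports(spec: str) -> List[Tuple[int, int]]:
    """Resolve an alias name, single port or lo-hi range into (lo, hi) tuples."""
    out = []
    for e in ALIASES.get(spec, [spec]):
        lo, _, hi = e.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def resolve_inbound(dst_ip, dst_port, proto, forwards, one_to_one):
    """Return (internal_ip, internal_port, rule_kind) for an inbound packet,
    or None when nothing translates it.  Port forwards are tried first, in
    order; 1:1 NAT only applies to packets no port forward matched."""
    ip = ipaddress.ip_address(dst_ip)
    for pf in forwards:
        if pf.proto != proto:
            continue
        if not any(ip in net for net in expand_hosts(pf.dst)):
            continue
        if not any(lo <= dst_port <= hi for lo, hi in expand_ports(pf.dst_ports)):
            continue
        return (pf.target, pf.target_port or dst_port, "port-forward")
    for b in one_to_one:
        if ip == ipaddress.ip_address(b.external):
            return (b.internal, dst_port, "1:1")
    return None


# Constructed configuration: two VIPs, each 1:1 mapped to its own web server.
ONE_TO_ONE = [
    OneToOne("203.0.113.17", "10.0.0.17"),
    OneToOne("203.0.113.18", "10.0.0.18"),
]

# Hypothetical port forward whose destination is the alias holding BOTH VIPs.
# Meant for the first server only, but the alias makes it match the second VIP
# too, and because port forwards win, that traffic never reaches the 1:1 entry.
FORWARDS_WITH_ALIAS = [
    PortForward("tcp", "WEB_VIPS", "WEB_PORTS", "10.0.0.17"),
]


def compare(dst_ip, dst_port):
    """Where one TCP packet lands with the port forward layer present vs. with
    only the 1:1 NAT entries (the configuration the reply recommends)."""
    with_pf = resolve_inbound(dst_ip, dst_port, "tcp", FORWARDS_WITH_ALIAS, ONE_TO_ONE)
    only_1to1 = resolve_inbound(dst_ip, dst_port, "tcp", [], ONE_TO_ONE)
    return with_pf, only_1to1


if __name__ == "__main__":
    for vip, port in (("203.0.113.17", 443), ("203.0.113.18", 443), ("203.0.113.18", 22)):
        print(f"{vip}:{port} -> with port forward: {compare(vip, port)[0]}, "
              f"1:1 only: {compare(vip, port)[1]}")
```

Running it shows the second VIP's HTTPS traffic going to the first server while the port forward exists and to its own server once only the 1:1 entries remain; a port the forward does not cover (22) lands on the 1:1 target either way. The same loop can be pointed at the destination IP and port seen in a captured request to check which layer claims it.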



  • Jim,
    I am so sorry - I missed your response on this. I know it's been six months, but the problem reared its head again.

    If I understand correctly, you are saying that the combination of NAT port forwarding and 1:1 NAT to my virtual IPs assigned to the CIDR block "could" be causing the issue, when you say "… if something happened to the port forward then it may misbehave."

    It's weird too, as often getting the remote user to clear their browser cache makes the problem go away, but other times it takes a day.

    We had been using NAT port forwarding in conjunction with 1:1 NAT to try and conserve our static IPs, but it sounds like it might be safer to just do the 1:1 NAT and not port forwards.

    Is there any way to further pin this down? I have correlated Chrome browser network requests with pfSense firewall logs and the request logs on the two web servers involved. I can pretty clearly see where the first six requests from the browser are all to the IP address of the first web server, but pfSense shows the sixth request gets NATed to a different server, with of course no rationale for why it did that.

    UPDATE: Yes we are also using aliases a good bit. What type of issues might that cause?

    Thank you again - Richard