Netgate Discussion Forum

    NAT'ing
    • Derelict (LAYER 8 Netgate)

      Rules on LAN have nothing to do with 1:1 NAT. LAN passes traffic outbound. 1:1 NAT might translate the same on its way out WAN.

      The only thing you might have been doing is bad policy routing.

      Glad it's working.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • shapiros

        I wholeheartedly agree that LAN rules should NOT affect 1:1 NAT. However, on pfSense 2.4.1 & 2.3.5 they do. Try experimenting with it some. You should see the exact behavior. I can replicate the behavior every time. May just be what we refer to as an "undocumented feature"  ;)

        I still can't thank you folks enough for the help. I had been struggling with this for several weeks and was at my wits-end!

        BLESS YOU BOTH!!!
        Sig

        • Derelict (LAYER 8 Netgate)

          No, it doesn't. (Try experimenting with it some… Umm.)

          The traffic is either passed on LAN or it is not.

          IF you are trying to do NAT reflection then you do need to be sure traffic is passed on LAN to the NAT destination address on LAN which makes no sense except when NAT reflection is involved.


          • johnpoz (LAYER 8 Global Moderator)

            Yeah, LAN rules have nothing to do with whatever your problem was..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • shapiros

              Peace, bros. Just stating my observations. As a peace offering my config is attached with the public "IPs" changed to protect the innocent. You can see for yourself how extremely simple my configuration is. Almost everything is as it was at installation complete and reboot…

              (Try experimenting with it some… Umm.)

              Yes, it is called "regression testing". Someone, somewhere has a lab (or even a virtual environment) with the ability to load such up and test it. I would hope!

              IF you are trying to do NAT reflection then you do need to be sure traffic is passed on LAN to the NAT destination address on LAN which makes no sense except when NAT reflection is involved.

              NAT reflection is set to "System Default" which equates to YES as can be seen in the config.

              Look, I get it. You get folks all the time that make outlandish claims which may or may not be relevant to a perceived problem they are experiencing. I am no Network Engineer and don't claim to be. Not even a novice at it. But once in that blue moon, someone will come along with something that should not happen or be related to the reported problem. Is it not worth investigation before execution of the defendant? Sometimes? Maybe?
              I am not saying the issue and ultimate resolution are related nor that the two are mutually inclusive, just, as Joe Friday would say, I am providing "just the facts ma'am"!


              config-firewall.semiautoarms.com-20180306134944.txt

              • Derelict (LAYER 8 Netgate)

                The way to accomplish that is to develop a specific set of steps from a default configuration that produces the result you think is unexpected.

                I work with pfSense all day every day for a living and have a lab of at least 8 pfSense devices at-the-ready to prove or disprove things like this (see my sig - that lab always exists and then some). But I will not waste time on wild goose chases, so define the steps necessary to duplicate your phenomenon.

                What you are stating is incorrect. 1:1 NAT is completely irrelevant to LAN rules unless, maybe, NAT reflection is involved.

                Since you don't even know what that is, I can only presume that is not the case.

                I might find time to look at that config this weekend.


                • shapiros

                  What you are stating is incorrect. 1:1 NAT is completely irrelevant to LAN rules unless, maybe, NAT reflection is involved.

                  How is my statement incorrect? I thought I was stating exactly that, except that I did not realize NAT reflection could be a contributing factor. I think we are in violent agreement. But I am getting old and my perception can be skewed… sometimes!

                  As far as development of a set of use case steps from the default configuration, no thanks. I am a software engineer, not a systems engineer! Although the line of demarcation does get blurry occasionally. I have a 3 hour commute to work every day, work 10 hours and try to sleep for at least 7, binge watching "Supernatural" in the couple of hours I have at home each weeknight. The weekends are spent building custom firearms for folks breathing down my neck since I have a 6 month backlog that has turned into 9.

                  AGAIN, thanks for the direction, advice and time taken to even address my issue!!!

                  • johnpoz (LAYER 8 Global Moderator)

                    Let's keep in mind that more than likely there was NOTHING wrong…  Those blocks were out of state traffic; all of it looks outbound to me..

                    For all we know his wan went down and reset states and so yeah going to see SA and A blocks on the lan..

                    One statement sounds to me like he was trying to get NAT reflection to work.  Which yeah is not going to unless setup, and to be honest is not needed in 999/1000 cases.. if not all 1000.. It's a hack to be sure and should be avoided anyway.


                    • shapiros

                      I started to just leave your statements alone. However, you are doing the present/future readers of this post an injustice by stating such. So, yes, if enticing me was your goal, congratulations! However, no "social justice" participation trophy will be awarded as a result…

                      Let's keep in mind that more than likely there was NOTHING wrong…

                      There WAS something wrong. I had been working on this for weeks and know enough about networking that I am 100% sure an issue existed (and might AGAIN add, can be reproduced). My son, who is an NE himself, even acknowledged there was a problem. No, he is not a pfSense SME but for one NE to claim prima donna status over another just discredits yourself. That is sad!

                      For all we know his wan went down and reset states

                      uuhhh, NO. This statement is a total farce! My WAN would have to be in a constant state of instability. You're kidding, right?

                      One statement sound to me like he was trying to get nat reflection to work.

                      WHAT THE HELL! NAT reflection, for those that are too lazy to google it, is nothing more than a mapping for LAN entities to be able to resolve a WAN IP that actually exists within the LAN without hitting the WAN itself. Sorry but I don't host google's DNS servers, amazon.com or even ebay.com. I could not even recall the HUNDREDS of public names/IPs I tried resolving over the last few weeks. I did NOTHING with NAT reflection. The friggin 1:1 NAT would not work so why would I have been messing with NAT reflection, Jesus…

                      You know, I HAD a pretty high opinion of you guys. However, that opinion is a mere dwarf of the star it once was. I really don't get it. Can't fathom what the motivation might be for wanting to discredit people that hit this forum immediately. I let it roll off the first time but to do it again, nah.
                      Since I am no psychologist, this is only a guess but one of two things is in play here. Either you are actually sitting in your momma's basement and get your jollies off on flaming folks on this and other forums OR you are actual NEs that have been passed over and over and over again for promotion and simply have a thorn up your ass the size of Rhode Island because of it (and socially inept as well)

                      You guys keep on keepin' on. The contribution you could actually be making, to make someone's life a little less miserable, really makes me sad. It really does...

                      • Derelict (LAYER 8 Netgate)

                        Specific steps to duplicate would go a long way to receiving more cooperation.

                        The number of times someone comes here saying they found a bug is probably 1000 misconfigurations/misunderstandings to every 1 actual problem found. And those problems are almost never in simple things like NAT.

                        Apologies for soliciting actual details. Too bad you're too busy to provide them.


                        • johnpoz (LAYER 8 Global Moderator)

                          what???

                          Dude you have yet to show something wrong… Sorry but that is FACT!!!  A firewall will block out of state traffic... All the blocks you were showing were out of state.. They were not SYN blocks..

                          Calling it anything other than PEBKAC is what would be out of line here... Sorry been here 10 years...  If I had a nickel for every time someone said is this a bug... And bought cryptocoin with it I would be on my island with the yacht with its helicopter in the bay sipping a cold drink with my toes in the water and my ass in the sand.

                          Vs still here listening to people ask what is wrong, but can not provide any details to show the problem..

                          When you want to show us an actual problem that cannot be explained by simple PEBKAC.. Then happy to help..  But sorry, someone that would put a rule on an interface that could never happen... Like you had, shows clearly you do not understand how any of this actually works..

                          For future readers..  What exactly was not working here?  Other than you seeing some out of state blocks in your log?  Nat reflection??

                          Where is the state showing pfsense sent traffic to IP address 123 via 1:1 nat and then blocked the SA back??


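The point johnpoz makes twice above (the blocks in the log were out-of-state SA/A segments rather than SYN blocks, and the thing to look for is whether pfSense ever built the state for the 1:1 NAT'd flow) can be checked mechanically rather than by eye. The script below is an added example for this thread; it is not code from the thread or from the pfSense project. It assumes the comma-separated layout of the pfSense raw filter log (common fields, then IPv4 fields, addresses, then a TCP or UDP tail). The log lines, the interface names igb0 (WAN) and igb1 (LAN), and all addresses are constructed for illustration.

```python
"""Sort pfSense filterlog block entries into SYN blocks vs out-of-state blocks.

Added example for this thread; not code from the thread or from pfSense.
Assumes the comma-separated layout of the pfSense raw filter log (common
fields, IPv4 fields, addresses, then the TCP or UDP tail). The log lines are
constructed, and the interface names igb0 (WAN) and igb1 (LAN) are hypothetical.
"""
import re
from collections import Counter

COMMON = ["rulenr", "subrulenr", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto"]
ADDR = ["length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg",
       "options"]
UDP = ["sport", "dport", "datalen"]

# Strip the syslog timestamp/host/program prefix, keeping only the CSV payload.
SYSLOG_PREFIX = re.compile(r"^.*?filterlog(?:\[\d+\])?:\s*")

# Constructed sample log (not captured from a real firewall): one unsolicited
# SYN from the internet blocked on WAN, then a SYN-ACK and an ACK from a LAN
# server behind 1:1 NAT that arrive with no state to match, a passed LAN
# connection, and a blocked UDP probe on WAN.
SAMPLE_LOG = """\
Mar  6 13:49:44 fw filterlog[1234]: 9,,,1000000003,igb0,match,block,in,4,0x0,,55,12345,0,DF,6,tcp,60,198.51.100.20,203.0.113.5,40211,22,0,S,3103349628,,29200,,mss;sackOK;TS;nop;wscale
Mar  6 13:49:45 fw filterlog[1234]: 9,,,1000000003,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,198.51.100.20,443,40211,0,SA,1802371210,3103349629,65535,,mss;nop;wscale;sackOK;TS
Mar  6 13:49:46 fw filterlog[1234]: 9,,,1000000003,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,52,192.168.1.50,198.51.100.20,443,40211,0,A,1802371211,3103349629,65535,,nop;nop;TS
Mar  6 13:49:47 fw filterlog[1234]: 5,,,1000000103,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,51522,443,0,S,2000000000,,65535,,mss;sackOK;TS;nop;wscale
Mar  6 13:49:48 fw filterlog[1234]: 9,,,1000000003,igb0,match,block,in,4,0x0,,52,0,0,none,17,udp,78,198.51.100.30,203.0.113.5,60123,53,58
"""


def parse_filterlog_line(line):
    """Return the named fields of one IPv4 filterlog record as a dict."""
    fields = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    rec = dict(zip(COMMON, fields))          # zip stops after the 9 common fields
    rest = fields[len(COMMON):]
    if rec.get("ipver") != "4":
        raise ValueError("only IPv4 records are handled in this example")
    rec.update(zip(IPV4, rest))
    rest = rest[len(IPV4):]
    rec.update(zip(ADDR, rest))
    rest = rest[len(ADDR):]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, rest))
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, rest))
    return rec


def classify(rec):
    """Label a record. A blocked lone SYN is a refused new connection (the rule
    set said no). A blocked SA/A/PA/FA/R segment is mid-conversation traffic that
    found no state entry, which points at lost or never-created state rather
    than at the interface rules."""
    if rec["action"] != "block":
        return "pass"
    if rec.get("proto") != "tcp":
        return "block-other"
    return "block-syn" if rec.get("tcpflags") == "S" else "block-out-of-state"


def summarize(log_text):
    """Count records by (interface, direction, label)."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_filterlog_line(line)
            counts[(rec["iface"], rec["direction"], classify(rec))] += 1
    return counts


def out_of_state_blocks(log_text):
    """List (iface, src:port, dst:port, flags) for each out-of-state block; these
    are the entries to check against the state table before blaming a rule."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_filterlog_line(line)
            if classify(rec) == "block-out-of-state":
                hits.append((rec["iface"], f"{rec['src']}:{rec['sport']}",
                             f"{rec['dst']}:{rec['dport']}", rec["tcpflags"]))
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:5s} {key[1]:3s} {key[2]:20s} {n}")
    for hit in out_of_state_blocks(SAMPLE_LOG):
        print("out-of-state:", *hit)
```

Run against a real export of the firewall log, the summary separates the two cases the thread argues about: SYN blocks mean a rule refused a new connection, while SA/A blocks on the LAN side of a 1:1 NAT'd server mean the reply found no state, so the next step is to confirm whether a state existed for that flow (Diagnostics > States in the pfSense GUI, or `pfctl -ss` at the shell) rather than editing LAN rules.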