1:1 binat outbound stopped working after upgrade.

  • We upgraded from 2.3 to the latest 2.4.3 yesterday, and we tracked down the issue to outbound connections not working with the 1:1 NAT. If I click on "no binat", the outbound connections go out the default firewall IP correctly. We have proxy ARPs for the outside IPs with the 1:1 NAT. I looked at packet captures, logs and debug rules.

    Why would it try to send a syn packet on the outside interface after it was allowed by the dmz3 interface? I can't figure this out.

    Here are the logs when I try to initiate a connection behind the 1:1 NAT without the IPs:

    [screenshot of the firewall logs, image not reproduced]
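For readers unfamiliar with what the 1:1 NAT page configures underneath, the following pf.conf fragment is an added illustration (not the poster's configuration and not generated from the thread) of the two pieces involved: the binat translation itself and the "no binat" exemption mentioned above. Interface names, the DMZ host address, the public VIP and the exempted network are all assumed placeholder values.

```pf
# Added example, not the original poster's ruleset. All addresses and
# interface names below are assumptions for illustration only.
ext_if   = "em0"              # WAN interface
dmz_host = "10.0.3.10"        # internal host behind the 1:1 NAT (assumed)
vip      = "203.0.113.10"     # public address used for the mapping (assumed)

# 1:1 mapping, equivalent to a pfSense 1:1 NAT entry: traffic leaving WAN
# from dmz_host is rewritten to vip, and traffic arriving for vip is
# translated back to dmz_host. A single binat rule covers both directions.
binat on $ext_if from $dmz_host to any -> $vip

# Exemption, equivalent to the "no binat" option in the GUI: connections
# from dmz_host to this network keep the firewall's normal outbound
# behaviour instead of the 1:1 mapping.
no binat on $ext_if from $dmz_host to 192.0.2.0/24

# Note: these rules only translate addresses. Whether the upstream router
# can actually deliver packets for $vip depends on the firewall answering
# ARP for it (IP alias, CARP or proxy ARP VIP), which is separate from NAT.
```

Because the translation and the ARP answer for the public address are separate mechanisms, a binat rule can look correct in the ruleset while return traffic still fails if the VIP is not being answered on the WAN, which is why the VIP type matters when troubleshooting this.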



  • Changed from proxy ARP to IP alias, and now the 1:1 NAT works. Was there a change in how this works in 2.4?



  • We have used IP Alias for many years so I cannot say that I saw any changes. But have you seen this document?

    https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual

    I don't see anything that would suggest that your issue is known, but maybe another set of eyes...



  • Interesting, but after the upgrade I didn't see any ARP entries on the WAN with proxy ARP; I couldn't even ping the upstream gateway. Here is a passage from your link:

    If a particular configuration does not work with IP alias or Proxy ARP type VIPs, try with a CARP VIP instead, or vice versa. Address or wait out the potential ARP concerns before declaring one particular type a failure, and always be on the lookout for IP conflicts.

    I didn't see any IP conflicts, but maybe the ARP table became corrupted.