Netgate Discussion Forum
    1:1 binat outbound stopped working after upgrade.

Category: NAT
grulag:

We upgraded from 2.3 to the latest 2.4.3 yesterday, and we tracked down the issue to outbound connections not working with the 1:1 NAT. If I click on "no BINAT", the outbound connections go out the default firewall IP correctly. We have Proxy ARP VIPs for the outside IPs used by the 1:1 NAT. I looked at packet captures, logs and debug rules.

Why would it try to send a SYN packet on the outside interface after it was allowed by the dmz3 interface? I can't figure this out.

Here are the logs when I try to initiate a connection from behind the 1:1 NAT without the IPs:
[image: screenshot of the firewall log]

grulag:

Changed from Proxy ARP to IP Alias, and now the 1:1 NAT works. Was there a change in how this works in 2.4?

chpalmer:
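The two posts above describe the before/after state of the external address: with Proxy ARP nothing on the firewall seemed to claim the VIP on the WAN, and after switching to IP Alias the binat mapping worked. The script below is an added example, not code from this thread or from pfSense. It takes the text output of three commands a pfSense admin can run from the shell (`ifconfig <wanif>`, `ps ax`, `pfctl -sn`) and reports, for one external address, which internal host the binat rule maps to it and how the WAN side is claiming it: bound as an interface address (IP Alias), answered by a choparp process (Proxy ARP), or not claimed at all. The interface name em0, the addresses in 203.0.113.0/24 and 10.0.3.0/24, and every line of sample output are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Classifies how an
# external 1:1 NAT address is claimed on the WAN from the text output of
# `ifconfig <wanif>`, `ps ax` and `pfctl -sn`. Interface em0, the addresses
# and all sample output below are constructed for this example.

# classify_vip IFCONFIG_OUT PS_OUT ADDR
# prints ipalias  - ADDR is configured on the interface (IP Alias VIP)
#        proxyarp - a choparp process is answering ARP for ADDR (Proxy ARP VIP)
#        unbound  - nothing on this box claims ADDR, so the upstream router's
#                   ARP requests for it go unanswered and replies never arrive
classify_vip() {
  ifcfg="$1"; ps_out="$2"; addr="$3"
  if printf '%s\n' "$ifcfg" | grep -qF "inet $addr "; then
    echo ipalias
  elif printf '%s\n' "$ps_out" | grep choparp | grep -qF -- "$addr"; then
    echo proxyarp
  else
    echo unbound
  fi
}

# binat_target NATRULES ADDR
# prints the internal address that a binat rule maps to ADDR, or "none".
# The tokens after "from" and after "->" are located by name, so the parse
# does not depend on whether pfctl prints "inet" after the interface.
binat_target() {
  rules="$1"; addr="$2"
  printf '%s\n' "$rules" | awk -v a="$addr" '
    $1 == "binat" {
      src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") src = $(i + 1)
        if ($i == "->")   dst = $(i + 1)
      }
      if (dst == a) { print src; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# --- constructed sample output (not captured from a real box) -------------

# WAN carrying only its primary address: the state when no process answers
# ARP for the VIP either.
IFCONFIG_WAN_ONLY='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255'

# WAN after the VIP is changed to IP Alias: the address is bound to em0.
IFCONFIG_IPALIAS="$IFCONFIG_WAN_ONLY
        inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10"

# process lists with and without a Proxy ARP responder for the VIP
PS_PROXYARP='  812  -  Ss   0:00.02 /usr/local/sbin/choparp em0 auto 203.0.113.10/32'
PS_NONE='  701  -  Ss   0:00.10 /usr/local/bin/dpinger'

# NAT rule set with one 1:1 mapping plus the ordinary outbound NAT rule
NAT_RULES='nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
binat on em0 from 10.0.3.10 to any -> 203.0.113.10
nat on em0 inet from 10.0.3.0/24 to any -> 203.0.113.2 port 1024:65535'

# report IFCONFIG_OUT PS_OUT NATRULES ADDR
# one line tying the binat mapping to how the external address is claimed
report() {
  ifcfg="$1"; ps_out="$2"; rules="$3"; addr="$4"
  echo "$addr <- $(binat_target "$rules" "$addr")  claimed on WAN as: $(classify_vip "$ifcfg" "$ps_out" "$addr")"
}

# Proxy ARP VIP configured but no responder running: unbound
report "$IFCONFIG_WAN_ONLY" "$PS_NONE"     "$NAT_RULES" 203.0.113.10
# Proxy ARP responder running: proxyarp
report "$IFCONFIG_WAN_ONLY" "$PS_PROXYARP" "$NAT_RULES" 203.0.113.10
# VIP changed to IP Alias: ipalias
report "$IFCONFIG_IPALIAS"  "$PS_NONE"     "$NAT_RULES" 203.0.113.10
```

On a live box the same report comes from `report "$(ifconfig em0)" "$(ps ax)" "$(pfctl -sn)" 203.0.113.10` with the real WAN interface name. An "unbound" result means the binat rule can rewrite the source of the outbound SYN, but the upstream router has nobody to hand the reply to; `tcpdump -ni em0 arp` on the WAN confirms it, since the router's "who-has" for the VIP will be visible with no "is-at" answer from the firewall.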

We have used IP Alias for many years, so I can't say that I saw any changes. But have you seen this document?

          https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual

I don't see anything that would suggest that your issue is known, but maybe another set of eyes...

grulag:

Interesting, but after the upgrade I didn't see any ARP entries on the WAN with Proxy ARP; I couldn't even ping the upstream gateway. Here is a quote from your link:

            If a particular configuration does not work with IP alias or Proxy ARP type VIPs, try with a CARP VIP instead, or vice versa. Address or wait out the potential ARP concerns before declaring one particular type a failure, and always be on the lookout for IP conflicts.

            I didn't see any IP conflicts, but maybe the ARP table became corrupted.
