1:1 binat outbound stopped working after upgrade.
-
We upgraded from 2.3 to the latest 2.4.3 yesterday, and we tracked down the issue to outbound connections not working with the 1:1 NAT. If I click on no binat, the outbound connections go out the default firewall IP correctly. We have proxy ARPs for the outside IPs with the 1:1 NAT. I looked at packet captures, logs and debug rules.
Why would it try to send a syn packet on the outside interface after it was allowed by the dmz3 interface? I can't figure this out.
Here are the logs when I try to initiate a connection behind the 1:1 NAT without the IPs:
-
Changed from proxy ARP to IP alias, and now the 1:1 NAT works. Was there a change in how this works in 2.4?
-
We have used IP Alias for many years, so I cannot say that I saw any changes. But have you seen this document?
https://www.netgate.com/docs/pfsense/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual
I don't see anything that would suggest that your issue is known, but maybe another set of eyes...
-
Interesting, but after the upgrade I didn't see any ARP entries on the WAN with proxy ARP; I couldn't even ping the upstream gateway. Here is from your link:
If a particular configuration does not work with IP alias or Proxy ARP type VIPs, try with a CARP VIP instead, or vice versa. Address or wait out the potential ARP concerns before declaring one particular type a failure, and always be on the lookout for IP conflicts.
I didn't see any IP conflicts, but maybe the ARP table became corrupted.