VIPs & 1:1 NAT being Blocked by Anti-Spoof Rule
-
The background:
I am taking over the role of managing a pfSense XG-7100 that has been configured with VIPs and 1:1 NAT.
It seems the person before me was not as skilled in setting things up, so I am cleaning up issues with the router. In my cleaning I discovered VIPs were set to /32, instead of /24, and I fixed that.
The client was complaining of specific ports not going through the 1:1 NAT; and as an experiment, I created a port forward on top of the 1:1 and the ports started working. Weird... Remove the port forward and re-enable the same firewall rule, port is blocked. I know other ports work fine with the 1:1 + firewall rules, but when it's specifically port forwarded + matching rules it works 100%.
Additionally the client is mentioning a host with a VIP cannot reach certain sites from the LAN side of the router. The logs at the time indicated seeing the LAN IP of the device hitting the WAN interface on the pfSense. How the hell does that happen?!
-
You probably need to post your 1:1 NAT rules, port forward rules, and the rules on that WAN interface. Then be specific about what connections are not working, such as protocol, source address (outside is probably good enough) and destination address and port.
When connecting into WAN, the port forwards will be processed first, then 1:1 NAT. Note that 1:1 NAT does not automatically add WAN rules as port forwards can do. In either case the WAN rules need to pass to the post-NAT address/port (the real, listening address/port on the destination server).
Additionally the client is mentioning a host with a VIP cannot reach certain sites from the LAN side of the router. The logs at the time indicated seeing the LAN IP of the device hitting the WAN interface on the pfSense. How the hell does that happen?!
Probably Outbound NAT. I would separate these two issues and treat them separately.
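To make the ordering in the reply above concrete, here is a constructed pf ruleset fragment in the style pfSense writes to /tmp/rules.debug (FreeBSD pf syntax). It is an added illustration, not anything posted in this thread or taken from the XG-7100 in question; the interface name em0, the public 203.0.113.0/24 addresses and the 10.0.0.0/24 LAN are assumed for the example.

```pf
# Constructed example (not from the thread). Assumed: WAN is em0,
# public VIPs live in 203.0.113.0/24, the LAN is 10.0.0.0/24.

# --- Translation rules. pf runs these before any filter rule, so the
# --- WAN filter only ever sees the post-NAT (internal) address and port.

# Port forward. For an inbound packet pf tries rdr rules first, then binat,
# which is why a port forward laid over a 1:1 mapping wins for that port.
rdr on em0 proto tcp from any to 203.0.113.11 port 443 -> 10.0.0.11 port 443

# 1:1 NAT: inbound 203.0.113.10 -> 10.0.0.10, outbound 10.0.0.10 -> 203.0.113.10.
# binat adds NO filter rule of its own; the pass rule further down is hand-written.
binat on em0 from 10.0.0.10 to any -> 203.0.113.10

# Outbound NAT for the rest of the LAN. For outbound packets pf tries binat
# before nat; a packet matching neither leaves em0 with its private source.
nat on em0 from 10.0.0.0/24 to any -> (em0)

# --- Filter rules on WAN, written against post-NAT addresses.

# This is the rule the port-forward entry adds automatically.
pass in quick on em0 inet proto tcp from any to 10.0.0.11 port 443 flags S/SA keep state

# WRONG: matches the public VIP, which no longer appears once binat has run.
# pass in quick on em0 inet proto tcp from any to 203.0.113.10 port 22 flags S/SA keep state

# RIGHT: match the internal address the 1:1 mapping translates to.
pass in quick on em0 inet proto tcp from any to 10.0.0.10 port 22 flags S/SA keep state
```

On the box itself, `pfctl -sn` lists the loaded translation rules (rdr, binat, nat) in evaluation order and `pfctl -sr` lists the filter rules, so you can confirm that every WAN pass rule for a 1:1 host names the internal address and that an outbound translation rule actually covers the host whose LAN address is showing up on WAN.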