Cannot get NAT to work



  • Hi all, I have this weird problem with NAT and hope folks can point me in the right direction.

    I am trying to port forward 32400 from the WAN side to 32400 on an internal machine.

    Here's some background:

    • Internet is via a VDSL modem (bridged mode).
    • VDSL modem is connected to my atom box running pfSense (em0). This interface is using DHCP for both IPv4 and IPv6.
    • Atom machine is a new install, but with an old config applied (was running pfSense in a VM until a few weeks ago)
    • pfSense box has a total of 6 ports. 4 are configured as Lagg0 via LACP to a Unifi US-48 switch. This trunk has 1 VLAN untagged + 5 VLANs (tagged).
    • Atom box is running pfBlockerng-devel and haProxy-devel
    • pfSense version is 2.4.4, haProxy-devel and pfBlockerNg-devel are both latest versions.
    • HAProxy and NAT are both getting requests from the WAN and route that traffic to a VLAN interface.
    • Under pfSense System -> Advanced -> Firewall & NAT config, NAT reflection is set to pure NAT, 1.1 is on, and so is automatic outbound NAT.
    • Under Firewall -> NAT -> Outbound, the mode is hybrid outbound. In here I have a mapping so I can access my bridged modem via the modem's internal IP network.

    Now here's the funny bit. HAProxy works just fine, but NAT doesn't work in this setup.

    If I click on the associated FW rule and turn on logging, I can confirm from the firewall logs that it has passed (tick). But when I go to the forwarded VM and run netstat, I get this (xxx is my internal IP, while yyy is a public IPv4):

    192.168.xxx.xxx:32400   yyy.yyy.yyy.yyy:59310     SYN_RECV
    

    Now, here's the weird part. If I then go to Servers -> Captive Portal, create a zone and delete it. NAT will work. Meanwhile HAProxy connections are wonky, sometimes everything works, but there are times when some backends will work (and not others).

    And if I restart HAProxy (or the machine), NAT will break again.

    I'm guessing I may have tainted the setup of my box when I uploaded the config from my old pfSense setup?

    BTW, I have tried both haproxy and haproxy-devel; all seem to be the same. Both times, to get NAT working I need to create a captive portal zone and delete it again.

    The reason I played with Captive Portal is that I found a passing reference to people with NAT issues adding the IP to the allowed field, after which it all works again.

    I'm not sure if I should reinstall pfSense and configure from scratch, or configure captive portal (I don't really need this).

    Found a ticket here (https://redmine.pfsense.org/issues/8761) but can't tell if Acat L has created a thread on this or not (I tried searching to no avail).



  • Never mind. Found the problem.

    I'm trying to NAT to a host that's also used in HAProxy. Under HAProxy/Backend/advanced settings, I have turned on Transparent Proxy (so that my logs show the correct incoming IP).

    This messed up NAT. Turn Transparent Client IP off and NAT works again.
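    Added example, not from either post: what the pfSense "Transparent ClientIP" backend checkbox turns into in haproxy.cfg, beside the same backend without it. The backend address, names and ports are constructed, and the comment on why the two clash is my reading of the SYN_RECV symptom above, not something the poster states.

    ```haproxy
    # Constructed example: a backend host that is reached both through HAProxy
    # and through a plain pfSense port forward on 32400 (the poster's case).
    # 192.168.50.10 is a made-up stand-in for the redacted 192.168.xxx.xxx.

    frontend tcp_in
        bind *:443
        mode tcp
        default_backend app_srv

    # BROKEN next to a port forward to the same host.
    # "Transparent ClientIP" in the pfSense GUI emits the "source ... usesrc
    # clientip" line: HAProxy opens the backend connection with the real
    # client's public address as source. On pfSense that only works because
    # the package adds a pf rule that diverts the backend's reply packets
    # (addressed to that public IP) back to the local socket. A connection
    # that arrived via the NAT port forward looks the same to that rule
    # (public source, same backend host/port), so the backend's SYN-ACK is
    # diverted locally instead of being sent back out the WAN. The client
    # never completes the handshake and the server sits in SYN_RECV.
    backend app_srv
        mode tcp
        source 0.0.0.0 usesrc clientip
        server app 192.168.50.10:32400 check

    # WORKS: HAProxy connects from its own interface address, so nothing is
    # diverted and the port forward's replies follow the normal NAT state.
    # The backend then logs the firewall's VLAN IP; if the real client
    # address matters, carry it in a header (HTTP mode) instead.
    backend app_srv_fixed
        mode http
        option forwardfor
        server app 192.168.50.10:32400 check
    ```

    Which of the two backends the frontend uses is what the Transparent ClientIP checkbox decides; with the port forward in place, only the second form leaves the NAT'd connection's replies untouched.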

