Netgate Discussion Forum

    Cannot get NAT to work

    General pfSense Questions
    myrantz

      Hi all, I have this weird problem with NAT and hope folks can point me in the right direction.

      I am trying to port forward 32400 from the WAN side to port 32400 on an internal machine.

      Here's some background:

      • Internet is via a VDSL modem (bridged mode).
      • The VDSL modem is connected to my Atom box running pfSense (em0). This interface is using DHCP for both IPv4 and IPv6.
      • The Atom machine is a new install, but with an old config applied (I was running pfSense in a VM until a few weeks ago).
      • The pfSense box has a total of 6 ports. 4 are configured as lagg0 via LACP to a UniFi US-48 switch. This trunk has 1 VLAN untagged + 5 VLANs (tagged).
      • The Atom box is running pfBlockerNG-devel and haproxy-devel.
      • pfSense version is 2.4.4; haproxy-devel and pfBlockerNG-devel are both the latest versions.
      • HAProxy and NAT are both getting requests from the WAN and routing that traffic to a VLAN interface.
      • Under pfSense System -> Advanced -> Firewall & NAT, NAT reflection is set to Pure NAT, 1:1 is on, and so is automatic outbound NAT.
      • Under Firewall -> NAT -> Outbound, the mode is Hybrid Outbound. In here I have a mapping so I can access my bridged modem via the modem's internal IP network.

      Now here's the funny bit. HAProxy works just fine, but NAT doesn't work in this setup.

      If I click on the associated FW rule and turn on logging, I can confirm from the firewall logs that it has passed (tick). But when I go to the forwarded VM and run netstat, I get this (xxx is my internal IP, while yyy is a public IPv4):

      192.168.xxx.xxx:32400   yyy.yyy.yyy.yyy:59310     SYN_RECV
      

      Now, here's the weird part. If I then go to Services -> Captive Portal, create a zone and delete it, NAT will work. Meanwhile HAProxy connections are wonky: sometimes everything works, but there are times when some backends will work (and not others).

      And if I restart HAProxy (or the machine), NAT will break again.

      I'm guessing I may have tainted the setup of my box when I uploaded the config from my old pfSense setup?

      BTW, I have tried both haproxy and haproxy-devel; both behave the same. Both times, to get NAT working I need to create a Captive Portal zone and delete it again.

      The reason I played with Captive Portal is that I found a passing reference to people with NAT issues adding the IP into the allowed field, after which it all worked again.

      I'm not sure if I should reinstall pfSense and configure from scratch, or configure captive portal (I don't really need this).

      Found a ticket here (https://redmine.pfsense.org/issues/8761) but can't tell if Acat L has created a thread on this or not (I tried searching to no avail).

        myrantz

        Never mind. Found the problem.

        I'm trying to NAT to a host that's also used in HAProxy. Under HAProxy -> Backend -> Advanced settings, I had turned on Transparent Proxy (so that my logs show the correct incoming IP).

        This messed up NAT. Turn Transparent ClientIP off and NAT works again.

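The collision the second post identifies (a port forward to a host that is also an HAProxy backend with Transparent ClientIP on) is easy to introduce again later. The script below is an added example, not code from the thread or from the pfSense or HAProxy packages: it parses a generated haproxy.cfg and a pfSense config.xml and lists every port forward whose target host is also a transparent-proxy backend. Two assumptions are mine: that the package's Transparent ClientIP option appears in haproxy.cfg as `usesrc clientip`, either on a backend-level `source` line or appended to a `server` line (both are valid HAProxy syntax), and that port forwards sit in config.xml under `<nat><rule>` with `<target>` and `<local-port>` elements. The sample configs are constructed.

```python
"""Flag hosts that are both a pfSense NAT port-forward target and an HAProxy
transparent-proxy backend (the conflict reported in the thread).

Assumptions (mine, not taken from the thread or the packages):
  * "Transparent ClientIP" shows up in the generated haproxy.cfg as
    'usesrc clientip', on a backend-level 'source' line or on a 'server' line;
  * pfSense port forwards live in config.xml under <nat><rule> with a
    <target> host and a <local-port>.
IPv4 hosts only; '[v6]:port' server lines are not parsed.
"""
import re
import xml.etree.ElementTree as ET

SECTION = re.compile(r'^(global|defaults|frontend|backend|listen)\b\s*(\S*)')
SERVER = re.compile(r'^server\s+(?P<name>\S+)\s+(?P<host>[^\s:]+)(?::\d+)?(?P<opts>.*)$')
USESRC = re.compile(r'\busesrc\s+clientip\b')


def haproxy_transparent_backends(cfg_text):
    """Return {section_name: {server_host, ...}} for every backend/listen
    section whose servers are reached with the client's IP as source."""
    sections = []   # [name, section_is_transparent, [(host, server_is_transparent)]]
    for raw in cfg_text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        hdr = SECTION.match(line)
        if hdr:
            kind, name = hdr.groups()
            # only backend/listen sections carry the server lines we care about
            sections.append([name, False, []] if kind in ('backend', 'listen') else None)
            continue
        cur = sections[-1] if sections else None
        if cur is None:
            continue
        if re.match(r'^source\b', line) and USESRC.search(line):
            cur[1] = True                            # whole section is transparent
        srv = SERVER.match(line)
        if srv:
            cur[2].append((srv.group('host'), bool(USESRC.search(srv.group('opts')))))
    result = {}
    for sec in sections:
        if sec is None:
            continue
        name, section_flag, servers = sec
        hosts = {host for host, server_flag in servers if section_flag or server_flag}
        if hosts:
            result[name] = hosts
    return result


def pfsense_nat_targets(config_xml):
    """Return the port forwards in a pfSense config.xml as a list of dicts."""
    root = ET.fromstring(config_xml)
    forwards = []
    for rule in root.findall('./nat/rule'):
        target = rule.findtext('target')
        if not target:
            continue                                  # malformed/odd entry, skip
        forwards.append({
            'target': target.strip(),
            'local_port': (rule.findtext('local-port') or '').strip(),
            'protocol': (rule.findtext('protocol') or '').strip(),
            'descr': (rule.findtext('descr') or '').strip(),
        })
    return forwards


def find_conflicts(cfg_text, config_xml):
    """Port forwards whose target host is also a transparent-proxy backend.
    The thread reports such forwards stall (backend stuck in SYN_RECV) while
    the transparent option is on, so each hit is worth a second look."""
    transparent = haproxy_transparent_backends(cfg_text)
    conflicts = []
    for fwd in pfsense_nat_targets(config_xml):
        for backend, hosts in sorted(transparent.items()):
            if fwd['target'] in hosts:
                conflicts.append(dict(fwd, backend=backend))
    return conflicts


# Constructed sample inputs, shaped like what the two tools generate.
SAMPLE_HAPROXY_CFG = """\
global
    log /var/run/log local0
defaults
    mode http
    timeout connect 5s
frontend https_in
    bind 0.0.0.0:443
    default_backend plex
backend plex
    mode http
    source 0.0.0.0 usesrc clientip   # Transparent ClientIP on
    server plex1 192.168.20.10:32400 check
backend wiki
    mode http
    server wiki1 192.168.20.11:8080 check
"""

SAMPLE_CONFIG_XML = """\
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <target>192.168.20.10</target>
      <local-port>32400</local-port>
      <descr>Plex direct</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <target>192.168.20.12</target>
      <local-port>22</local-port>
      <descr>ssh jump</descr>
    </rule>
  </nat>
</pfsense>
"""

if __name__ == '__main__':
    for c in find_conflicts(SAMPLE_HAPROXY_CFG, SAMPLE_CONFIG_XML):
        print(f"forward '{c['descr']}' -> {c['target']}:{c['local_port']} "
              f"collides with transparent backend '{c['backend']}'")
```

Point it at the haproxy.cfg the package generates and a config.xml backup; a hit means either the forward or the backend's Transparent ClientIP setting has to go, which is exactly the choice the second post ended up making.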
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.