Cannot get NAT to work



  • Hi all, I have this weird problem with NAT and hope folks can point me in the right direction.

    I am trying to port forward 32400 from the WAN side to port 32400 on an internal machine.

    Here's some background:

    • Internet is via a VDSL modem (bridged mode).
    • VDSL modem is connected to my atom box running pfSense (em0). This interface is using DHCP for both IPv4 and IPv6.
    • The Atom machine is a new install, but with an old config applied (I was running pfSense in a VM until a few weeks ago).
    • The pfSense box has a total of 6 ports. 4 are configured as lagg0 via LACP to a UniFi US-48 switch. This trunk has 1 VLAN untagged + 5 VLANs (tagged).
    • The Atom box is running pfBlockerNG-devel and haproxy-devel.
    • pfSense version is 2.4.4; haproxy-devel and pfBlockerNG-devel are both the latest versions.
    • HAProxy and NAT are both getting requests from the WAN and routing that traffic to a VLAN interface.
    • Under System -> Advanced -> Firewall & NAT: NAT reflection is set to Pure NAT, 1:1 is on, and so is automatic outbound NAT.
    • Under Firewall -> NAT -> Outbound: the mode is Hybrid Outbound NAT. In here I have a mapping so I can access my bridged modem via the modem's internal IP network.

    Now here's the funny bit. HAProxy works just fine, but NAT doesn't work in this setup.

    If I click on the associated FW rule and turn on logging, I can confirm from the firewall logs that it has passed (tick). But when I go to the forwarded VM and run netstat, I get this (xxx is my internal IP, while yyy is a public IPv4):

    192.168.xxx.xxx:32400   yyy.yyy.yyy.yyy:59310     SYN_RECV
    

    Now, here's the weird part. If I then go to Services -> Captive Portal, create a zone and delete it, NAT will work. Meanwhile HAProxy connections are wonky: sometimes everything works, but there are times when some backends work (and not others).

    And if I restart HAProxy (or the machine), NAT will break again.

    I'm guessing I may have tainted the setup of my box when I uploaded the config from my old pfSense setup?

    BTW, I have tried both haproxy and haproxy-devel; all seems to be the same. Both times, to get NAT working I need to create a captive portal zone and delete it again.

    The reason I played with Captive Portal is that I found a passing reference to people with NAT issues adding the IP into the allowed field, after which it all works again.

    I'm not sure if I should reinstall pfSense and configure from scratch, or configure captive portal (I don't really need this).

    Found a ticket here (https://redmine.pfsense.org/issues/8761) but can't tell if Acat L has created a thread on this or not (I tried searching to no avail).



  • Never mind. Found the problem.

    I'm trying to NAT to a host that's also used in HAProxy. Under HAProxy -> Backend -> Advanced settings, I had turned on Transparent ClientIP (so that my logs show the correct incoming IP).

    This messed up NAT. Turn Transparent ClientIP off and NAT works again.
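The symptom in the first post (the firewall log says the connection passed, yet the forwarded VM shows the public peer stuck in SYN_RECV) is the fingerprint of a broken return path: the SYN reached the host through the forward, the host sent its SYN-ACK, and the client never got it. That matches the resolution in the second post, because a transparent-proxy backend needs the backend's replies to be steered back through HAProxy, and a plain port forward to the same host then loses its SYN-ACKs. The script below is an added example, not code from the thread, pfSense or HAProxy. It parses Linux-style `netstat -tn` output (FreeBSD prints SYN_RCVD instead of SYN_RECV, so both are accepted), separates RFC 1918 peers from external ones, and reports whether the forwarded port is only ever half-open from the outside. The netstat sample, the port and the addresses are constructed for the example.

```python
"""Spot a forwarded port that is only ever half-open from the Internet.

Reads `netstat -tn` output, keeps only connections to the forwarded port,
splits peers into RFC 1918 (internal) and everything else (external), and
returns a verdict. External SYN_RECV with no external ESTABLISHED means the
SYN got in but the SYN-ACK never got out: a return-path problem on the
firewall, not a problem on the host.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample of Linux `netstat -tn` output, not the poster's real data.
# Three external peers are stuck half-open on 32400; a LAN peer is fine.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.10.20:32400     203.0.113.7:59310       SYN_RECV
tcp        0      0 192.168.10.20:32400     203.0.113.7:59312       SYN_RECV
tcp        0      0 192.168.10.20:32400     198.51.100.23:41022     SYN_RECV
tcp        0      0 192.168.10.20:32400     192.168.10.5:51230      ESTABLISHED
tcp        0      0 192.168.10.20:22        192.168.10.5:51102      ESTABLISHED
"""

# Linux reports SYN_RECV, FreeBSD reports SYN_RCVD; both are half-open.
HALF_OPEN = {"SYN_RECV", "SYN_RCVD"}

# RFC 1918 ranges checked explicitly: ipaddress.is_private also flags the
# documentation ranges (203.0.113.0/24 etc.), which we want to treat as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# proto recv-q send-q local:port foreign:port state   (IPv6 ':::22' also parses)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def is_internal(ip):
    """True if ip is inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def diagnose(text, forwarded_port):
    """Count connection states on forwarded_port by peer class and give a verdict."""
    external, internal = Counter(), Counter()
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if lport != forwarded_port:
            continue
        (internal if is_internal(rip) else external)[state] += 1

    half_open = sum(external[s] for s in HALF_OPEN)
    established = external["ESTABLISHED"]
    if half_open and not established:
        verdict = "return-path-broken"      # SYN arrives, SYN-ACK never reaches the client
    elif half_open:
        verdict = "partly-half-open"        # some clients complete, some do not
    elif established:
        verdict = "forward-ok"
    else:
        verdict = "no-external-traffic"     # nothing reached the host; check the firewall first
    return {"external": dict(external), "internal": dict(internal), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE_NETSTAT, 32400))
```

Run it against the real output with `netstat -tn | python3 diag.py`-style piping by replacing `SAMPLE_NETSTAT` with `sys.stdin.read()`. A `return-path-broken` verdict on a forwarded port whose firewall rule logs a pass tells you to look at what else on the firewall claims that backend's reply traffic (here, the HAProxy backend with Transparent ClientIP enabled) rather than at the host's service.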