Cannot get NAT to work
-
Hi all, I have this weird problem with NAT and hope folks can point me in the right direction.
I am trying to port forward 32400 from the WAN side to 32400 on an internal machine.
Here's some background:
- Internet is via a VDSL modem (bridged mode).
- VDSL modem is connected to my atom box running pfSense (em0). This interface is using DHCP for both IPv4 and IPv6.
- Atom machine is a new install, but with an old config applied (was running pfSense in a VM until a few weeks ago)
- pfSense box has a total of 6 ports. 4 are configured as lagg0 via LACP to a UniFi US-48 switch. This trunk has 1 VLAN untagged + 5 VLANs (tagged).
- Atom box is running pfBlockerNG-devel and HAProxy-devel.
- pfSense version is 2.4.4; HAProxy-devel and pfBlockerNG-devel are both the latest versions.
- HAProxy and NAT are both getting requests from the WAN and route that traffic to a VLAN interface.
- Under System -> Advanced -> Firewall & NAT: NAT reflection is set to Pure NAT, 1:1 reflection is on, and so is automatic outbound NAT.
- Under Firewall -> NAT -> Outbound, the mode is hybrid outbound. In here I have a mapping so I can access my bridged modem via the modem's internal IP network.
Now here's the funny bit. HAProxy works just fine, but NAT doesn't work in this setup.
If I click on the associated FW rule and turn on logging, I can confirm from the firewall logs that it has passed (tick). But when I go to the forwarded VM and run netstat, I get this (xxx is my internal IP, while yyy is a public IPv4 address):
192.168.xxx.xxx:32400 yyy.yyy.yyy.yyy:59310 SYN_RECV
Now, here's the weird part. If I then go to Services -> Captive Portal, create a zone and delete it, NAT will work. Meanwhile HAProxy connections are wonky: sometimes everything works, but there are times when some backends will work (and not others).
And if I restart HAProxy (or the machine), NAT will break again.
I'm guessing I may have tainted the setup of my box when I uploaded the config from my old pfSense setup?
BTW, I have tried both haproxy and haproxy-devel; both seem to behave the same. Both times, to get NAT working I need to create a captive portal zone and delete it again.
The reason I played with Captive Portal is that I found a passing reference to people with NAT issues adding the IP to the allowed field, after which it all worked again.
I'm not sure if I should reinstall pfSense and configure from scratch, or configure Captive Portal (I don't really need this).
Found a ticket here (https://redmine.pfsense.org/issues/8761) but can't tell if Acat L has created a thread on this or not (I tried searching, to no avail).
-
Never mind. Found the problem.
I'm trying to NAT to a host that's also used in HAProxy. Under HAProxy -> Backend -> Advanced settings, I had turned on Transparent Proxy (so that my logs show the correct incoming IP).
This messed up NAT. With Transparent ClientIP turned off, NAT works again.
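As an added illustration (not from the original poster or the pfSense project), the two backend variants below show the difference in plain haproxy.cfg syntax. It is my assumption that the pfSense package's "Transparent ClientIP" checkbox emits HAProxy's `source ... usesrc clientip` directive; the backend name, the internal address 192.168.10.20 and the use of HTTP mode are made up for the example.

```haproxy
# Variant 1 (assumed equivalent of Transparent ClientIP = on).
# HAProxy opens the connection to the server using the original client
# address as its source, so the server's replies must be steered back to
# HAProxy by the firewall. In the thread above this setting is what
# broke the plain port forward to the same host: forwarded connections
# stalled in SYN_RECV until the option was switched off.
backend plex_transparent
    mode http
    server plex 192.168.10.20:32400 check   # hypothetical internal host
    source 0.0.0.0 usesrc clientip

# Variant 2 (Transparent ClientIP = off).
# HAProxy connects from its own address, and a separate port forward to
# 192.168.10.20:32400 can coexist with it. The client address the
# poster wanted in the logs can still be passed to an HTTP backend via
# the X-Forwarded-For header instead of transparent proxying.
backend plex_plain
    mode http
    option forwardfor
    server plex 192.168.10.20:32400 check   # hypothetical internal host
```

The second variant only preserves the client address for HTTP backends (the header has to be read by the application); for a TCP-mode backend there is no equivalent header, and transparent mode or a PROXY-protocol-aware server are the remaining options.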