4. simple NAT not working during outbound NAT part (for some VLAN, not ALL)

simple NAT not working during outbound NAT part (for some VLAN, not ALL)

  • X

    Hello I face a NAT problem I cannot solve actually, let say for instance SSH, but it is not protocol dependent.
    The FW two WAN interfaces re1 and re2, (re2 has the default gateway and is the main WAN, and has for instance ip 1.1.100.100)

    I have several networks behind my LAN interface, using VLAN :
    VLAN 3 (interface re0_vlan3) voip (server 172.16.3.1/24)
    VLAN 4 (interface re0_vlan4) backup (server 172.16.4.1/24)
    I use for my tests external ip for instance 2.2.200.200 (this IP has also an SSH server).

    The FW can NAT with no issue to my voip server.
    The FW can outbound connect from my backup server.
    both networks 172.16.3.0/24 and 172.16.4.0/24 occur in the list of networks taken into account for the automatic generation of outbound NAT

    But FW cannot NAT correctly to my backup server. With this NAT, all my Tests show packets going to the backup server and coming back. The issue is that during the outbound, when the packet arrives at re0_vlan4, ip part is something like this :
    172.16.4.1.22 -> 2.2.200.200.Port
    and when it jumps to WAN Address re2, the source address is unchanged !!!

    When things goes wright, that is for instance using the VOIP server
    the packet at re0_vlan3 has ip part
    172.16.3.1.22 -> 2.2.200.200.port
    and NAT involves the packet ip part to be changed to
    1.1.100.100.2222 -> 2.2.200.200.port

    Does someone would have an idea how I can interpret and how to solve this issue.
    Thanks in advance.

    PS : sorry for the eventual lacks of my explanation.

    0
  • X

    Sorry for information Pfsense version is 2.3.2-RELEASE.

    0
  • Rebel Alliance Developer Netgate

    You need to upgrade to a current supported release before anyone can help. You could be hitting a bug that was solved years ago.

    That said, it's possible there is an existing state for the exact port combination your server is trying to use, which makes it fail to create a new state, so the traffic exits without NAT applied. It's rare, but it happens sometimes, especially with server software that insists on using specific source ports. There isn't enough detail in your post to say for sure what's happening.

    Upgrading should be your first priority.

    0
  • X

    Thanks for your answer, Jimp.

    0
  • X

    I will do an upgrade for this FW ASAP, but as it is a production, I can't do that as quick as I want.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy