Netgate Discussion Forum
    simple NAT not working during outbound NAT part (for some VLAN, not ALL)

    5 Posts 2 Posters 376 Views
      Xourba

      Hello, I face a NAT problem I cannot solve actually; let's say for instance SSH, but it is not protocol dependent.
      The FW has two WAN interfaces, re1 and re2 (re2 has the default gateway and is the main WAN, and has for instance IP 1.1.100.100).

      I have several networks behind my LAN interface, using VLANs:
      VLAN 3 (interface re0_vlan3) voip (server 172.16.3.1/24)
      VLAN 4 (interface re0_vlan4) backup (server 172.16.4.1/24)
      I use for my tests external ip for instance 2.2.200.200 (this IP has also an SSH server).

      The FW can NAT with no issue to my voip server.
      The FW can outbound connect from my backup server.
      Both networks 172.16.3.0/24 and 172.16.4.0/24 appear in the list of networks taken into account for the automatic generation of outbound NAT.

      But the FW cannot NAT correctly to my backup server. With this NAT, all my tests show packets going to the backup server and coming back. The issue is that during the outbound, when the packet arrives at re0_vlan4, the IP part is something like this:
      172.16.4.1.22 -> 2.2.200.200.Port
      and when it jumps to WAN Address re2, the source address is unchanged !!!

      When things go right, that is for instance using the VOIP server,
      the packet at re0_vlan3 has ip part
      172.16.3.1.22 -> 2.2.200.200.port
      and NAT involves the packet ip part to be changed to
      1.1.100.100.2222 -> 2.2.200.200.port

      Would someone have an idea how I can interpret and how to solve this issue?
      Thanks in advance.

      PS: sorry for any shortcomings in my explanation.

        Xourba

        Sorry, for information: the pfSense version is 2.3.2-RELEASE.

          jimp (Rebel Alliance Developer, Netgate)

          You need to upgrade to a current supported release before anyone can help. You could be hitting a bug that was solved years ago.

          That said, it's possible there is an existing state for the exact port combination your server is trying to use, which makes it fail to create a new state, so the traffic exits without NAT applied. It's rare, but it happens sometimes, especially with server software that insists on using specific source ports. There isn't enough detail in your post to say for sure what's happening.

          Upgrading should be your first priority.

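As an added illustration of the state-collision explanation above (this is not code from the thread, from pfSense or from Netgate), the script below scans `pfctl -ss`-style state lines for two things: outbound states on a WAN interface whose source is still a private address with no translation shown, and reuse of the same inside src:port -> dst:port combination by more than one state. The sample lines, the interface names and the line format are constructed assumptions; adapt the regex if your pfctl output differs.

```python
import re
from ipaddress import ip_address

# Constructed sample in the style of `pfctl -ss` output (not captured from the poster's firewall).
# Assumed format: "<iface> <proto> <src>[ (<original-src>)] -> <dst> <status>".
SAMPLE_STATES = """\
re2 tcp 1.1.100.100:2222 (172.16.3.1:22) -> 2.2.200.200:50001       ESTABLISHED:ESTABLISHED
re2 tcp 172.16.4.1:22 -> 2.2.200.200:50002       ESTABLISHED:ESTABLISHED
re2 tcp 1.1.100.100:40000 (172.16.4.1:22) -> 2.2.200.200:50002       FIN_WAIT_2:FIN_WAIT_2
""".splitlines()

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\((?P<orig>\S+)\))?"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<status>\S+)$"
)

def parse_state(line):
    """Split one state line into its fields; 'natted' is True when a translated source is shown."""
    m = STATE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["natted"] = d["orig"] is not None
    return d

def find_unnatted(lines, wan_ifaces=("re1", "re2")):
    """States leaving a WAN interface from a private source with no translation applied."""
    out = []
    for line in lines:
        st = parse_state(line)
        if st is None or st["iface"] not in wan_ifaces or st["natted"]:
            continue
        host = st["src"].rsplit(":", 1)[0]
        if ip_address(host).is_private:
            out.append(st)
    return out

def find_collisions(lines):
    """Group states by the inside (proto, original src:port, dst:port); more than one means port reuse."""
    seen = {}
    for line in lines:
        st = parse_state(line)
        if st is None:
            continue
        inside = st["orig"] or st["src"]
        seen.setdefault((st["proto"], inside, st["dst"]), []).append(st["status"])
    return {key: statuses for key, statuses in seen.items() if len(statuses) > 1}
```

Run it against `pfctl -ss` output on the firewall itself; a hit in `find_unnatted` is the un-translated exit described above, and a hit in `find_collisions` shows which lingering state shares the port combination.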
            Xourba

            Thanks for your answer, Jimp.

              Xourba

              I will do an upgrade for this FW ASAP, but as it is in production, I can't do that as quickly as I want.
