All Inbound NAT connections suddently not working
-
I'm on version 2.4.4-RELEASE-p1 (amd64). Topology consists of two WAN connections (one PPPoE, one Static IP). This have been working as is for several months. On the last 24 hours I determined that no inbound connections for services offered via NAT work. What have I tested so far:
-
Outbound (LAN>WAN) connectivity works.
-
No inbound connections succeed. This is the case regardless of the service offered (DVR, Web Server, IMAP Server, SMTP Server).
-
The services are working. E.g., They are accessible via LAN, email delivery to the outside world works.
-
I tested one of the WAN connections outside PFsense, by connecting the modem directly to a notebook, and running iperf3 between a third device (Smartphone on a 4G Network) and the notebook. The test was successful, so this rules out any blocking on the ISP/Modem.
-
I added logging the the auto-created firewall rule, and I noticed that the inbound connection gets a pass ('green check mark').
-
I used the packet capture tool and I see only packets from the external source. I see a SYN, and then a bunch of TCP Retransmissions, and finally the connection times out.
So what else should I try?
-
-
Are you testing from the LAN side or WAN side? Have you rebooted it? You might want to upgrade it since you're a bit behind the current version.
-
@ThaBozz said in All Inbound NAT connections suddently not working:
I used the packet capture tool and I see only packets from the external source. I see a SYN, and then a bunch of TCP Retransmissions, and finally the connection times out.
Did you packet capture on the inside interface to see if the SYN was being sent to the target server? That would be the next step there.
-
@KOM Yup, tried rebooting to no avail. Regarding the version - the web UI does not offer an option to upgrade. I see on the website that 2.4.4-p3 is available, but the dashboard states that 2.4.4-RELEASE-p1 is up to date. Strange. Maybe because it is a point release?
-
No, it should be offering you the p3 upgrade. Is this 32-bit?
Also, you didn't say whether you were doing your testing from your LAN or from the Internet.
-
There is no 32-bit 2.4.4-p1.
Sounds like you have plenty of stuff broken.
Can your firewall resolve names in Diagnostics > DNS Lookup?
If you Diagnostics > Test Port to files00.netgate.com port 443 does it work?
-
@KOM said in All Inbound NAT connections suddently not working:
No, it should be offering you the p3 upgrade. Is this 32-bit?
Also, you didn't say whether you were doing your testing from your LAN or from the Internet.
It is x86-64. All connection tests are being made from a the internet (Iperf3 -c running over LTE on a smartphone/notebook).
-
@Derelict said in All Inbound NAT connections suddently not working:
There is no 32-bit 2.4.4-p1.
Sounds like you have plenty of stuff broken.
Can your firewall resolve names in Diagnostics > DNS Lookup?
If you Diagnostics > Test Port to files00.netgate.com port 443 does it work?
Diagnostics > DNS Lookup for google.com
Result Record type
172.217.28.14 A
2800:3f0:4001:805::200e AAAA
Timings
Name server Query time
127.0.0.1 4 msec
8.8.4.4 3 msec
8.8.8.8 No responseDiagnostics > Test Port to files00.netgate.com port 443:
Port test to host: files00.netgate.com Port: 443 successful.
(Note: I have to specify WAN1 as the source address - if I let the combo box at "Any", it fails)
-
Yeah I don't like that 8.8.8.8 failing.
You probably want to look at how your DNS is configured vs and gateway monitor IP address vs any gateways set on the DNS Servers in System > General.
-
@ThaBozz Brainfart on my part. I forgot that x86 builds stopped with 2.3.5.
-
Ok, in the end I nuked everything from orbit and reconfigured from scratch. It is working fine. Thanks for all the help.
