NAT 1:1 issue



  • It doesn't seem to work

    I have a /29 subnet (255.255.255.248)

    pfsense is x.x.x.185
    1:1 nat is x.x.x.186

    I go to 1:1 NAT
    Set x.x.x.186 as external
    Set 10.0.3.1 as internal (both with /32)

    Doesn't work, my IP is still x.x.x.185
    And I can't ping x.x.x.186

    ???



  • @charles.regan:

    It doesn't seem to work

    I have a /29 subnet (255.255.255.248)

    pfsense is x.x.x.185
    1:1 nat is x.x.x.186

    I go to 1:1 NAT
    Set x.x.x.186 as external
    Set 10.0.1.254 as internal (both with /32)

    Doesn't work, my IP is still x.x.x.185
    And I can't ping x.x.x.186

    ???

    Please show me the related entries (binat) from /tmp/rules.debug



  • binat on rl1 from 10.0.3.1/32 to any -> 111.111.134.186/32



  • @charles.regan:

    I go to 1:1 NAT
    Set x.x.x.186 as external
    Set 10.0.3.1 as internal (both with /32)

    You have to add a new Virtual IP (type: proxy arp, IP x.x.x.186/32) in Firewall->Virtual IPs.
    Also you should add a firewall rule to allow traffic from * to 10.0.3.1 on the WAN interface, so the machine can be accessible from the internet.
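    The two checks in the reply above (a binat mapping exists, and a WAN pass rule targets the internal address, since binat translation happens before filtering) can be scripted against the lines pfSense writes to /tmp/rules.debug. The following is an added example, not part of this thread or of pfSense itself; the sample rule text is constructed in the style of the binat line posted earlier, and the exact rules.debug line layout it parses is an assumption. It reports every 1:1 mapping whose internal host has no inbound pass rule on the same interface, which is the state the original poster was in.

```python
import ipaddress
import re

# Constructed sample, written in the style of the binat and pass lines pfSense
# puts in /tmp/rules.debug (assumed layout; not copied from a real system).
# The first mapping has matching WAN pass rules; the second has none, which is
# the "1:1 NAT configured but nothing reachable" state described in the thread.
SAMPLE_RULES = """\
# 1:1 NAT
binat on rl1 from 10.0.3.1/32 to any -> 111.111.134.186/32
binat on rl1 from 10.0.3.2/32 to any -> 111.111.134.187/32
# WAN rules
pass in quick on rl1 proto tcp from any to 10.0.3.1 port 80 keep state
pass in quick on rl1 proto tcp from any to 10.0.3.1 port 443 keep state
block in on rl1 all
"""

BINAT_RE = re.compile(
    r"^binat\s+on\s+(?P<iface>\S+)\s+from\s+(?P<internal>\S+)\s+to\s+any\s+->\s+(?P<external>\S+)"
)
PASS_IN_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)\b.*?\bto\s+(?P<dest>\S+)"
)


def parse_binat(rules_text):
    """Return (iface, internal_net, external_net) for every binat line."""
    mappings = []
    for line in rules_text.splitlines():
        m = BINAT_RE.match(line.strip())
        if m:
            mappings.append((m["iface"],
                             ipaddress.ip_network(m["internal"], strict=False),
                             ipaddress.ip_network(m["external"], strict=False)))
    return mappings


def parse_pass_in(rules_text):
    """Return (iface, dest_text) for every inbound pass rule."""
    rules = []
    for line in rules_text.splitlines():
        m = PASS_IN_RE.match(line.strip())
        if m:
            rules.append((m["iface"], m["dest"]))
    return rules


def _dest_covers(dest_text, internal_net):
    """True if a rule destination ('any' or an address/CIDR) reaches the internal host."""
    if dest_text == "any":
        return True
    try:
        return ipaddress.ip_network(dest_text, strict=False).overlaps(internal_net)
    except ValueError:
        # Aliases and macros are not resolved here; treat them as not matching.
        return False


def blocked_mappings(rules_text):
    """Return [(internal, external)] for binat mappings that have no inbound
    pass rule on the same interface whose destination covers the internal host."""
    passes = parse_pass_in(rules_text)
    missing = []
    for iface, internal, external in parse_binat(rules_text):
        if not any(p_iface == iface and _dest_covers(dest, internal)
                   for p_iface, dest in passes):
            missing.append((str(internal), str(external)))
    return missing


if __name__ == "__main__":
    for internal, external in blocked_mappings(SAMPLE_RULES):
        print(f"{external} -> {internal}: no inbound pass rule on that interface, "
              f"inbound traffic will hit the default block")
```

The script only covers the firewall-rule half of the advice; whether a proxy ARP Virtual IP exists for the external address is not visible in the pf rules and has to be checked in Firewall->Virtual IPs (or, from the LAN side, by confirming the external address now answers ARP on the WAN segment).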



  • @m1s1u:

    @charles.regan:

    I go to 1:1 NAT
    Set x.x.x.186 as external
    Set 10.0.3.1 as internal (both with /32)

    You have to add a new Virtual IP (type: proxy arp, IP x.x.x.186/32) in Firewall->Virtual IPs.
    Also you should add a firewall rule to allow traffic from * to 10.0.3.1 on the WAN interface, so the machine can be accessible from the internet.

    Oh-man.
    That was also what was missing at my setup.

    Thanks a lot!

    cheers,
    Rainer



  • It's always astonishing how things start working automagically when you do it right  ;D

    We have to start documenting things soon  ;)



  • Yes it works!  :) Thanks a lot!



  • Hoba… any chance that 1:1 NAT can get some scripting to open up the firewall (with a check box to opt out) and automatic adding of a virtual IP? It would be nice to reduce the number of steps which would reduce the amount of needed documentation.



  • What you are talking about is something like a wizard that goes through the 3 steps:

    1: Ask for external IP and set up the Virtual IP for it with checkbox PARP/CARP/Other
    2: Ask for internal IP and create a 1:1 for the VIP and the Internal IP
    3: Ask which ports/ranges to open for that mapping

    Atm only the trafficshaper and the initial wizard are available, but there are many more things where a wizard might make sense. We should consider more wizards for pfSense 1.1  ;D



  • I was thinking more along the lines of the current 1:1 NAT 'add' page but with an unchecked check box that says "create firewall rule to allow all traffic to pass through this NAT mapping". I suppose similar to a DMZ. In the background process the additional virtual IP would be added based on the WAN IP address field. No three part wizard needed in this case. Just a check box and some code to generate the Virtual IP address and firewall rule. –just my 2c



  • New discovery; I found that you must add the 1:1 NAT translations BEFORE adding the Virtual IPs. It seems to matter, though I wouldn't have expected it to.

    Also… it seems that I have lost NAT reflection. If I am at {204.10.2.125 mapped to 10.0.2.150} and I try to access {204.10.2.123 which maps to 10.0.2.80 on port 9000} it won't work. My situation is slightly more complicated than above, but I have another pfSense router that is doing the same and the address that I am trying from is NOT 1:1 mapped. (yes, the 'disable reflection' check box is not checked) Is this a bug? What can I look at or how can I test it?



  • NAT Reflection only will be allowed for up to 19000 forwarded ports (I think that is the value we limited it to for some reason). A 1:1 mapping would for sure exceed that range. NAT Reflection isn't done for 1:1s.
    Single port or range portforwards should still work I think unless you exceed the above mentioned limit.

    The order in which you create the 1:1/VIP shouldn't matter. That one needs checking then.



  • NAT reflection is not applied for 1:1.  Too many ports redirected (all of them).



  • I use NAT a lot, but there are obviously lots of things that I don't understand about it. I hope that this reflection issue can be resolved. I haven't experienced such a problem on other platforms (2 linux based and 2 Cisco) so I would guess that this isn't insurmountable. I don't really understand this 19000 port restriction. Are these numbers of ports?

    I was expecting that if a LAN client asks for a web page from one of the Virtual IP addresses, the packets for the request would go from the LAN client to the router; the router would then see that the destination was one of its own VIPs and then redirect the packets back to the LAN server; then the requested packet would go from the LAN server to the router. Seeing that the request came from the router's own primary IP, it would then consult the NAT tables to see where the original request came from. Am I off the mark on how this works?

    Maybe I am using the wrong terminology. The main point is that if the LAN client is mobile and is sometimes coming from the WAN (me at home versus me at the Office), it shouldn't have to use two separate IP addresses, right? I have problems with other LAN IP addresses not reflecting in cases where they are NOT 1:1 NAT'd, too.



  • Can I use the firewall to force the not reflected NAT traffic upstream to the next router which would then send the packets back at it via the VIP?



  • Are you sure that you are referring to nat reflection correctly?

    http://www.openbsd.org/faq/pf/rdr.html#reflect



  • @sullrich:

    Are you sure that you are referring to nat reflection correctly?

    http://www.openbsd.org/faq/pf/rdr.html#reflect

    If you are asking whether the above link represents what I am trying, then yes, I think. With the exception that I am not just talking about a single port mapping but 1:1 NATing. The link does describe what I am experiencing.



  • Hello there, I am having a similar problem with NAT 1:1 and Reflection. I cannot access any of my virtual IP addresses that are set up in NAT 1:1 even with NAT Reflection enabled.

    Hopefully someone can clarify, from what I can tell from the forum and other responses is it true that NAT Reflection will NOT work on Virtual IP Addresses that have been assigned through NAT 1:1, BUT it will work on any addresses you setup within NAT port Forwarding?

    So if you want to be able to access External/Virtual IP addresses from within the LAN is it true you need to

    1. Enable NAT Reflection and
    2. Make sure, if those addresses are using NAT, the ports you are accessing internally are set up within NAT Port Forwarding for those you are accessing?

    Thanks in advance for any clarification you guys can provide on this!



  • @cardinalweb:

    Hopefully someone can clarify, from what I can tell from the forum and other responses is it true that NAT Reflection will NOT work on Virtual IP Addresses that have been assigned through NAT 1:1, BUT it will work on any addresses you setup within NAT port Forwarding?

    That's correct.

    I'm locking this thread though, since it discusses issues from about a year and a half ago; it's largely no longer relevant to any currently supported versions. If you have further questions please start a new thread.

