NAT broken for a single rule
-
I'm having a hard time getting to my email server from outside. There's full connectivity from point to point but traffic doesn't even appear in the logs.
This is the topology:
(Sorry for the ugly map, I only have Visio and Illustrator via RDS and I suck at both.) From my current workstation I can SSH into the public gateway, about 4 routers out through the tunnel, and ping back to the edge. I can SSH to the gateway via the public network (using cellular or another tunnel) and ping the edge.
I can access locally hosted websites, all need to pass through HAProxy just as the MX traffic without issues.
I can telnet (:25) to the mail server, the relay servers and the public interface of the proxy server, all successfully, but not to the edge firewall. I am positive the problem is at that point, but without logs I'm sort of lost.
I took packet captures on both sides: I see packets bound for TCP 25 arrive, but they don't exit further into the network. Besides the remote gateway, this router is the only point where NAT is running; everything inside is routed.
NAT:
Inbound firewall (interface rules):
Outbound NAT:
As proof that things should work, here are these screenshots, hosted on these servers following the same path up to almost the last link.
The only thing I could think of was Suricata, but I ruled it out by uninstalling it.
Any ideas what's going on? I have no email--well, inbound email. :(
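The diagnostic the post describes, comparing a capture on the outside of the NAT box with one on the inside to find TCP 25 connections that arrive but are never forwarded, can be scripted. The following is an added example, not code from the post or from pfSense; it parses constructed tcpdump-style summary lines (the addresses 198.51.100.5, 10.0.0.25, 10.0.0.20 and 203.0.113.x are placeholders), and reports each inbound SYN to the WAN address that has no matching SYN to the internal host, which is exactly the "arrives but doesn't exit" symptom.

```python
import re
from dataclasses import dataclass

# Matches the start of a tcpdump "-n" summary line for a TCP packet, e.g.
# 12:00:01.000001 IP 203.0.113.10.51000 > 198.51.100.5.25: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


@dataclass(frozen=True)
class Pkt:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse(lines):
    """Parse tcpdump summary lines into Pkt records; non-TCP or unparseable lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["ts"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def syns_to(pkts, dst_ip, port):
    """Set of (client_ip, client_port) for pure SYNs (flags exactly 'S') aimed at dst_ip:port."""
    return {(p.src, p.sport) for p in pkts
            if p.dst == dst_ip and p.dport == port and p.flags == "S"}


def untranslated_syns(wan_lines, lan_lines, wan_ip, internal_ip, port=25):
    """Connections that hit wan_ip:port on the outside capture but never show up
    as a SYN to internal_ip:port on the inside capture, i.e. the port forward
    did not translate them. Returned sorted for stable output."""
    outside = syns_to(parse(wan_lines), wan_ip, port)
    inside = syns_to(parse(lan_lines), internal_ip, port)
    return sorted(outside - inside)


# Constructed sample captures (hypothetical; not from the poster's environment).
# Outside capture: two SMTP clients and one HTTPS client reach the WAN address.
WAN_SAMPLE = [
    "12:00:01.000001 IP 203.0.113.10.51000 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000500 IP 203.0.113.10.51000 > 198.51.100.5.25: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000001 IP 203.0.113.20.52000 > 198.51.100.5.25: Flags [S], seq 9, win 64240, length 0",
    "12:00:03.000001 IP 203.0.113.30.53000 > 198.51.100.5.443: Flags [S], seq 4, win 64240, length 0",
    "12:00:03.000200 IP 198.51.100.5.443 > 203.0.113.30.53000: Flags [S.], seq 7, ack 5, win 65160, length 0",
]
# Inside capture: the HTTPS SYN and one of the SMTP SYNs were forwarded, one SMTP SYN vanished.
LAN_SAMPLE = [
    "12:00:02.000100 IP 203.0.113.20.52000 > 10.0.0.25.25: Flags [S], seq 9, win 64240, length 0",
    "12:00:03.000100 IP 203.0.113.30.53000 > 10.0.0.20.443: Flags [S], seq 4, win 64240, length 0",
]

if __name__ == "__main__":
    missing = untranslated_syns(WAN_SAMPLE, LAN_SAMPLE, "198.51.100.5", "10.0.0.25", port=25)
    for client_ip, client_port in missing:
        print(f"TCP/25 SYN from {client_ip}:{client_port} reached the WAN but was never forwarded")
    ok = untranslated_syns(WAN_SAMPLE, LAN_SAMPLE, "198.51.100.5", "10.0.0.20", port=443)
    print("HTTPS forward:", "all SYNs translated" if not ok else ok)
```

Feed it real captures with `tcpdump -n -i <wan_if> 'tcp port 25'` on the outside and the equivalent on the inside interface; an empty result for a port means every connection that arrived was translated, so the fault lies beyond the NAT box, while a non-empty result points at the forward or the state table on the firewall itself.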
-
After reordering the rules I got this:
I edited the NAT rule to change the destination for a random entry from the list, saved, applied and came to the interface rules to verify the rule was indeed linked and yeah--it changed to the random value. Then I changed it back to what's supposed to be the correct thing and WAN_HE address chose itself again!
It was playing hide-n-seek. I duplicated one of the other rules, changed the port, saved, applied, SSHed, telnetted in and... it tells me to hit it straight away. But that's good news, it didn't even respond before! :D
It was just some random bug. :)
-
After the update to 2.5.1 everything broke down again. Now no NAT port mappings work; the firewall rules work correctly, but the actual mapping of the ports doesn't.
I'm going to have to suck it up and deal with MikroTik CHR's rule system, because from experience I know that if I downgrade I won't be able to reinstall the old extra packages again. Maybe I could switch places with the proxy, which is still on 2.5.0. IDK. I'm tired. :(
Good luck to everyone else, it seems I'm not alone from today's new posts.
-
@skilledinept I don't know if you've read this, but: https://redmine.pfsense.org/issues/11805
Switching the default route worked for my NATs that stopped working with 2.5.1. But yeah, 2.5.1 made a huge mess.
-
Have you tried removing the GWs on the rules and letting the FW handle them by itself?