VIP traffic routing intermittently
-
Hi,
I've read the manual and many posts, but I can't seem to find anything that quite fits. I have a Netgate SG-3100 running 21.02.2-Release (arm) on FreeBSD 12.2-STABLE.
I have a static IP from my ISP that I (currently) have configured as an "Other" VIP, matched in 1:1 NAT to a single IP on my LAN. I have added a rule that passes (and logs) all traffic from any source to this LAN IP. There is no firewall running on the server.
Immediately after setting up the rule mentioned above, I can connect via ssh or http/s from the WAN to the correct server, but after a few minutes to hours, I am no longer able to connect.
When connectivity drops, I see that the packets reach the firewall WAN, because the rule logs the activity, but nothing reaches the server.
If I turn on Packet Capture on the LAN, filtering for port 22 to/from the correct IP, the capture shows my SSH attempts. However, tcpdump running on the LAN does not show any traffic from the firewall to the server, and nothing reaches the server.
If I attempt to connect from anywhere on the LAN to the server IP via ssh/http/s, I am successful and tcpdump shows the traffic.
If I modify the firewall rule created above (allowing all traffic from any source to the IP), traffic will again begin to flow, allowing connectivity, AND tcpdump will capture the LAN traffic between firewall and server, but within a few minutes/hours connectivity will be lost.
The most confusing aspect of this (to me) is that when connectivity is lost the firewall continues capturing packets on the LAN side that no other device on the LAN (including the relevant server) can see.
Can anyone suggest what I might try differently to get 1:1 NAT from a VIP to work consistently?
Color me flummoxed.
Thanks for your assistance.
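The diagnostic described above (firewall-side LAN capture sees the SSH packets, server-side tcpdump does not) can be made mechanical by comparing the two captures flow by flow. The script below is an added example, not code from the original poster or from Netgate; it assumes both captures were taken as `tcpdump -n` text output (so addresses and ports appear as `A.B.C.D.port`), and the sample lines, addresses and ports are constructed for illustration. It reports flows toward the server that appear in the firewall's LAN capture but never in the server's own capture, which is exactly the symptom being chased here.

```python
import re
from typing import List, Set, Tuple

# Constructed sample captures (not real data from the thread). Documentation
# ranges are used for the WAN client; 192.168.1.20 stands in for the server.
FIREWALL_LAN_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10.51234 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.51234 > 192.168.1.20.22: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 IP 192.168.1.30.44000 > 192.168.1.20.22: Flags [S], seq 9, win 64240, length 0
12:00:03.000500 IP 192.168.1.20.22 > 192.168.1.30.44000: Flags [S.], seq 100, ack 10, win 65160, length 0
"""

SERVER_CAPTURE = """\
12:00:03.000010 IP 192.168.1.30.44000 > 192.168.1.20.22: Flags [S], seq 9, win 64240, length 0
12:00:03.000400 IP 192.168.1.20.22 > 192.168.1.30.44000: Flags [S.], seq 100, ack 10, win 65160, length 0
"""

# Matches the IPv4/TCP portion of a `tcpdump -n` line: src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# A flow key: (src_ip, src_port, dst_ip, dst_port, tcp_flags). Timestamps and
# sequence numbers are deliberately dropped so retransmits and clock skew
# between the two capture points do not produce false mismatches.
Flow = Tuple[str, int, str, int, str]


def parse_flows(text: str) -> Set[Flow]:
    """Reduce tcpdump text output to the set of distinct flow keys it contains."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-TCP or non-IPv4 lines are ignored
        src, sport, dst, dport, flags = m.groups()
        flows.add((src, int(sport), dst, int(dport), flags))
    return flows


def missing_on_server(firewall_text: str, server_text: str,
                      server_ip: str, port: int) -> List[Flow]:
    """Flows destined to server_ip:port seen by the firewall's LAN capture
    but absent from the capture taken on the server itself."""
    toward_server = {
        f for f in parse_flows(firewall_text) if f[2] == server_ip and f[3] == port
    }
    return sorted(toward_server - parse_flows(server_text))


def affected_sources(missing: List[Flow]) -> Set[str]:
    """Source addresses whose packets vanish between firewall and server."""
    return {f[0] for f in missing}


if __name__ == "__main__":
    lost = missing_on_server(FIREWALL_LAN_CAPTURE, SERVER_CAPTURE, "192.168.1.20", 22)
    for src, sport, dst, dport, flags in lost:
        print(f"seen at firewall only: {src}:{sport} -> {dst}:{dport} [{flags}]")
    print("affected sources:", ", ".join(sorted(affected_sources(lost))))
```

In the constructed sample the LAN-to-LAN SSH handshake shows up on both sides, while the WAN client's SYN (the 1:1 NAT-translated traffic) is only ever seen by the firewall, which matches the behaviour described in the post. Running the same comparison against real captures from both points gives a concrete list of which sources are affected rather than a single "it stopped working".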
-
@wineguy This problem with VIP seems to be common.
I just reported a similar case here - https://forum.netgate.com/topic/163533/virtual-ip-consistently-loses-connection.