Outbound NAT - this shouldn't be this hard
-
What in the world? My outbound NAT problems are causing me to be in hell today.
I have this setup on a single WAN with multiple VIP's to different servers on the LAN but today, I have a DUAL WAN setup and one interface having VIP's to LAN servers and I can not for the life of me get outbound NAT working. It's maddening.
I first go to:
Firewall > NAT > Outbound. I then enabled "hybrid". I make a rule that says: Interface is OPT (ATT in this case and not WAN - eth0) > Source: My private IP of the server / 32 > NAT address: The public VIP on the ATT (OPT) interface.
Then I test. NOPE! It is getting the WAN address on eth0 to Charter and NOT the ATT. What in the H - E - double hockey sticks?
So...then I'm like, OK. Google Google Google...then I go to System > Advanced > Firewall & NAT. I tick: "Enable automatic outbound NAT for Reflection"
I read the note, needs a manual rule, etc.
Still no worky. I still get the Charter public IP. I also tried making a 1:1 NAT rule. Nada, server won't even get out the door at this point either. So then I made a LAN rule that forces this thing out of the ATT gateway under the LAN advanced options of my rule telling the private IP to use the ATT gateway.
Still no worky.
Seriously, with a single WAN this works. Dual WAN it no work.
Now the LAN rule I had working (in one of my configs) to make the server use the ATT gateway doesn't work when 1:1 NAT is enabled.
All I want in life is to get out of jail and have my firewall work lol.
Dual WAN (Charter WAN & ATT OPT) > NAT one server on one LAN IP from Charter > Server 1 (that works) > NAT one server on one LAN IP from ATT > Server 2.
This by the way is in a fail over config so Charter is the primary Tier 1 and ATT is set as Tier 3. The fail over works.
Anyone have any advice? I've been through the documents on this too with respect to policy routing, 1:1: NAT and outbound NAT but I'm not getting anywhere!
2.5.1-RELEASE (amd64)
built on Mon Apr 12 07:50:14 EDT 2021
FreeBSD 12.2-STABLEAny help is appreciated! Thanks!
-
Some known issue with multiple wan
https://redmine.pfsense.org/issues/11805
Fix is to go to 2.6 dev versions
-
@johnpoz Please stop telling people that the fix is to run a DEVELOPMENT version in production environment! If anything the fix is downgrade to 2.4.5 p1 till it pleases Netgate to release a proper version where this bug is fixed. That is the decent thing to do.
pFsense 2.5.2 CE
-
This is the first person I have mentioned this bug report too.. Just summarized the bug report, its been fixed in 2.6 dev..
He can do whatever he wants. But it is fixed in 2.6 per the bug report.
Where did he state this was production btw? For we know this is his lab..
If this was actual "production" why is he on 2.5.1 without through testing of it, etc. And he should of fell back to his previous install as soon as it wasn't working within his change window.
When we do an update to any system "in production" validation occurs during the change window, and if does not pass - fall back is required, etc.
-
@johnpoz Thanks for that note! That explains a lot.
So...as broken as PFSense seems to always be these days I guess it's now "enterprise" LOL.
-
@johnpoz Thanks again for the post. I upgraded to devel 2.6 and tried it. Traffic on the FW is passing with green check marks, it doesn't seem to be working. In fact, my hybrid NAT with the rule I have in place doesn't work either as in the previous version AND on top of that, I re-enabled the LAN rule I had where it would make that host's IP use the secondary gateway that was working...and it is now NOT working.
** Edit: The LAN rule must have taken a minute, it is working now BUT still same problem. It no worky with secondary WAN like it says in the redmine post
Truly and enterprise product. SMH
The folks on the redmine post that think it is working in 2.6 devel aren't correct because it's clearly not working.
