    Outbound NAT - this shouldn't be this hard

      wolfsden3

      What in the world? My outbound NAT problems are causing me to be in hell today.

      I have this setup on a single WAN with multiple VIPs to different servers on the LAN but today, I have a DUAL WAN setup and one interface having VIPs to LAN servers and I cannot for the life of me get outbound NAT working. It's maddening.

      I first go to:

      Firewall > NAT > Outbound. I then enable "hybrid". I make a rule that says: Interface is OPT (ATT in this case and not WAN - eth0) > Source: My private IP of the server /32 > NAT address: The public VIP on the ATT (OPT) interface.

      Then I test. NOPE! It is getting the WAN address on eth0 to Charter and NOT the ATT. What in the H - E - double hockey sticks?

      So...then I'm like, OK. Google Google Google...then I go to System > Advanced > Firewall & NAT. I tick: "Enable automatic outbound NAT for Reflection".

      I read the note, needs a manual rule, etc.

      Still no worky. I still get the Charter public IP. I also tried making a 1:1 NAT rule. Nada, server won't even get out the door at this point either. So then I made a LAN rule that forces this thing out of the ATT gateway under the LAN advanced options of my rule telling the private IP to use the ATT gateway.

      Still no worky.

      Seriously, with a single WAN this works. Dual WAN it no work.

      Now the LAN rule I had working (in one of my configs) to make the server use the ATT gateway doesn't work when 1:1 NAT is enabled.

      All I want in life is to get out of jail and have my firewall work lol.

      Dual WAN (Charter WAN & ATT OPT) > NAT one server on one LAN IP from Charter > Server 1 (that works) > NAT one server on one LAN IP from ATT > Server 2.

      This by the way is in a fail over config so Charter is the primary Tier 1 and ATT is set as Tier 3. The fail over works.

      Anyone have any advice? I've been through the documents on this too with respect to policy routing, 1:1 NAT and outbound NAT but I'm not getting anywhere!

      2.5.1-RELEASE (amd64)
      built on Mon Apr 12 07:50:14 EDT 2021
      FreeBSD 12.2-STABLE

      Any help is appreciated! Thanks!

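For anyone reading along, here is what the three UI pieces in the post above (the policy-routing LAN rule, the hybrid outbound NAT rule on the OPT interface, and the port forward to the VIP) boil down to at the pf level. This is an illustrative pf.conf fragment I am adding, not pfSense's generated ruleset and not from the original poster; interface names and addresses are constructed placeholders from the RFC 5737 documentation ranges. It shows why the outbound NAT rule alone does nothing: `nat on $att` only matches packets that actually leave via the ATT interface, and with Charter holding the default route that only happens if the LAN rule policy-routes the server there first.

```pf
# Illustrative pf.conf fragment (constructed example, not pfSense output).
# Interface names and addresses are placeholders.
lan     = "em0"            # LAN
wan     = "em1"            # Charter WAN, holds the default route
att     = "em2"            # ATT (OPT) WAN
att_gw  = "203.0.113.1"    # ATT next hop
att_vip = "203.0.113.10"   # Virtual IP configured on the ATT interface
srv2    = "192.168.1.20"   # LAN server that must use the ATT public IP

# --- Translation rules (must precede filter rules in FreeBSD pf) ---

# Hybrid outbound NAT, as set up under Firewall > NAT > Outbound:
# rewrite the server's source to the VIP, but only for packets that are
# really leaving on $att. Traffic that exits $wan never hits this rule,
# which is what the poster observed (Charter IP instead of ATT IP).
nat on $att inet from $srv2 to any -> $att_vip

# --- Filter rules ---

# Policy routing, i.e. the LAN rule with the ATT gateway set under
# Advanced Options. Without this the server follows the default route
# out $wan and the nat rule above is never evaluated for it.
pass in quick on $lan route-to ($att $att_gw) inet \
     from $srv2 to any keep state

# Inbound port forward to the VIP. reply-to pins the return traffic of
# this state to the ATT gateway so replies do not leak out via $wan.
pass in quick on $att reply-to ($att $att_gw) inet proto tcp \
     from any to $att_vip port 443 keep state
```

On the firewall itself, `pfctl -sn` shows the loaded translation rules and `pfctl -sr` the filter rules, so you can confirm both the nat rule on the OPT interface and the route-to on the LAN rule are actually present; `pfctl -ss` then shows which interface the server's states were created on.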
        johnpoz (LAYER 8 Global Moderator) @wolfsden3

        Some known issue with multiple WAN

        https://redmine.pfsense.org/issues/11805

        Fix is to go to 2.6 dev versions

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          vjizzle @johnpoz

          @johnpoz Please stop telling people that the fix is to run a DEVELOPMENT version in a production environment! If anything the fix is to downgrade to 2.4.5 p1 till it pleases Netgate to release a proper version where this bug is fixed. That is the decent thing to do.

            johnpoz (LAYER 8 Global Moderator) @vjizzle

            This is the first person I have mentioned this bug report to.. Just summarized the bug report, it's been fixed in 2.6 dev..

            He can do whatever he wants. But it is fixed in 2.6 per the bug report.

            Where did he state this was production btw? For all we know this is his lab..

            If this was actual "production" why is he on 2.5.1 without thorough testing of it, etc. And he should have fallen back to his previous install as soon as it wasn't working within his change window.

            When we do an update to any system "in production" validation occurs during the change window, and if it does not pass - fall back is required, etc.

              wolfsden3 @johnpoz

              @johnpoz Thanks for that note! That explains a lot.

              So...as broken as pfSense seems to always be these days I guess it's now "enterprise" LOL.

                wolfsden3 @johnpoz

                @johnpoz Thanks again for the post. I upgraded to devel 2.6 and tried it. Traffic on the FW is passing with green check marks, but it doesn't seem to be working. In fact, my hybrid NAT with the rule I have in place doesn't work either, as in the previous version, AND on top of that, I re-enabled the LAN rule I had where it would make that host's IP use the secondary gateway that was working...and it is now NOT working.

                ** Edit: The LAN rule must have taken a minute, it is working now BUT still same problem. It no worky with secondary WAN, like it says in the redmine post.

                Truly an enterprise product. SMH

                The folks on the redmine post that think it is working in 2.6 devel aren't correct because it's clearly not working.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.