Firewall blocking all traffic when Outbound NAT rule in place
-
We have a lot of WAN IPs. One of them is assigned to the WAN interface and the others are CARP VIPs. What I want now is that one specific host (172.16.1.92) is 1:1 related to one specific WAN IP (1.2.3.141).
The host needs inbound NAT on ports 80 and 443 as well as outbound NAT for everything.
Everything I have tried leads to pfSense either completely blocking all traffic from or to the host or completely random behavior (always blocking inbound, switching between blocking and not blocking outgoing DNS, switching between blocking and not blocking outgoing ICMP echo requests, blocking all HTTP/S traffic but sometimes allowing some random IPs).

There is an Outbound NAT rule that has no effect whatsoever:
Interface: WAN
Address Family: IPv4
Protocol: any
Source: Network 172.16.1.92/32
Destination: any
Translation address: 1.2.3.141 (the CARP entry)

Also a 1:1 NAT rule:
Interface: WAN
Address Family: IPv4
External subnet IP: Single Host 1.2.3.141
Internal IP: Single Host 172.16.1.92
Destination: any

It doesn't matter if only one or both rules are active, the firewall is always using the rule "Default deny rule IPv4 (1000000103)" to completely block all traffic coming from that machine.
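The "Default deny rule IPv4 (1000000103)" hits described above can be triaged from the firewall log to confirm which interface and direction the blocked packets arrive on, which is the question the rest of the thread turns on. The script below is an added example, not code from this thread or from pfSense: it parses filterlog CSV lines in the layout pfSense has used since 2.2 (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 and TCP/UDP fields) and counts default-deny blocks per interface, source, protocol and destination port. The sample log lines, the interface names igb0/igb2 and the second tracker id 1587432101 are constructed; only the tracker id 1000000103 comes from the thread.

```python
"""Triage pfSense filterlog 'block' entries caused by the IPv4 default deny rule.

Added example (not from the thread). The CSV field order assumed here is the
pfSense 2.2+ filterlog format; the syslog prefix is assumed already stripped.
"""
from collections import Counter

# Tracker id of "Default deny rule IPv4" as quoted in the thread.
DEFAULT_DENY_TRACKER = "1000000103"

# Constructed sample log payloads. igb2 stands in for the OPT2 interface and
# igb0 for WAN; these names are assumptions, not taken from the thread.
SAMPLE_LOG = """\
5,16777216,,1000000103,igb2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,172.16.1.92,93.184.216.34,51234,443,0,S,1,,65535,,mss
5,16777216,,1000000103,igb2,match,block,in,4,0x0,,64,0,0,DF,17,udp,61,172.16.1.92,1.1.1.1,40000,53,41
5,16777216,,1000000103,igb2,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,172.16.1.92,8.8.8.8,request,1234,1
120,,,1587432100,igb0,match,pass,in,4,0x0,,51,0,0,DF,6,tcp,60,203.0.113.7,1.2.3.141,44321,443,0,S,2,,29200,,mss
9,,,1587432101,igb0,match,block,in,4,0x0,,51,0,0,DF,6,tcp,60,198.51.100.9,1.2.3.141,55555,22,0,S,3,,29200,,mss
"""


def parse_filterlog(line):
    """Parse one filterlog CSV payload into a dict, or None if it is not one."""
    f = line.strip().split(",")
    if len(f) < 9:
        return None
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4],
        "action": f[6], "dir": f[7], "ipver": f[8],
    }
    # IPv4 layout: tos, ecn, ttl, id, offset, flags, proto-id, proto-text,
    # length, src, dst follow the common header.
    if rec["ipver"] == "4" and len(f) >= 20:
        rec["proto"] = f[16]
        rec["src"] = f[18]
        rec["dst"] = f[19]
        # TCP and UDP then carry source port and destination port.
        if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
            rec["sport"] = f[20]
            rec["dport"] = f[21]
    return rec


def default_deny_summary(log_text):
    """Count default-deny blocks keyed by (interface, source, protocol, dport)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec["action"] != "block":
            continue
        if rec["tracker"] != DEFAULT_DENY_TRACKER:
            continue  # blocked by a user rule, not by the default deny
        key = (rec["iface"], rec.get("src", "?"), rec.get("proto", "?"),
               rec.get("dport", "-"))
        hits[key] += 1
    return hits


def blocked_sources(log_text):
    """Return the set of (interface, direction, source) hitting the default deny.

    A source showing up as direction 'in' on an internal interface means no
    pass rule matched there; NAT rules alone never pass traffic.
    """
    out = set()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["tracker"] == DEFAULT_DENY_TRACKER:
            out.add((rec["iface"], rec["dir"], rec.get("src", "?")))
    return out


if __name__ == "__main__":
    for key, n in sorted(default_deny_summary(SAMPLE_LOG).items()):
        print("%-5s %-15s %-5s %-5s %d" % (key + (n,)))
    print("sources hitting default deny:", sorted(blocked_sources(SAMPLE_LOG)))
```

Run on a real export of the firewall log (Status / System Logs / Firewall, raw view, with the syslog prefix removed), the summary shows whether 172.16.1.92 is being denied inbound on the OPT2-side interface, which points at a missing or non-matching pass rule there, or on WAN, which points at the NAT side.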
-
@felixcda LAN interface has a default allow to any by default. Other interfaces do not. Is this web server on LAN? 1:1 and Outbound NAT don't allow traffic on an interface.
-
@steveits The webserver is on a different interface (OPT2). There is a firewall rule with protocol IPv4*, Source OPT2 net, Port *, Destination * (copied the default allow all rule to this interface).
Also it has no effect when I enable or disable "Bypass firewall rules for traffic on the same interface".
When all Outbound NAT rules are disabled the webserver has internet access.
-
@felixcda can Diagnostics/Ping go out the .141 address by itself? (Can't recall without looking but I think it lets you specify the IP, vs the interface)
-
@steveits The WAN IPs go from 130 to 142. Only 130 (CARP) and 142 (WAN interface) can ping out. All others are unable to. The firewall is CARP Master for all WAN IPs. All are configured with the /28 subnet mask and a different vhid number.
-
@felixcda hmm it should work but you might try IP Alias for the additional IPs instead of all CARP?
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#carp

Overall if the IP can't connect out that seems like your issue regardless of NAT.
-
@steveits But there is a second firewall in a HA configuration. Doesn't IPALIAS break the entire WAN network when 2 firewalls have the same IPALIASes on their WAN interfaces? I had that before and when I added the second firewall everything stopped working.
-
Okay so I have turned off the second firewall and now Inbound NAT fully works. Outbound NAT sort of works (able to ping and nslookup from webserver but no HTTPS internet access). It looks like the second firewall was CARP BACKUP but also was using the IPs?!
-
@felixcda re: aliases, per that doc page it should work and is useful for reducing heartbeat traffic. It links to https://docs.netgate.com/pfsense/en/latest/highavailability/reduce-heartbeat-traffic.html
-
@steveits I have done that now. Now when I unplug FW1, FW2 doesn't really take over and nothing works. When I turn FW1 back on I get hundreds of notifications that the CARP status is resumed as BACKUP, and to make the network work again I have to power off FW2, restart FW1, wait 10 minutes and then restart FW2.
-
@felixcda That sounds like the HA setup has its own problems. Scan through the troubleshooting doc and maybe start another thread. You should be able to put the primary in persistent maintenance mode, or shut it off, and the other take over seamlessly. And go the other direction. I do it all the time and it's how updates are done. Your two routers are identical?