Firewall blocking all traffic when Outbound NAT rule in place
-
@felixcda LAN interface has a default allow to any by default. Other interfaces do not. Is this web server on LAN? 1:1 and Outbound NAT don't allow traffic on an interface.
-
@steveits The webserver is on a different interface (OPT2). There is a firewall rule with protocol IPv4*, Source OPT2 net, Port *, Destination * (copied the default allow all rule to this interface).
Also it has no effect when I enable or disable "Bypass firewall rules for traffic on the same interface".
When all Outbound NAT rules are disabled the webserver has internet access.
-
@felixcda can Diagnostics/Ping go out the .141 address by itself? (Can't recall without looking but I think it lets you specify the IP, vs the interface)
-
@steveits The WAN IPs go from 130 to 142. Only 130 (CARP) and 142 (WAN interface) can ping out. All others are unable to. The firewall is CARP Master for all WAN IPs. All are configured with the /28 subnet mask and a different vhid number.
-
@felixcda hmm it should work but you might try IP Alias for the additional IPs instead of all CARP?
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#carp
Overall if the IP can't connect out that seems like your issue regardless of NAT.
-
@steveits But there is a second firewall in a HA configuration. Doesn't IPALIAS break the entire WAN network when 2 firewalls have the same IPALIASes on their WAN interfaces? I had that before and when I added the second firewall everything stopped working.
-
Okay so I have turned off the second firewall and now Inbound NAT fully works. Outbound NAT sort of works (able to ping and nslookup from webserver but no HTTPS internet access). It looks like the second firewall was CARP BACKUP but also was using the IPs?!
-
@felixcda re: aliases, per that doc page it should work and is useful for reducing heartbeat traffic. It links to https://docs.netgate.com/pfsense/en/latest/highavailability/reduce-heartbeat-traffic.html
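An added example, not from this thread or from pfSense, covering the two VIP points raised above (one vhid per CARP VIP on a segment, and IP Alias VIPs riding on a CARP parent rather than sitting directly on WAN so they follow the CARP master instead of being live on both nodes). It lints a constructed config.xml excerpt; the `<virtualip><vip>` element names and the `_vip<uniqid>` parent naming are assumptions about the config layout.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed config.xml excerpt in the <virtualip><vip> layout (element names
# and the _vip<uniqid> parent reference are assumptions; addresses are
# documentation ranges, not the thread's real IPs).
SAMPLE_CONFIG = """<pfsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>10</vhid><advskew>0</advskew>
       <uniqid>carpA</uniqid><subnet>203.0.113.130</subnet><subnet_bits>28</subnet_bits></vip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>11</vhid><advskew>0</advskew>
       <uniqid>carpB</uniqid><subnet>203.0.113.131</subnet><subnet_bits>28</subnet_bits></vip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>11</vhid><advskew>0</advskew>
       <uniqid>carpC</uniqid><subnet>203.0.113.132</subnet><subnet_bits>28</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>_vipcarpA</interface>
       <subnet>203.0.113.133</subnet><subnet_bits>28</subnet_bits></vip>
  <vip><mode>ipalias</mode><interface>wan</interface>
       <subnet>203.0.113.134</subnet><subnet_bits>28</subnet_bits></vip>
</virtualip></pfsense>"""


def parse_vips(xml_text):
    """Return each <vip> as a dict of its child element texts."""
    root = ET.fromstring(xml_text)
    return [{c.tag: (c.text or "").strip() for c in vip}
            for vip in root.iter("vip")]


def duplicate_vhids(vips):
    """(interface, vhid) pairs claimed by more than one CARP VIP.
    Two CARP VIPs sharing a vhid on one segment collide on the same
    virtual MAC and cannot fail over cleanly."""
    counts = Counter((v["interface"], v["vhid"]) for v in vips
                     if v.get("mode") == "carp")
    return sorted(k for k, n in counts.items() if n > 1)


def unshared_aliases(vips):
    """IP Alias VIPs placed directly on a real interface instead of on a
    CARP VIP parent (assumed to appear as _vip<uniqid>). Such an alias is
    active on both HA nodes at once rather than following the CARP master."""
    carp_parents = {"_vip" + v["uniqid"] for v in vips
                    if v.get("mode") == "carp" and "uniqid" in v}
    return sorted(v["subnet"] for v in vips
                  if v.get("mode") == "ipalias"
                  and v["interface"] not in carp_parents)


if __name__ == "__main__":
    vips = parse_vips(SAMPLE_CONFIG)
    print("duplicate vhids:", duplicate_vhids(vips))
    print("aliases not bound to a CARP VIP:", unshared_aliases(vips))
```

Run it against the exported config.xml of each node (Diagnostics / Backup & Restore) and both nodes should report nothing, with identical VIP lists apart from advskew.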
-
@steveits I have done that now. Now when I unplug FW1 the FW2 doesn't really take over and nothing works. When I turn FW1 back on I get hundreds of notifications that the CARP status is resumed as BACKUP and to make the network work again I have to power off FW2, restart FW1 and wait 10 minutes and then restart FW2.
-
@felixcda That sounds like the HA setup has its own problems. Scan through the troubleshooting doc and maybe start another thread. You should be able to put the primary in persistent maintenance mode, or shut it off, and the other takes over seamlessly. And go the other direction. I do it all the time and it's how updates are done. Your two routers are identical?