Netgate Discussion Forum

SOLVED: Can only NAT to interface IP. Why?

11 Posts 4 Posters 3.4k Views
    GruensFroeschli
    last edited by Aug 5, 2009, 7:38 PM

    Your description doesn't make much sense to me ^^".
    Can you show screenshots of your firewall rules and your NAT rules?

    We do what we must, because we can.

    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      pakroby
      last edited by Aug 5, 2009, 9:08 PM Aug 5, 2009, 8:43 PM

      I have worked on this for so long that it no longer makes sense to me either.  Sorry if I didn't quite communicate the problem.
      Here are some pictures to do the talking.

      First off here is a simple diagram of my network.  

      My CARP address

      NAT Port Forwarding
      Note, it is only like this for the screen shot's sake.  I do not expect it to work this way.  

      LAN Rule

      WAN Rules

      When NAT is set up properly and terminates to the .34 address I can reach a shell from the internet.  When it terminates at a PC inside the LAN I cannot reach a shell as I should.  There are no iptables or anything else obstructing the SSH server, and I am able to connect to it directly from the LAN.

        GruensFroeschli
        last edited by Aug 5, 2009, 9:21 PM

        Your VIP is a CARP type VIP with a subnet of /32.
        This will not work. Read the notes on the page where you can configure a CARP VIP.

        This is the network's subnet mask. It does not specify a CIDR

          pakroby
          last edited by Aug 5, 2009, 9:27 PM

          Actually, I think this still belongs under NAT.  Forget I ever mentioned CARP.
          The problem is that I can NAT to 192.168.41.34, my interface address, but not 192.168.41.50, a server inside the LAN.
          My point with mentioning CARP was that I could make it work with either the WAN interface or a CARP address.  So, please disregard my misconfigured CARP and focus on the NAT issue.

          And thanks.  I appreciate any help I can get.

            Bern
            last edited by Aug 5, 2009, 9:33 PM

            Your NAT rules appear to be forwarding from both .72 and .77 to .34, which is probably why your SSH server isn't receiving the traffic.

            You probably want to forward .72 -> .34 and .77 -> .50 (or the other way round).

              pakroby
              last edited by Aug 5, 2009, 9:35 PM

              @Bern:

              Your NAT rules appear to be forwarding from both .72 and .77 to .34, which is probably why your SSH server isn't receiving the traffic.

              You probably want to forward .72 -> .34 and .77 -> .50 (or the other way round).

              You apparently missed the note about those settings being there for the sake of the screen shot, but thanks for trying.

                Bern
                last edited by Aug 5, 2009, 9:37 PM

                OK. How about posting your EXACT configuration, without bogus/misleading configuration?

                  pakroby
                  last edited by Aug 5, 2009, 9:46 PM Aug 5, 2009, 9:43 PM

                  Thanks for the offer, but I just figured out where I messed things up.  I had a bad route to my .50 address.

                    Eugene
                    last edited by Aug 6, 2009, 3:20 AM

                    You have a way too smart network -)
                    Static route with two interfaces! I can't think of any other static route than default gateway…

                    http://ru.doc.pfsense.org

                      pakroby
                      last edited by Aug 6, 2009, 5:47 PM

                      The picture did not show the entire network.  pfSense shares a LAN with a SonicWall that we are trying to replace and the SonicWall has more VPNs to more networks.  Trust me, I wouldn't just add static routes for the fun of it.
