Netgate Discussion Forum

    Outbound NAT: TCP working fine, UDP not at all

    NAT
    • Rhicinus

      Hi,
      we are on a pfSense cluster, using the captive portal feature, but I think our problem is NAT-related. Everything works fine until it comes to the UDP protocol from the clients in the direction of the Internet, be it IKE/ISAKMP, NTP, QUIC, or any other UDP traffic. I use manual Outbound NAT rules.

      With some packet capture I could narrow it down a little.
      The initial UDP packet from the client passes the pfSense from Inside to Internet and gets NATed correctly. The reply packets from the (say) IKE gateway arrive on the public IP of the pfSense WAN interface. The reply packet is then NOT forwarded to the client on the Inside.

      This has been happening since we moved the Captive Portal from a 2.4.4 cluster to a new 2.6.0 cluster.

      I tried dedicated UDP Outbound NAT rules, I tried NAT to the CARP IP, then NAT to the WAN interface IP, always with the same result. TCP works, UDP does not. I double- and triple-checked all settings against the settings on the working 2.4.4 cluster; it's the same.

      Did I miss something or is this a bug?

      best regards
      Rainer

      • johnpoz LAYER 8 Global Moderator @Rhicinus

        @rhicinus said in Outbound NAT: TCP working fine, UDP not at all:

        Did I miss something or is this a bug?

        I do recall some UDP issue with captive portal... I think there is a patch - brb.

        back: there is this

        https://redmine.pfsense.org/issues/12834

        And there is a patch you can apply in the patch manager

        [Image: patches.jpg]

        None of them apply to my needs which is why I don't have any of them applied.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Rhicinus @johnpoz

          Thank you,

          I now just need to figure out how to get and apply the patch in the community version of pfSense (no Plus here).

          best regards

          • johnpoz LAYER 8 Global Moderator @Rhicinus

            @rhicinus you can use the patch manager in CE, it just doesn't auto-fill patches and you have to add them... The info needed should be in the redmine.

            I do see a commit id listed in the redmine

            • Rhicinus

              Hi,

              to complete the topic: the patch worked for me and solved the issue.

              Thank you

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.