Nat reflection problem



  • Hi.

    I just installed the 2.0. Fresh install, to make sure there were no upgrade problems.

    However, when I uncheck the "Disable NAT Reflection" box, the box stops NAT'ing anything at all.

    I have a simple setup: 1 WAN, 1 LAN interface. The WAN has a public internet IP, no firewalls between ISP and WAN.

    I have a webserver on my LAN, which works fine from the outside. On pfsense-1.2.3-RC1 I had the exact same ports forwarded, and with "Disable NAT Reflection" unchecked, I could reach my webserver just fine from both outside and inside.

    With 2.0 and "Disable NAT Reflection" unchecked, NAT just stops working. No one can reach anything on the outside, and the webserver is still not reachable from the inside through its domain.

    (I have it working with the DNS forwarder trick mentioned in the FAQ. It's just a private webserver and a home network, so it's not a big problem.)

    Is there anything different one has to remember to make this work in 2.0? :)

    Thanks in advance for any help.

    • technot


  • Can you post your config and rules.debug content?



  • These are the requested files with my working setup (DNS split instead of NAT reflection); passwords and hashes have been removed.

    config.xml:

    
    <pfsense>
    	<version>5.9</version>
    	<lastchange></lastchange>
    	<theme>pfsense_ng</theme>
    	<sysctl>
    		<item>
    			<desc>Set the ephemeral port range to be lower.</desc>
    			<tunable>net.inet.ip.portrange.first</tunable>
    			<value>1024</value>
    		</item>
    		<item>
    			<desc>Drop packets to closed TCP ports without returning a RST</desc>
    			<tunable>net.inet.tcp.blackhole</tunable>
    			<value>2</value>
    		</item>
    		<item>
    			<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
    			<tunable>net.inet.udp.blackhole</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
    			<tunable>net.inet.ip.random_id</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
    			<tunable>net.inet.tcp.drop_synfin</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Enable sending IPv4 redirects</desc>
    			<tunable>net.inet.ip.redirect</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Enable sending IPv6 redirects</desc>
    			<tunable>net.inet6.ip6.redirect</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
    			<tunable>net.inet.tcp.syncookies</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
    			<tunable>net.inet.tcp.recvspace</tunable>
    			<value>65228</value>
    		</item>
    		<item>
    			<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
    			<tunable>net.inet.tcp.sendspace</tunable>
    			<value>65228</value>
    		</item>
    		<item>
    			<desc>IP Fastforwarding</desc>
    			<tunable>net.inet.ip.fastforwarding</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
    			<tunable>net.inet.tcp.delayed_ack</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Maximum outgoing UDP datagram size</desc>
    			<tunable>net.inet.udp.maxdgram</tunable>
    			<value>57344</value>
    		</item>
    		<item>
    			<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
    			<tunable>net.link.bridge.pfil_onlyip</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
    			<tunable>net.link.bridge.pfil_member</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Set to 1 to enable filtering on the bridge interface</desc>
    			<tunable>net.link.bridge.pfil_bridge</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Allow unprivileged access to tap(4) device nodes</desc>
    			<tunable>net.link.tap.user_open</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
    			<tunable>kern.rndtest.verbose</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
    			<tunable>kern.randompid</tunable>
    			<value>347</value>
    		</item>
    		<item>
    			<desc>Maximum size of the IP input queue</desc>
    			<tunable>net.inet.ip.intr_queue_maxlen</tunable>
    			<value>1000</value>
    		</item>
    		<item>
    			<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
    			<tunable>hw.syscons.kbd_reboot</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Enable TCP Inflight mode</desc>
    			<tunable>net.inet.tcp.inflight.enable</tunable>
    			<value>1</value>
    		</item>
    		<item>
    			<desc>Enable TCP extended debugging</desc>
    			<tunable>net.inet.tcp.log_debug</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>Set ICMP Limits</desc>
    			<tunable>net.inet.icmp.icmplim</tunable>
    			<value>750</value>
    		</item>
    		<item>
    			<desc>TCP Offload Engine</desc>
    			<tunable>net.inet.tcp.tso</tunable>
    			<value>0</value>
    		</item>
    		<item>
    			<desc>TCP Offload Engine - BCE</desc>
    			<tunable>hw.bce.tso_enable</tunable>
    			<value>0</value>
    		</item>
    	</sysctl>
    	<system>
    		<optimization>normal</optimization>
    		<hostname>pfSense</hostname>
    		<domain>local</domain>
    		<dnsallowoverride/>
    		<group>
    			<name>all</name>
    			<description>All Users</description>
    			<scope>system</scope>
    			<gid>1998</gid>
    			<member>0</member>
    		</group>
    		<group>
    			<name>admins</name>
    			<description>System Administrators</description>
    			<scope>system</scope>
    			<gid>1999</gid>
    			<member>0</member>
    			<priv>page-all</priv>
    		</group>
    		<user>
    			<name>admin</name>
    			<fullname>System Administrator</fullname>
    			<scope>system</scope>
    			<groupname>admins</groupname>
    			<password>removed</password>
    			<uid>0</uid>
    			<priv>user-shell-access</priv>
    			<md5-hash>removed</md5-hash>
    			<nt-hash>removed</nt-hash>
    		</user>
    		<nextuid>2000</nextuid>
    		<nextgid>2000</nextgid>
    		<timezone>Etc/UTC</timezone>
    		<time-update-interval>300</time-update-interval>
    		<timeservers>0.pfsense.pool.ntp.org</timeservers>
    		<webgui>
    			<protocol>https</protocol>
    			<ssl-certref>4a85b1a18d669</ssl-certref>
    		</webgui>
    		<dnsserver/>
    		<ca>
    			<refid>4a85b1470f4b3</refid>
    			<name>internalCA</name>
    			<crt>removed</crt>
    			<prv>removed</prv>
    			<serial>1</serial>
    		</ca>
    		<cert>
    			<refid>4a85b1a18d669</refid>
    			<name>internalSSL</name>
    			<caref>4a85b1470f4b3</caref>
    			<crt>removed</crt>
    			<prv>removed</prv>
    		</cert>
    		<enablesshd>enabled</enablesshd>
    		<scrubrnid>enabled</scrubrnid>
    		<maximumstates/>
    		<reflectiontimeout/>
    		<firmware>
    			<alturl>
    				<enable/>
    				<firmwareurl>http://snapshots.pfsense.org/FreeBSD_RELENG_7_2/pfSense_HEAD/.updaters</firmwareurl>
    			</alturl>
    		</firmware>
    		<disablenatreflection>yes</disablenatreflection>
    	</system>
    	<interfaces>
    		<lan>
    			<if>xl1</if>
    			<ipaddr>192.168.1.1</ipaddr>
    			<subnet>24</subnet>
    			<media></media>
    			<mediaopt></mediaopt>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    		</lan>
    		<wan>
    			<if>rl0</if>
    			<mtu/>
    			<ipaddr>dhcp</ipaddr>
    			<subnet/>
    			<gateway/>
    			<dhcphostname/>
    			<media></media>
    			<mediaopt></mediaopt>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    			<spoofmac></spoofmac>
    		</wan>
    	</interfaces>
    	<staticroutes></staticroutes>
    	<pppoe>
    		<username/>
    		<password></password>
    	</pppoe>
    	<pptp>
    		<username/>
    		<password/>
    		<local></local>
    	</pptp>
    	<dhcpd>
    		<lan>
    			<enable/>
    			<range>
    				<from>192.168.1.10</from>
    				<to>192.168.1.245</to>
    			</range>
    		</lan>
    	</dhcpd>
    	<pptpd>
    		<localip></localip>
    	</pptpd>
    	<dnsmasq>
    		<enable/>
    		<hosts>
    			<host>www</host>
    			<domain>deppa.com</domain>
    			<ip>192.168.1.113</ip>
    			<descr>deppa</descr>
    		</hosts>
    		<regdhcp/>
    		<regdhcpstatic/>
    	</dnsmasq>
    	<snmpd>
    		<syslocation></syslocation>
    		<syscontact></syscontact>
    		<rocommunity>public</rocommunity>
    	</snmpd>
    	<diag>
    		<ipv6nat>
    			<ipaddr></ipaddr>
    		</ipv6nat>
    	</diag>
    	<nat>
    		<ipsecpassthru>
    			<enable></enable>
    		</ipsecpassthru>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>6667</external-port>
    			<target>192.168.1.113</target>
    			<local-port>6667</local-port>
    			<interface>wan</interface>
    			<descr>deppa-irc</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>25</external-port>
    			<target>192.168.1.113</target>
    			<local-port>25</local-port>
    			<interface>wan</interface>
    			<descr>deppa-smtp</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>110</external-port>
    			<target>192.168.1.113</target>
    			<local-port>110</local-port>
    			<interface>wan</interface>
    			<descr>deppa-pop3</descr>
    		</rule>
    		<rule>
    			<protocol>tcp/udp</protocol>
    			<external-port>56035</external-port>
    			<target>192.168.1.119</target>
    			<local-port>56035</local-port>
    			<interface>wan</interface>
    			<descr>terje-torrent</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>80</external-port>
    			<target>192.168.1.113</target>
    			<local-port>80</local-port>
    			<interface>wan</interface>
    			<descr>deppa-www</descr>
    		</rule>
    		<rule>
    			<protocol>tcp/udp</protocol>
    			<external-port>53</external-port>
    			<target>192.168.1.113</target>
    			<local-port>53</local-port>
    			<interface>wan</interface>
    			<descr>deppa-dns</descr>
    		</rule>
    		<rule>
    			<protocol>tcp/udp</protocol>
    			<external-port>3306</external-port>
    			<target>192.168.1.141</target>
    			<local-port>3306</local-port>
    			<interface>wan</interface>
    			<descr>technot-mysql</descr>
    		</rule>
    		<rule>
    			<protocol>tcp/udp</protocol>
    			<external-port>16881-16891</external-port>
    			<target>192.168.1.141</target>
    			<local-port>16881</local-port>
    			<interface>wan</interface>
    			<descr>technot-utorrent</descr>
    		</rule>
    	</nat>
    	<filter>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>6667</port>
    			</destination>
    			<descr>NAT deppa-irc</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>80</port>
    			</destination>
    			<descr>NAT deppa-web</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>25</port>
    			</destination>
    			<descr>NAT deppa-smtp</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>110</port>
    			</destination>
    			<descr>NAT deppa-pop3</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>22</port>
    			</destination>
    			<descr>NAT deppa-ssh</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp/udp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.119</address>
    				<port>56035</port>
    			</destination>
    			<descr>NAT terje-torrent</descr>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<descr>Default allow LAN to any rule</descr>
    			<interface>lan</interface>
    			<source>
    				<network>lan</network>
    			</source>
    			<destination>
    				<any/>
    			</destination>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>80</port>
    			</destination>
    			<descr>NAT deppa-www</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp/udp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.113</address>
    				<port>53</port>
    			</destination>
    			<descr>NAT deppa-dns</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp/udp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.141</address>
    				<port>3306</port>
    			</destination>
    			<descr>NAT technot-mysql</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp/udp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.141</address>
    				<port>16881-16891</port>
    			</destination>
    			<descr>NAT technot-utorrent</descr>
    		</rule>
    		<bypassstaticroutes>yes</bypassstaticroutes>
    	</filter>
    	<shaper></shaper>
    	<ipsec>
    		<preferredoldsa></preferredoldsa>
    	</ipsec>
    	<aliases></aliases>
    	<proxyarp></proxyarp>
    	<cron>
    		<item>
    			<minute>0</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 newsyslog</command>
    		</item>
    		<item>
    			<minute>1,31</minute>
    			<hour>0-5</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 adjkerntz -a</command>
    		</item>
    		<item>
    			<minute>1</minute>
    			<hour>3</hour>
    			<mday>1</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
    		</item>
    		<item>
    			<minute>*/60</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
    		</item>
    		<item>
    			<minute>1</minute>
    			<hour>1</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
    		</item>
    		<item>
    			<minute>*/60</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
    		</item>
    		<item>
    			<minute>*/5</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</command>
    		</item>
    		<item>
    			<minute>*/5</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command>/usr/bin/nice -n20 /etc/ping_hosts.sh</command>
    		</item>
    	</cron>
    	<rrd>
    		<enable></enable>
    	</rrd>
    	<revision>
    		<description>/firewall_nat.php made unknown change</description>
    		<time>1250338135</time>
    	</revision>
    	<installedpackages>
    		<package>
    			<name>rate</name>
    			<descr>This package adds a table of realtime bandwidth usage by IP address to Status -> Traffic Graphs</descr>
    			<category>Network Management</category>
    			<version>0.9</version>
    			<status>BETA</status>
    			<maintainer>jimp@pfsense.org</maintainer>
    			<required_version>1.2.2</required_version>
    			<depends_on_package_base_url>http://files.pfsense.com/packages/7/All/</depends_on_package_base_url>
    			<depends_on_package>rate-0.9.tbz</depends_on_package>
    			<config_file>http://www.pfsense.org/packages/config/rate/rate.xml</config_file>
    			<configurationfile>rate.xml</configurationfile>
    		</package>
    		<package>
    			<name>bandwidthd</name>
    			<website>http://bandwidthd.sourceforge.net/</website>
    			<descr>BandwidthD tracks usage of TCP/IP network subnets and builds html files with graphs to display utilization. Charts are built by individual IPs, and by default display utilization over 2 day, 8 day, 40 day, and 400 day periods. Furthermore, each ip address's utilization can be logged out at intervals of 3.3 minutes, 10 minutes, 1 hour or 12 hours in cdf format, or to a backend database server. HTTP, TCP, UDP, ICMP, VPN, and P2P traffic are color coded.</descr>
    			<category>System</category>
    			<version>2.0.1.2</version>
    			<status>BETA</status>
    			<required_version>1.2.1</required_version>
    			<depends_on_package_base_url>http://files.pfsense.org/packages/7/All/</depends_on_package_base_url>
    			<depends_on_package>bandwidthd-2.0.1_1.tbz</depends_on_package>
    			<depends_on_package>libiconv-1.11_1.tbz</depends_on_package>
    			<config_file>http://www.pfsense.org/packages/config/bandwidthd/bandwidthd.xml</config_file>
    			<configurationfile>bandwidthd.xml</configurationfile>
    			<noembedded>true</noembedded>
    		</package>
    		<package>
    			<name>diag_new_states</name>
    			<descr>Paul Taylors version of Diagnostics States which utilizes pftop.</descr>
    			<website>http://www.addressplus.net</website>
    			<category>Network Management</category>
    			<version>0.2</version>
    			<maintainer>ptaylor@addressplus.net</maintainer>
    			<required_version>1.2.1</required_version>
    			<status>BETA</status>
    			<config_file>http://www.pfsense.org/packages/config/diag_states_pt/diag_new_states.xml</config_file>
    			<configurationfile>http://www.pfsense.com/packages/config/diag_states_pt/diag_new_states.xml</configurationfile>
    		</package>
    		<menu>
    			<name>BandwidthD</name>
    			<section>Services</section>
    			<url>/pkg_edit.php?xml=bandwidthd.xml&amp;id=0</url>
    		</menu>
    		<menu>
    			<name>States New</name>
    			<tooltiptext>States by Paul Taylor</tooltiptext>
    			<section>Diagnostics</section>
    			<url>diag_new_states.php</url>
    		</menu>
    		<tab>
    			<text>BandwidthD</text>
    			<url>/pkg_edit.php?xml=bandwidthd.xml&amp;id=0</url>
    			<active/>
    		</tab>
    		<service>
    			<name>bandwidthd</name>
    			<rcfile>bandwidthd.sh</rcfile>
    			<executable>bandwidthd</executable>
    		</service>
    		<bandwidthd>
    			<config>
    				<active_interface>wan</active_interface>
    				<skipintervals/>
    				<graphcutoff/>
    				<promiscuous/>
    				<outputcdf/>
    				<recovercdf/>
    				<filter/>
    				<drawgraphs>on</drawgraphs>
    				<meta_refresh></meta_refresh>
    			</config>
    		</bandwidthd>
    	</installedpackages>
    	<ezshaper>
    		<step1>
    			<numberofconnections>1</numberofconnections>
    		</step1>
    		<step3>
    			<provider>Generic</provider>
    			<address></address>
    			<bandwidth/>
    			<local0download/>
    			<local0downloadspeed>Kb</local0downloadspeed>
    			<conn0upload/>
    			<conn0uploadspeed>Kb</conn0uploadspeed>
    			<download/>
    			<downloadspeed>Kb</downloadspeed>
    		</step3>
    		<step4>
    			<enable>on</enable>
    			<address>192.168.1.119</address>
    			<bandwidth>5</bandwidth>
    			<bandwidthunit>Mb</bandwidthunit>
    		</step4>
    		<step5>
    			<bandwidth>
    				<bandwidthunit>%</bandwidthunit>
    			</bandwidth>
    		</step5>
    		<step7>
    			<msrdp/>
    			<vnc/>
    			<appleremotedesktop/>
    			<pcanywhere/>
    			<irc/>
    			<jabber/>
    			<icq/>
    			<aolinstantmessenger/>
    			<msnmessenger/>
    			<teamspeak/>
    			<pptp/>
    			<ipsec/>
    			<streamingmp3/>
    			<rtsp/>
    			<http/>
    			<smtp/>
    			<pop3/>
    			<imap/>
    		</step7>
    		<step2>
    			<downloadscheduler>CBQ</downloadscheduler>
    			<conn0uploadscheduler>CBQ</conn0uploadscheduler>
    			<conn0upload>30</conn0upload>
    			<conn0uploadspeed>Mb</conn0uploadspeed>
    			<conn0download>30</conn0download>
    			<conn0downloadspeed>Mb</conn0downloadspeed>
    			<conn0interface>wan</conn0interface>
    		</step2>
    	</ezshaper>
    	<dnshaper></dnshaper>
    	<l7shaper>
    		<container></container>
    	</l7shaper>
    </pfsense>
    
    rules.debug:
    
    

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ rl0 }"
    LAN = "{ xl1 }"

    # User Aliases

    set loginterface rl0
    set loginterface xl1
    set optimization normal
    set limit states 25000

    set skip on pfsync0

    scrub in on $WAN all  random-id  fragment reassemble
    scrub in on $LAN all  random-id  fragment reassemble

    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    # Subnets to NAT

    tonatsubnets = "{ 192.168.1.0/24  }"
    no nat on $WAN to port tftp
    nat on $WAN from $tonatsubnets port 500 to any port 500 -> 84.234.185.11/32 port 500
    nat on $WAN from $tonatsubnets port 4500 to any port 4500 -> 84.234.185.11/32 port 4500
    nat on $WAN from $tonatsubnets port 5060 to any port 5060 -> 84.234.185.11/32 port 5060
    nat on $WAN from $tonatsubnets to any -> 84.234.185.11/32 port 1024:65535

    #SSH Lockout Table
    table <sshlockout> persist

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"

    # NAT Inbound Redirects

    rdr on rl0 proto tcp from any to 84.234.185.11 port 6667 -> 192.168.1.113
    rdr on rl0 proto tcp from any to 84.234.185.11 port 25 -> 192.168.1.113
    rdr on rl0 proto tcp from any to 84.234.185.11 port 110 -> 192.168.1.113
    rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 56035 -> 192.168.1.119
    rdr on rl0 proto tcp from any to 84.234.185.11 port 80 -> 192.168.1.113
    rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 53 -> 192.168.1.113
    rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 3306 -> 192.168.1.141
    rdr on rl0 proto { tcp udp } from any to 84.234.185.11 port 16881:16891 -> 192.168.1.141 port 16881:*

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    anchor "firewallrules"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # snort2c

    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # package manager early specific hook

    anchor "packageearly"

    # carp

    anchor "carp"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    table <virusprot>
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for rl0

    # allow our DHCP client out to the WAN

    anchor "wandhcp"
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.

    antispoof for xl1

    # allow access to DHCP server on LAN

    anchor "dhcpserverLAN"
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
    anchor "spoofing"

    # loopback

    anchor "loopback"
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    anchor "firewallout"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    anchor "anti-lockout"
    pass in quick on xl1 from any to (xl1) keep state label "anti-lockout rule"

    # NAT Reflection rules

    # User-defined rules follow

    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 6667  label "USER_RULE: NAT deppa-irc"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 80  label "USER_RULE: NAT deppa-web"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 25  label "USER_RULE: NAT deppa-smtp"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 110  label "USER_RULE: NAT deppa-pop3"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 22  label "USER_RULE: NAT deppa-ssh"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto { tcp udp }  from any to  192.168.1.119 port = 56035  label "USER_RULE: NAT terje-torrent"
    pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto tcp  from any to  192.168.1.113 port = 80  label "USER_RULE: NAT deppa-www"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto { tcp udp }  from any to  192.168.1.113 port = 53  label "USER_RULE: NAT deppa-dns"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto { tcp udp }  from any to  192.168.1.141 port = 3306  label "USER_RULE: NAT technot-mysql"
    pass  in  quick  on $WAN reply-to ( rl0 84.234.185.1 )  proto { tcp udp }  from any to  192.168.1.141 port 16880 >< 16892  label "USER_RULE: NAT technot-utorrent"

    # VPN Rules

    # package manager late specific hook

    anchor "packagelate"

    anchor "limitingesr"

    # uPnPd

    anchor "miniupnpd"
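Added example, not from this thread or from pfSense itself: a small Python audit that reads a config.xml of the shape posted above, renders each port forward as the `rdr` line the rules.debug above shows (so the two files can be compared line by line), and lists the things a reviewer would check in such a config: whether NAT reflection is disabled, WAN filter rules that pass traffic to a host/port with no port forward behind them (the `NAT deppa-ssh` rule above is one), external ports forwarded twice, and forwards of ports that merit a second look. `SAMPLE_CONFIG` is a constructed excerpt holding three of the posted rules; `REVIEW_PORTS`, `rdr_line`, `expand_ports` and `audit` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of the config.xml posted in this thread:
# three of the posted port forwards and three of the posted filter rules,
# everything else omitted. Not the poster's full file.
SAMPLE_CONFIG = """<pfsense>
  <system><disablenatreflection>yes</disablenatreflection></system>
  <interfaces><wan><if>rl0</if><ipaddr>dhcp</ipaddr></wan></interfaces>
  <nat>
    <rule><protocol>tcp</protocol><external-port>80</external-port>
      <target>192.168.1.113</target><local-port>80</local-port>
      <interface>wan</interface><descr>deppa-www</descr></rule>
    <rule><protocol>tcp/udp</protocol><external-port>3306</external-port>
      <target>192.168.1.141</target><local-port>3306</local-port>
      <interface>wan</interface><descr>technot-mysql</descr></rule>
    <rule><protocol>tcp/udp</protocol><external-port>16881-16891</external-port>
      <target>192.168.1.141</target><local-port>16881</local-port>
      <interface>wan</interface><descr>technot-utorrent</descr></rule>
  </nat>
  <filter>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><address>192.168.1.113</address><port>80</port></destination>
      <descr>NAT deppa-www</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><address>192.168.1.113</address><port>22</port></destination>
      <descr>NAT deppa-ssh</descr></rule>
    <rule><interface>wan</interface><protocol>tcp/udp</protocol><source><any/></source>
      <destination><address>192.168.1.141</address><port>3306</port></destination>
      <descr>NAT technot-mysql</descr></rule>
  </filter>
</pfsense>"""

# Ports a home firewall rarely needs to expose to the whole internet. A forward
# for one of these is reported for a second look, nothing more. (Chosen here.)
REVIEW_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp"}


def expand_ports(spec):
    """'80' -> {80}; '16881-16891' -> {16881, ..., 16891} (pfSense range syntax)."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return set(range(lo, hi + 1))
    return {int(spec)}


def port_forwards(xml_text):
    """Return each <nat><rule> as a dict of the fields pfSense stores for it."""
    root = ET.fromstring(xml_text)
    return [{
        "proto": r.findtext("protocol"),
        "ext": r.findtext("external-port"),
        "target": r.findtext("target"),
        "local": r.findtext("local-port"),
        "iface": r.findtext("interface"),
        "descr": r.findtext("descr", ""),
    } for r in root.findall("./nat/rule")]


def rdr_line(rule, ifname, wan_ip):
    """Render one port forward as the pf rdr line in the form rules.debug above
    uses: 'tcp/udp' -> '{ tcp udp }', a range a-b -> 'port a:b' and 'port a:*',
    and no target port when the local port equals the external one."""
    proto = "{ tcp udp }" if rule["proto"] == "tcp/udp" else rule["proto"]
    if "-" in rule["ext"]:
        lo, hi = rule["ext"].split("-", 1)
        ext, tgt = f"{lo}:{hi}", f" port {rule['local']}:*"
    else:
        ext = rule["ext"]
        tgt = "" if rule["local"] == rule["ext"] else f" port {rule['local']}"
    return f"rdr on {ifname} proto {proto} from any to {wan_ip} port {ext} -> {rule['target']}{tgt}"


def audit(xml_text):
    """Return a list of review findings (strings) for the config."""
    root = ET.fromstring(xml_text)
    findings = []
    forwards = port_forwards(xml_text)
    # The setting this thread is about: record it so the reader knows why LAN
    # clients need split DNS to reach a forwarded host by its public name.
    if root.findtext("./system/disablenatreflection") == "yes":
        findings.append("nat-reflection: disabled (LAN clients need split DNS "
                        "to reach forwarded hosts by public name)")
    # WAN pass rules whose (target, port) has no port forward: they allow
    # traffic that nothing redirects, usually a leftover from a removed forward.
    forwarded = {(f["target"], p) for f in forwards for p in expand_ports(f["ext"])}
    for r in root.findall("./filter/rule"):
        addr = r.findtext("./destination/address")
        port = r.findtext("./destination/port")
        if r.findtext("interface") != "wan" or addr is None or port is None:
            continue
        if not any((addr, p) in forwarded for p in expand_ports(port)):
            findings.append(f"orphan-filter-rule: {r.findtext('descr')} ({addr}:{port}) "
                            "passes traffic with no matching port forward")
    # Duplicate external ports (only the first rdr ever matches) and exposure review.
    seen = {}
    for f in forwards:
        for p in expand_ports(f["ext"]):
            key = (f["proto"], p)
            if key in seen:
                findings.append(f"duplicate-forward: {f['descr']} repeats {seen[key]} "
                                f"for {f['proto']} port {p}")
            else:
                seen[key] = f["descr"]
            if p in REVIEW_PORTS:
                findings.append(f"review-exposure: {f['descr']} forwards {REVIEW_PORTS[p]} "
                                f"({p}) from WAN to {f['target']}")
    return findings


if __name__ == "__main__":
    # WAN interface name and address taken from the rules.debug posted above.
    for fwd in port_forwards(SAMPLE_CONFIG):
        print(rdr_line(fwd, "rl0", "84.234.185.11"))
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the real config.xml by replacing `SAMPLE_CONFIG` with the file's contents; the generated `rdr` lines should match the "NAT Inbound Redirects" block of rules.debug exactly, and any difference points at the rule pfSense is not generating. The orphan check compares on the post-NAT destination because that is what the auto-generated filter rules above carry in `<destination>`.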



  • Everything is OK.



  • Even so, unchecking "Disable NAT Reflection" results in no NAT at all :\

    (without the DNS split, though.)

    Any ideas?



  • You have the NAT rules there from what you posted, so I will not comment any further.

