Simple NAT not working
-
I have a number of NAT rules that work fine. I set up a new one for testing, duplicating one existing rule that works but the new test is not working.
Port 5081 answers on the LAN, so it's a valid service, but it gets blocked on WAN NAT.
-
@peterlecki Is the 172.91.x.x address in the source alias? Getting to the default deny rule means it's not matching another rule...
-
Yes, 172.91 is the source.
I am aware that "default" is when it hits no other rules. Hence why I'm confused about it right now. I even attempted to create an easy rule from the log but it still gets default deny.
Before the rule:
Rule created as a troubleshooting step:
Still get default deny:
-
@peterlecki Try a filter reload?
-
@steveits Sorry, I'm coming into this a little bit late. You say that you "duplicated one existing rule", so I'm wondering if you made the necessary tweaks to the dup'ed NAT rules. When you make a NAT rule, you can choose to auto-create a corresponding firewall rule. Did you check to make sure that happened correctly?
You don't specifically show a screenshot of your NAT rules, but are they pointing to the correct WAN firewall allow rules? You say you duplicated the other rules, maybe they are pointing to the first "NAT EDI" WAN firewall rule?
There's a drop down menu, on each NAT rule, down near the bottom, called "Filter rule association", where you pick what happens in the firewall rule section. If you pick "create new associated filter rule" when making a new NAT rule, it will auto make a firewall rule. Since you already have the firewall rules created (per your screenshot), you can pick them in the appropriate NAT rules. That should get NAT traffic moving, like expected.
-
@akuma1x
By "duplicated" I meant created it. New NAT created its own new rule.
-
@steveits
Tried filter reload and noticed an error at the end, and it never completed:
There were error(s) loading the rules: /tmp/rules.debug:25: cannot define table pfB_Asia_v4: Cannot allocate memory - The line in question reads [25]: table <pfB_Asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
So I temporarily disabled pfBlocker, and filter reload then completed and my new NAT started working. I then re-enabled pfBlocker, and filter reload does not complete, but my new NAT works.
I must now obviously research the pfBlocker issue.
-
@peterlecki Ensure “Firewall Maximum Table Entries” in System/Advanced/Firewall & NAT is set to a minimum of 2 million. Increase if necessary.
-
System>Advanced>Firewall & NAT
Firewall Maximum Table Entries=10000000
Firewall Maximum States=300000
pfBlocker is no longer preventing completion of Filter Reload.
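The failure mode in this thread (pf refusing to define a large pfBlocker table because the total alias-table entries exceed the configured limit, fixed by raising Firewall Maximum Table Entries) is easy to check for before a filter reload. The script below is an added example, not code from the thread or from pfSense/pfBlocker: it parses the reload error and table definition lines quoted above, counts entries in alias table files the way pf does (blank lines and `#` comments ignored), and compares the total against a limit. The table contents and limits are constructed samples; on a real box you would read `/var/db/aliastables/*.txt` and the value set under System > Advanced > Firewall & NAT.

```python
import re
from typing import Dict, Optional

# Error line printed by the pfSense filter reload (format taken from the thread above).
ERROR_RE = re.compile(
    r"^(?P<path>\S+):(?P<line>\d+): cannot define table (?P<table>\S+): (?P<reason>.+)$"
)
# Table definition as it appears in /tmp/rules.debug (format taken from the thread above).
TABLE_RE = re.compile(r'table <(?P<table>[^>]+)> persist file "(?P<file>[^"]+)"')


def parse_reload_error(line: str) -> Optional[dict]:
    """Return path, line number, table name and reason from a reload error line, or None."""
    m = ERROR_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_table_definition(line: str) -> Optional[dict]:
    """Return the table name and backing file from a 'table <name> persist file ...' line."""
    m = TABLE_RE.search(line)
    return m.groupdict() if m else None


def count_entries(content: str) -> int:
    """Count alias-table entries; pf skips blank lines and '#' comment lines."""
    return sum(1 for l in content.splitlines() if l.strip() and not l.strip().startswith("#"))


def check_table_capacity(tables: Dict[str, str], max_table_entries: int) -> dict:
    """Sum entries over all alias tables (pf's limit is global) and compare with the limit."""
    per_table = {name: count_entries(body) for name, body in tables.items()}
    total = sum(per_table.values())
    return {"per_table": per_table, "total": total,
            "limit": max_table_entries, "fits": total <= max_table_entries}


# Constructed sample tables (documentation ranges, not real pfBlocker feed contents).
SAMPLE_TABLES = {
    "pfB_Asia_v4": "# constructed sample\n203.0.113.0/24\n198.51.100.0/24\n",
    "pfB_Europe_v4": "192.0.2.0/24\n\n192.0.2.128/25\n",
    "NAT_EDI": "10.0.0.1\n",
}

if __name__ == "__main__":
    print(parse_reload_error(
        "/tmp/rules.debug:25: cannot define table pfB_Asia_v4: Cannot allocate memory"))
    print(parse_table_definition(
        'table <pfB_Asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"'))
    print(check_table_capacity(SAMPLE_TABLES, 3))          # too small: fits == False
    print(check_table_capacity(SAMPLE_TABLES, 2_000_000))  # thread's recommended floor
```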