Netgate Discussion Forum

schedule with nat error

    alexhen, Oct 25, 2022, 7:36 AM (last edited by alexhen Oct 25, 2022, 7:43 AM)

    Hello,

    I have two interfaces in my pfSense, one 192.168.X.X and a second 172.40.X.X; on both of them I run a certificate generator ("Let's Encrypt" and "Certify the Web").
    I have created two NAT rules that open port 80 for the renewal and authentication for both interfaces. The certificate generator programs renew on different time periods, so I created schedules that correspond with their renewal periods and assigned each rule its own schedule so they won't collide.
    My problem is that pfSense ignores my schedules and always sends the packets to 172.40.X.X.
    When I use the rules without any scheduling the problem does not occur.

    Is this a bug or am I using the scheduling feature wrong?

    These are the two rules:

    	<id></id>
    	<tracker>1661920859</tracker>
    	<type>pass</type>
    	<interface>wan</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype><![CDATA[keep state]]></statetype>
    	<os></os>
    	<protocol>tcp</protocol>
    	<source>
    		<any></any>
    	</source>
    	<destination>
    		<address>192.168.X.X</address>
    		<port>80</port>
    	</destination>
    	<log></log>
    	<descr><![CDATA[NAT 80]]></descr>
    	<sched>CertRenew</sched>
    	<associated-rule-id>nat_630ee65bdab2c5.31939067</associated-rule-id>
    
    
    	<id></id>
    	<tracker>1647841686</tracker>
    	<type>pass</type>
    	<interface>wan</interface>
    	<ipprotocol>inet</ipprotocol>
    	<tag></tag>
    	<tagged></tagged>
    	<max></max>
    	<max-src-nodes></max-src-nodes>
    	<max-src-conn></max-src-conn>
    	<max-src-states></max-src-states>
    	<statetimeout></statetimeout>
    	<statetype><![CDATA[keep state]]></statetype>
    	<os></os>
    	<protocol>tcp</protocol>
    	<source>
    		<any></any>
    	</source>
    	<destination>
    		<address>172.40.X.X</address>
    		<port>80</port>
    	</destination>
    	<log></log>
    	<descr><![CDATA[NAT 80 2]]></descr>
    	<sched>CertRenew2</sched>
    	<associated-rule-id>nat_62381196dc55b8.45929892</associated-rule-id>
    

    Thank you in advance

      viragomann @alexhen, Oct 25, 2022, 1:29 PM

      @alexhen
      You cannot schedule NAT rules.

      You have scheduled the associated firewall rules though, but even if these rules are disabled, the NAT rules are still active and do what they are meant to do, and the first one wins.

      Not really sure what you are trying to achieve with this idea. If you just have two internal servers listening on port 80, set up HAproxy. Doing so you can also let HAproxy do the Let's Encrypt stuff.
      Also you can run a proxy on one of the backends themselves.

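As an added example (not from the thread and not pfSense's own code), a small Python check over a config.xml-shaped sample that reports both problems viragomann describes: a schedule that sits only on the filter rule linked to a port forward, and two forwards matching the same WAN traffic where the first one wins. The sample config and the NAT rule field names (`target`, `local-port`, `destination/network`) are assumptions constructed for this example; only the filter rules and rule ids come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like pfSense's config.xml, not the poster's full config: two
# port forwards on WAN:80 plus the two <filter> rules from the thread. The NAT rule field
# names (target, local-port, destination/network) are assumed from pfSense's format.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>80</port></destination>
      <target>172.40.X.X</target><local-port>80</local-port>
      <associated-rule-id>nat_62381196dc55b8.45929892</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.X.X</target><local-port>80</local-port>
      <associated-rule-id>nat_630ee65bdab2c5.31939067</associated-rule-id></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>172.40.X.X</address><port>80</port></destination>
      <sched>CertRenew2</sched>
      <associated-rule-id>nat_62381196dc55b8.45929892</associated-rule-id></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>192.168.X.X</address><port>80</port></destination>
      <sched>CertRenew</sched>
      <associated-rule-id>nat_630ee65bdab2c5.31939067</associated-rule-id></rule>
  </filter>
</pfsense>"""


def audit_port_forwards(config_xml):
    """Return warnings for port forwards whose only time restriction is a schedule on
    the linked filter rule, and for forwards shadowed by an earlier identical match."""
    root = ET.fromstring(config_xml)
    # a port forward is linked to its auto-created filter rule via associated-rule-id
    filters = {r.findtext("associated-rule-id", ""): r for r in root.iterfind("filter/rule")}
    warnings, seen = [], {}
    for nat in root.iterfind("nat/rule"):
        key = tuple(nat.findtext(p, "") for p in
                    ("interface", "protocol", "destination/network", "destination/port"))
        target = nat.findtext("target", "")
        linked = filters.get(nat.findtext("associated-rule-id", ""))
        sched = linked.findtext("sched", "") if linked is not None else ""
        if sched:
            warnings.append(f"forward to {target}: schedule '{sched}' only gates the filter "
                            "rule; the translation itself is active at all times")
        if key in seen:  # rdr rules are evaluated in order, so the earlier one wins
            warnings.append(f"forward to {target} never matches: same traffic as the "
                            f"forward to {seen[key]}, which comes first")
        else:
            seen[key] = target
    return warnings
```

Run against a real config.xml export, the same check shows which forwards would keep translating outside their schedule and which are shadowed by an earlier rule on the same interface, protocol and port.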
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.