Netgate Discussion Forum
    Auto Outbound NAT not forwarding to LAN host

      mirak

      I'm sure I'm missing something trivial, but outbound NAT isn't currently functioning 100%.

      All hosts on the LAN don't receive the return packets from the NAT.

      LAN Host -> pfSense works as per tcpdump.
      pfSense NAT -> Internet works as per tcpdump
      Internet -> pfSense works as per tcpdump
      pfSense NAT -> LAN Host never gets sent

      Example: ping 1.1.1.1 from LAN HOST shows pfsense sending and forwarding the icmp packets
      pfsense tcpdump (tcpdump -i vtnet1 -nnl icmp)

      15:53:30.461010 IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 19, seq 311, length 64
      15:53:30.469065 IP 1.1.1.1 > 10.80.70.32: ICMP echo reply, id 19, seq 311, length 64
      

      But a dump on the LAN host shows that the packet never arrives:

      root@linux:/home/ubuntu# tcpdump -i any -nnl icmp
      16:03:57.893579 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 479, length 64
      16:03:58.917678 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 480, length 64
      16:03:59.941579 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 481, length 64
      16:04:00.965605 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 482, length 64
      

      There are no filters on this machine:

      root@linux:/home/ubuntu# iptables -vnL
      Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination         
      
        viragomann @mirak

        @mirak said in Auto Outbound NAT not forwarding to LAN host:

        Example: ping 1.1.1.1 from LAN HOST shows pfsense sending and forwarding the icmp packets
        pfsense tcpdump (tcpdump -i vtnet1 -nnl icmp)

        I assume vtnet1 is the LAN?

        Check the network settings on both machines. Maybe you stated a wrong mask on pfSense.

          mirak @viragomann

          @viragomann Yes, vtnet1 is the LAN.

          Netmask is okay on both sides:

          pfsense

          vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          	description: LAN
          	options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
          	ether fa:16:3e:45:4b:ab
          	inet6 fe80::f816:3eff:fe45:4bab%vtnet1 prefixlen 64 scopeid 0x2
          	inet 10.80.70.1 netmask 0xffffff00 broadcast 10.80.70.255
          	media: Ethernet 10Gbase-T <full-duplex>
          	status: active
          	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          

          Linux machine

          2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
              link/ether fa:16:3e:d1:f0:b5 brd ff:ff:ff:ff:ff:ff
              altname enp0s3
              inet 10.80.70.32/24 brd 10.80.70.255 scope global ens3
                 valid_lft forever preferred_lft forever
              inet6 fe80::f816:3eff:fed1:f0b5/64 scope link 
                 valid_lft forever preferred_lft forever
          
            viragomann @mirak

            @mirak
            Seems to be a Proxmox VM.

            Did you obey the installation guide? Especially disabling network Checksum Offloading?

              mirak @viragomann

              @viragomann Both instances are running in OpenStack, not Proxmox. I didn't see a guide, but I'll search now.

                viragomann @mirak

                @mirak
                I assume it also applies to this.

                https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

                  mirak @viragomann

                  @viragomann I tried to disable checksumming without success.

                  I think the majority of that guide doesn't apply. The pfsense machine does have internet access, NAT is the only thing not functioning correctly... it doesn't seem to be a connectivity issue unless I'm missing something.

                    mirak

                    Yes, NAT is just failing to forward that packet to the LAN host. pfSense is able to communicate with the LAN host just fine:

                    [2.6.0-RELEASE][admin@pfsense]/root: ssh ubuntu@10.80.70.32
                    ubuntu@10.80.70.32's password: 
                    Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-71-generic x86_64)
                    

                    and access the internet:

                    [2.6.0-RELEASE][admin@pfsense]/root: ping google.com
                    PING google.com (172.217.13.174): 56 data bytes
                    64 bytes from 172.217.13.174: icmp_seq=0 ttl=110 time=1.464 ms
                    

                    I have some Windows machines on the LAN that are also unable to receive NAT responses. I've also attempted manual NAT without success.

                      viragomann @mirak

                      @mirak said in Auto Outbound NAT not forwarding to LAN host:

                      I think the majority of that guide doesn't apply.

                      However, the stated settings within pfSense are applicable, since it's due to the KVM hypervisor.

                      I would tear it down and install a new VM.

                        mirak @viragomann

                        @viragomann said in Auto Outbound NAT not forwarding to LAN host:

                        However, the stated settings within pfSense are applicable, since it's due to the KVM hypervisor.
                        I would tear it down and install a new VM.

                        Agreed. I've reimaged the VM and reconfigured everything, including disabling checksums. Still stuck: NAT return packets never reach the host :(

                          viragomann @mirak

                          @mirak
                          So I would look if there is any setting needed to allow forwarding in the hypervisor.
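The thread's diagnosis compares tcpdump captures taken at two points (pfSense `vtnet1` and the LAN host `ens3`) to find where the echo replies vanish. As an added example, not part of any post in this thread, the sketch below automates that comparison; the sample capture lines are constructed in the same format as the ones posted above, and the function names are hypothetical.

```python
import re

# Matches "tcpdump -nn icmp" echo lines, with or without the
# "iface In/Out" columns that Linux prints for "-i any".
ECHO = re.compile(
    r"^\S+\s+(?:\S+\s+(?:In|Out)\s+)?IP (\S+) > (\S+): "
    r"ICMP echo (request|reply), id (\d+), seq (\d+),"
)

def unanswered(capture_text):
    """Return sorted (id, seq) pairs whose echo request has no reply."""
    requests, replies = set(), set()
    for line in capture_text.splitlines():
        m = ECHO.match(line.strip())
        if not m:
            continue  # ignore prompts, headers and non-echo traffic
        src, dst, kind, ident, seq = m.groups()
        key = (int(ident), int(seq))
        if kind == "request":
            requests.add((src, dst) + key)
        else:
            # A reply travels server -> client, so swap to the request's view.
            replies.add((dst, src) + key)
    return sorted(k[2:] for k in requests - replies)

def first_loss_point(captures):
    """captures: ordered (name, text) pairs, from the firewall back toward
    the client. Returns the first capture point missing replies, or None."""
    for name, text in captures:
        if unanswered(text):
            return name
    return None

# Constructed sample data (same id/seq seen at both capture points).
PFSENSE_LAN = """\
15:53:30.461010 IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 479, length 64
15:53:30.469065 IP 1.1.1.1 > 10.80.70.32: ICMP echo reply, id 20, seq 479, length 64
15:53:31.485102 IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 480, length 64
15:53:31.493240 IP 1.1.1.1 > 10.80.70.32: ICMP echo reply, id 20, seq 480, length 64
"""
LAN_HOST = """\
16:03:57.893579 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 479, length 64
16:03:58.917678 ens3  Out IP 10.80.70.32 > 1.1.1.1: ICMP echo request, id 20, seq 480, length 64
"""

if __name__ == "__main__":
    points = [("pfSense vtnet1", PFSENSE_LAN), ("LAN host ens3", LAN_HOST)]
    print("replies first missing at:", first_loss_point(points))
```

When the replies are present at the firewall's LAN interface and absent at the host, as here, the loss lies on the path between the two capture points rather than in the NAT rules.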