Auto Outbound NAT not forwarding to LAN host

viragomann

@mirak said in Auto Outbound NAT not forwarding to LAN host:

Example: ping 1.1.1.1 from LAN HOST shows pfsense sending and forwarding the icmp packets
pfsense tcpdump (tcpdump -i vtnet1 -nnl icmp)

I assume, vtnet1 is the LAN?

Check the network settings on both machines. Maybe you stated a wrong mask on pfSense.

mirak

@viragomann Yes, vtnet1 is the LAN.

Netmask is okay on both sides:

pfsense

vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: LAN
	options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
	ether fa:16:3e:45:4b:ab
	inet6 fe80::f816:3eff:fe45:4bab%vtnet1 prefixlen 64 scopeid 0x2
	inet 10.80.70.1 netmask 0xffffff00 broadcast 10.80.70.255
	media: Ethernet 10Gbase-T <full-duplex>
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Linux machine

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d1:f0:b5 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.80.70.32/24 brd 10.80.70.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::f816:3eff:fed1:f0b5/64 scope link 
       valid_lft forever preferred_lft forever

viragomann

@mirak
Seems to be Proxmox VM.

Did you obey the installation guide? Especially disabling network Checksum Offloading?

mirak

@viragomann Both instances are running in openstack, not proxmox. I didn't see a guide, but I'll search now.

viragomann

@mirak
I assume, it is also applied to this.

https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html

mirak

@viragomann I tried to disable check summing without success.

I think the majority of that guide doesn't apply. The pfsense machine does have internet access, NAT is the only thing not functioning correctly... it doesn't seem to be a connectivity issue unless I'm missing something.

mirak

Yes, NAT is just failing to forward that packet to the LAN host. pfSense is able to communicate with the lan host just fine:

[2.6.0-RELEASE][admin@pfsense]/root: ssh ubuntu@10.80.70.32
ubuntu@10.80.70.32's password: 
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-71-generic x86_64)

and access the internet:

[2.6.0-RELEASE][admin@pfsense]/root: ping google.com
PING google.com (172.217.13.174): 56 data bytes
64 bytes from 172.217.13.174: icmp_seq=0 ttl=110 time=1.464 ms

I have some windows machines on the LAN that are also unable to receive NAT responses. I've also attempted manual NAT without success.

viragomann

@mirak said in Auto Outbound NAT not forwarding to LAN host:

I think the majority of that guide doesn't apply.

However, the stated settings within pfSense are applicable, since its due to KVM hypervisor.

I would tear it down and install a new VM.

mirak

@viragomann said in Auto Outbound NAT not forwarding to LAN host:

However, the stated settings within pfSense are applicable, since its due to KVM hypervisor.
I would tear it down and install a new VM.

Agreed. I've reimaged the VM, reconfigured everything including disabling checksums. Still stuck on NAT return packets never reach the host :(

viragomann

@mirak
So I would look if there is any setting needed to allow forwarding in the hypervisor.