NAT not working…
    I had an install of pfSense, and all was well until it stopped working, and I cannot explain why.

    I have the interfaces set to the respective networks on which they reside, and I can see the external network and internal network from the console via a ping.

    Ping output:

    PING google.com (74.125.45.100) from 192.168.1.2: 56 data bytes
    64 bytes from 74.125.45.100: icmp_seq=0 ttl=50 time=306.551 ms
    64 bytes from 74.125.45.100: icmp_seq=1 ttl=50 time=395.382 ms
    64 bytes from 74.125.45.100: icmp_seq=2 ttl=50 time=309.990 ms
    
    --- google.com ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 306.551/337.308/395.382/41.089 ms
    

    Here is my internal ping:

    Ping output:

    PING 192.168.3.5 (192.168.3.5) from 192.168.3.4: 56 data bytes
    64 bytes from 192.168.3.5: icmp_seq=0 ttl=128 time=0.251 ms
    64 bytes from 192.168.3.5: icmp_seq=1 ttl=128 time=18.753 ms
    64 bytes from 192.168.3.5: icmp_seq=2 ttl=128 time=0.165 ms
    
    --- 192.168.3.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.165/6.390/18.753/8.742 ms
    

    I am able to resolve DNS via DNS forwarding:

    > google.com
    Server:  UnKnown
    Address:  192.168.3.4
    
    Non-authoritative answer:
    Name:    google.com
    Addresses:  74.125.67.100
              74.125.127.100
              74.125.45.100
    

    I've checked "Automatic outbound NAT rule generation (IPsec passthrough)" and applied the changes. I even rebooted the machine.

    Under rules, this is the default rule:

    	* 	LAN net 	* 	* 	* 	* 	  	Default LAN -> any  
    

    I disabled the firewall from blocking "bogon" IPs and RFC 1918 IPs because my firewall is behind a DSL modem that issues private IPs.

    I set an eternal ping to hit google.com from a machine on the LAN, while watching the state table and the system log for the firewall. It does not appear that the firewall is stopping the traffic, but I cannot see where a state is being established for any of Google's IPs.

    Here is a sample from the state table with a port forward to my internal machine…

    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 212.21.255.213:51804 	ESTABLISHED:ESTABLISHED 	
    tcp 	212.21.255.213:51804 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 8.20.85.50:61834 	ESTABLISHED:ESTABLISHED 	
    tcp 	8.20.85.50:61834 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 83.237.36.150:1151 	ESTABLISHED:ESTABLISHED 	
    tcp 	83.237.36.150:1151 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 72.84.151.171:50894 	ESTABLISHED:ESTABLISHED 	
    tcp 	72.84.151.171:50894 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 8.20.85.50:13462 	ESTABLISHED:ESTABLISHED 	
    tcp 	8.20.85.50:13462 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 190.177.34.63:2952 	ESTABLISHED:ESTABLISHED 	
    tcp 	190.177.34.63:2952 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 86.145.216.80:51438 	ESTABLISHED:ESTABLISHED 	
    tcp 	86.145.216.80:51438 -> 192.168.3.5:58660 	ESTABLISHED:ESTABLISHED 	
    tcp 	192.168.3.5:58660 <- 192.168.1.2:58660 <- 188.162.29.64:9643 	ESTABLISHED:ESTABLISHED 	
    

    The best diagnosis I can give is that NAT is not working from the LAN interface to the WAN interface, as it appears that traffic is being routed from the WAN interface to the LAN interface, and I have no idea why.
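As an added example (not from the post or from pfSense itself): a small parser for the state-table rows quoted above that classifies each row as an inbound port forward, an outbound NAT state or a plain two-hop row, and then searches for LAN -> WAN states toward the google.com addresses the post resolved, which is the check the poster was doing by eye. The row shape `src -> wan_addr -> dst` for an outbound state and the sample outbound row are assumptions.

```python
from typing import Dict, List, Optional, Set

# Two rows quoted in the post: the port forward to 192.168.3.5:58660 as pf
# shows it on the WAN side ("<-" with the NAT address) and on the LAN side.
PAGE_LINES = [
    "tcp \t192.168.3.5:58660 <- 192.168.1.2:58660 <- 212.21.255.213:51804 \tESTABLISHED:ESTABLISHED \t",
    "tcp \t212.21.255.213:51804 -> 192.168.3.5:58660 \tESTABLISHED:ESTABLISHED \t",
]
# Constructed row (assumed format): what a working LAN -> WAN NAT state to
# one of the google.com addresses resolved in the post would look like.
CONSTRUCTED_OUTBOUND = [
    "tcp \t192.168.3.5:49200 -> 192.168.1.2:49200 -> 74.125.45.100:80 \tESTABLISHED:ESTABLISHED \t",
]
GOOGLE_IPS = {"74.125.67.100", "74.125.127.100", "74.125.45.100"}

def parse_state(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one pf state row; None if the line is not a state entry."""
    tokens = line.split()
    # proto + n hops + (n-1) arrows + state pair: always an odd token count
    if len(tokens) < 3 or len(tokens) % 2 == 0:
        return None
    proto, middle, state = tokens[0], tokens[1:-1], tokens[-1]
    hops, arrows = middle[0::2], middle[1::2]
    if len(set(arrows)) > 1 or any(a not in ("->", "<-") for a in arrows):
        return None
    if any(":" not in h for h in hops):
        return None
    direction = arrows[0] if arrows else "->"
    # pf prints "src -> nat_addr -> dst" for outbound NAT and
    # "dst <- nat_addr <- src" for an inbound port forward (rdr); a
    # two-hop row is the same connection seen on the other interface.
    if len(hops) == 3:
        kind = "outbound-nat" if direction == "->" else "port-forward"
    else:
        kind = "routed"
    src, dst = (hops[-1], hops[0]) if direction == "<-" else (hops[0], hops[-1])
    nat = hops[1] if len(hops) == 3 else None
    return {"proto": proto, "kind": kind, "src": src, "dst": dst, "nat": nat, "state": state}

def outbound_states_to(lines: List[str], dest_ips: Set[str]) -> List[Dict[str, Optional[str]]]:
    """Outbound-NAT states whose destination IP is one of dest_ips.
    Empty for the post's own rows; one hit once an outbound state exists."""
    hits = []
    for line in lines:
        s = parse_state(line)
        if s and s["kind"] == "outbound-nat" and s["dst"].rsplit(":", 1)[0] in dest_ips:
            hits.append(s)
    return hits
```

Run it over a pasted copy of the state table while the ping is running: an empty result for the Google addresses confirms that no LAN -> WAN translation state is being created, independent of what the port-forward rows show.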

