NAT not working…
I had an install of pfSense, and all was well until it stopped working, and I cannot explain why.
I have the interfaces set to the respective networks on which they reside, and I can see the external network and internal network from the console via a ping.
Ping output:
PING google.com (74.125.45.100) from 192.168.1.2: 56 data bytes
64 bytes from 74.125.45.100: icmp_seq=0 ttl=50 time=306.551 ms
64 bytes from 74.125.45.100: icmp_seq=1 ttl=50 time=395.382 ms
64 bytes from 74.125.45.100: icmp_seq=2 ttl=50 time=309.990 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 306.551/337.308/395.382/41.089 ms
Here is my internal ping:
Ping output:
PING 192.168.3.5 (192.168.3.5) from 192.168.3.4: 56 data bytes
64 bytes from 192.168.3.5: icmp_seq=0 ttl=128 time=0.251 ms
64 bytes from 192.168.3.5: icmp_seq=1 ttl=128 time=18.753 ms
64 bytes from 192.168.3.5: icmp_seq=2 ttl=128 time=0.165 ms
--- 192.168.3.5 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.165/6.390/18.753/8.742 ms
I am able to resolve DNS via DNS forwarding:
> google.com
Server:  UnKnown
Address:  192.168.3.4

Non-authoritative answer:
Name:    google.com
Addresses:  74.125.67.100
            74.125.127.100
            74.125.45.100
I've checked "Automatic outbound NAT rule generation (IPsec passthrough)" and applied the changes. I even rebooted the machine.
Under rules, this is the default rule:
* LAN net * * * * Default LAN -> any
I disabled the firewall from blocking "bogon" IPs and RFC 1918 IPs because my firewall is behind a DSL modem that issues private IPs.
I set an eternal ping to hit google.com from a machine on the LAN, while watching the state table and the system log for the firewall. It does not appear that the firewall is stopping the traffic, but I cannot see where a state is being established for any of Google's IPs.
Here is a sample from the state table with a port forward to my internal machine…
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 212.21.255.213:51804 ESTABLISHED:ESTABLISHED
tcp 212.21.255.213:51804 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 8.20.85.50:61834 ESTABLISHED:ESTABLISHED
tcp 8.20.85.50:61834 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 83.237.36.150:1151 ESTABLISHED:ESTABLISHED
tcp 83.237.36.150:1151 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 72.84.151.171:50894 ESTABLISHED:ESTABLISHED
tcp 72.84.151.171:50894 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 8.20.85.50:13462 ESTABLISHED:ESTABLISHED
tcp 8.20.85.50:13462 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 190.177.34.63:2952 ESTABLISHED:ESTABLISHED
tcp 190.177.34.63:2952 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 86.145.216.80:51438 ESTABLISHED:ESTABLISHED
tcp 86.145.216.80:51438 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 188.162.29.64:9643 ESTABLISHED:ESTABLISHED
The best diagnosis I can give is that NAT is not working from the LAN interface to the WAN interface, as it appears that traffic is being routed from the WAN interface to the LAN interface, and I have no idea why.
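Every entry in the state sample above is an inbound port forward (internal host <- WAN address <- external source) or its untranslated return half; none shows a LAN host being translated to the WAN address on its way out, which is exactly the symptom described. The following script, added here as an example and not part of the original post or of pfSense, classifies state-table lines by their arrow pattern and reports whether any outbound NAT state exists for hosts in the LAN subnet. It copies four rdr lines from the post as sample input and adds three constructed lines; the "src -> translated -> dst" triple-arrow form used for those constructed outbound states is an assumption about how this states display renders source NAT, as is the IPv4-only parsing. The subnet and WAN address are taken from the post.

```python
"""Classify pf/pfSense state-table lines and check for outbound NAT states.

Added example (not from the original post or from pfSense). The "<-" triple
form matches the rdr entries shown in the post; the "->" triple form for
outbound NAT is an assumption about the same display. IPv4 only.
"""
import ipaddress

# Constructed sample: four lines copied from the post's port-forward states.
STATES_FROM_POST = """\
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 212.21.255.213:51804 ESTABLISHED:ESTABLISHED
tcp 212.21.255.213:51804 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
tcp 192.168.3.5:58660 <- 192.168.1.2:58660 <- 8.20.85.50:61834 ESTABLISHED:ESTABLISHED
tcp 8.20.85.50:61834 -> 192.168.3.5:58660 ESTABLISHED:ESTABLISHED
"""

# Constructed, hypothetical lines of the kind a working outbound NAT rule
# would be expected to produce (LAN host -> WAN address -> Internet host).
HYPOTHETICAL_OUTBOUND = """\
tcp 192.168.3.10:51234 -> 192.168.1.2:51234 -> 74.125.45.100:80 ESTABLISHED:ESTABLISHED
tcp 74.125.45.100:80 -> 192.168.3.10:51234 ESTABLISHED:ESTABLISHED
udp 192.168.3.4:59000 -> 192.168.1.2:59000 -> 74.125.45.100:53 MULTIPLE:MULTIPLE
"""


def split_endpoint(token):
    """'1.2.3.4:80' -> ('1.2.3.4', 80)."""
    host, _, port = token.rpartition(":")
    return host, int(port)


def parse_state(line):
    """Return a dict describing one state line, or None if it is not parseable.

    kind is one of:
      inbound_rdr   internal <- WAN addr <- external source  (port forward)
      outbound_nat  internal -> WAN addr -> external dest    (source NAT)
      untranslated  two endpoints, no translation shown
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    proto, state = parts[0], parts[-1]
    middle = parts[1:-1]
    arrows = [t for t in middle if t in ("->", "<-")]
    endpoints = [split_endpoint(t) for t in middle if t not in ("->", "<-")]
    if len(endpoints) == 3 and arrows == ["<-", "<-"]:
        kind, src, via, dst = "inbound_rdr", endpoints[2], endpoints[1], endpoints[0]
    elif len(endpoints) == 3 and arrows == ["->", "->"]:
        kind, src, via, dst = "outbound_nat", endpoints[0], endpoints[1], endpoints[2]
    elif len(endpoints) == 2 and len(arrows) == 1:
        kind, via = "untranslated", None
        src, dst = endpoints if arrows[0] == "->" else endpoints[::-1]
    else:
        return None
    return {"proto": proto, "kind": kind, "src": src, "via": via, "dst": dst, "state": state}


def audit_outbound_nat(states_text, lan_cidr, wan_addr):
    """Count state kinds and list LAN hosts that have an outbound NAT state.

    Also flags outbound states whose translated address is not the expected
    WAN address, which would point at a wrong outbound NAT mapping.
    """
    lan = ipaddress.ip_network(lan_cidr)
    counts = {"inbound_rdr": 0, "outbound_nat": 0, "untranslated": 0, "unparsed": 0}
    translated_hosts = set()
    unexpected_nat_addr = []
    for line in states_text.splitlines():
        if not line.strip():
            continue
        entry = parse_state(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts[entry["kind"]] += 1
        if entry["kind"] == "outbound_nat" and ipaddress.ip_address(entry["src"][0]) in lan:
            translated_hosts.add(entry["src"][0])
            if entry["via"][0] != wan_addr:
                unexpected_nat_addr.append(line)
    return {
        "counts": counts,
        "lan_hosts_translated": sorted(translated_hosts),
        "outbound_nat_seen": bool(translated_hosts),
        "translated_to_unexpected_addr": unexpected_nat_addr,
    }


if __name__ == "__main__":
    # LAN subnet and WAN address as given in the post.
    print("post sample:", audit_outbound_nat(STATES_FROM_POST, "192.168.3.0/24", "192.168.1.2"))
    print("with outbound:", audit_outbound_nat(STATES_FROM_POST + HYPOTHETICAL_OUTBOUND,
                                               "192.168.3.0/24", "192.168.1.2"))
```

Run against the post's own sample, `outbound_nat_seen` comes back False with only rdr and untranslated entries counted, which is the machine-checkable version of "no state is being established for any of Google's IPs"; once an outbound NAT rule for the LAN subnet is in effect, states in the outbound form should appear for the pinging host while the continuous ping runs.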