Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT port forwarding to VLAN / WAN to VLAN routing issue

    Scheduled Pinned Locked Moved
    NAT
    1
    1
    63
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AbeRiddle
      last edited by AbeRiddle

      Hello, i already spend too many hours figuring it out by myself.
      Disclaimer: YES i have read EVERY related post and port forwarding testing procedure already.

      My Setup:

      • Two netgate 6100 in HA mode inside my private lan for testing/setup
      • each has a private WAN ip, both share a CARP IP
      • Each two SPF+ are LACP bond to layers.
      • VLAN69 for management, VLAN10 for traffic, both assigned to the bond
      • "Block private networks" not enabled on wan/each interface
      • Firewall rules are now allow all on all protocolls from all sources to all destinations on WAN/VLAN10/VLAN69 (testing! wanted to make sure firewall is not the problem)
      • Outbound NAT rules set to hybrid
      • PURE NAT enabled
        For the setup i did exactly https://www.youtube.com/watch?v=-1Og5ogkyZY

      What was my goal?
      simple as port forwarding 8006 on WAN Carp IP to 10.69.0.100 (its a /16)
      .. connection timeout whatever i do.

      Then i dug deeper. And tried to port forward ICMP from the WAN (CARP or node interface) ip to 10.69.0.100. Same connection timeout. Interesting i can ping 10.69.0.2 (which is the VLAN69 gateway interface of the primary/active node) via NAT but not 10.69.0.3 (VLAN69 gateway of secondary node) This will be to PURE NAT i think? Because in order to ping10.69.0.3 the package would have to go through the LACP bond interface. 10.69.0.2 can be resolved internally.

      Okay, lets try more on pings. From the VLAN side itself everything can ping everything. No problem at all. So the problem seems to be on PfSense side. Also when i for example firewall block traffic from VLAN69 to VLAN10, then ping does not work anymore. So firewalls are also correctly applied.

      In routing i can see that 10.69.0.0/16 is routed correctly to the LACP bond.

      Lets talk about Packet Capture.
      When pining from WAN (CARP or node interface IP) to 10.69.0.100 (or any other ip in that vlan):

      • Can see the ping packet on the WAN interface
      • Cant see the ping packet on the VLAN69 interface. (not even the request!) From my understanding it should pop up there?!
      • Also in the switching layer i cant see the packet. So that indicates me that the ping package never leaves the netgate nor gets forwarded to the VLAN69 interface.

      All other pings from everywhere to everywhere (also inter vlan pings) i can capture on the right interface.

      Even when i ping 192.168.2.90 (The WAN CARP IP + NAT rule ICMP to 10.69.0.X) from inside VLAN69 i can reach every device. So just the ping when it comes from WAN side does not get through.

      Reminder Ping/ICMP NAT here is just for testing the hell out of this rabbit hole. Same behaviour observed when forwarding port 22/8006

      In the ARP table i can also see all the IPs listed like 10.69.0.100

      TBH i feel like i have tried everything and did everything right. Triple checked all settings. Not having any clue what i am doing wrong. Seeking for help here now :)

      Tanks in advance, i hope my description was good to understand - in my brain at least it makes sense :D

      1 Reply Last reply Reply Quote 0
      • First post
        Last post