Natted win-server doesn´t see himself



  • Hello,
    I´m not sure which part of the forum is best, so I let it here.

    There are several servers with some linuxes and some with W2003/2008 server behind a pfsense with failover setup and NAT.
    The x-servers can reach or see themselves (ping from console to hostname or public IP), Windows-Servers can´t.
    Is that normal or what can i do to let him see himself?
    Thanks for all hints.
    dark.fibre



  • Search the forum for "NAT reflection", where you'll find a number of threads with the solution - assuming of course that the Windows servers are trying to access them with the public IP addresses.



  • Hi,

    thanks for let me look for NAT Reflection.
    Let me have a few words more about the issue.

    We had our setup with ONE pfsense for about 2 years, last was 1.2.2. Last week we changed to a setup with TWO in failover mode, Rel 1.2.3, same rule, same 1:1 NATs, same VIPs, same one automagic created outbound-nat for the internal lan.
    Now we have issues, they all are about servers don´t see themselves, IMAP-Webmail (Roundcube) doesn´t work, and some similar.

    Is there a difference in handling NAT between 1.2.2 and 1.2.3?
    And can we do some outbound-NATs "on top" on our normal 1:1-NATs without breaking the pfsense?

    Thanks again
    dark.fibre



  • The difference probably relates to the fact that you now have 2.  Unfortunately with no meaningful details it's hard for anybody to help you.

    How about a simple network diagram, showing IP addresses.  We also need details of what you're doing when you say "servers don't see themselves".



  • There is currently no NAT reflection implementation for 1:1 NAT (one may make its way into 2.0, however).  A workaround currently available is to enable NAT reflection and use port forwards for the ports you want to access, so that it makes NAT reflection rules on those ports.



  • Hi,
    some more details to our issue:

    2 pfsenses in failovermode/CARP
                           |
                           |
                         switch
                           |
                           |
                    servers (linux/win)

    public Ips 2xx.xxx.xxx via VIP
    All servers in lan are in 192.168.114.0

    All servers with 1:1 NAT and specific rules,

    Problem:
    ping or traceroute from a server, say 192.168.114.5 to his public IP or his hostname doesn´t work,
    ping or traceroute to any other server in the same subnet or from any other is ok.
    This since we changed from one standalone to two carp-pfsenses.

    Any other services are well (There are web-/mail-/db-servers).

    Hope this helps to help.
    dark.fibre



  • Does it work if you use only the LAN IP addresses?

    For the hosts that do work, are you using a public IP address or hostname when it works?  What is different about the problem hosts?  Are they running a different operating system, have a different default gateway, what?



  • ping or trace from one private ip to another: ok
    os: some linuxes, win 2003/2008
    all have same gateway, ns
    all host have the same problem: they cannot see/ping themselve
    all hosts can ping/see the others



  • If I were you I would set up a split dns and use only dns names for accessing local services, not ip addresses:

    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F



  • So, it's only if they try to access their own public IP or hostname that there's a problem?  If so, what is the problem?  There's no reason for any host to do that in normal operation.



  • Hi all,

    first: thanks for all answers!

    We solved the problem with Split DNS.
    @KPA: thanks!!

    Why do we need this:
    RedDot / OpenText need it for the Backend
    Typo3 needs it for search Content and produce some new out of it
    IMAP-Client RoundCube needs it for Identification

    Once again: thanks for all ideas!!

    dark.fibre


Log in to reply