Netgate Discussion Forum

    NATed Windows server doesn't see itself

    Category: NAT
    11 Posts 4 Posters 3.8k Views
    • dark.fibre

      Hello,
      I'm not sure which part of the forum is best, so I put it here.

      There are several servers, some Linuxes and some W2003/2008 servers, behind a pfSense with failover setup and NAT.
      The x-servers can reach or see themselves (ping from console to hostname or public IP), the Windows servers can't.
      Is that normal, or what can I do to let them see themselves?
      Thanks for all hints.
      dark.fibre

      • Cry Havok

        Search the forum for "NAT reflection", where you'll find a number of threads with the solution - assuming of course that the Windows servers are trying to access them with the public IP addresses.

        • dark.fibre

          Hi,

          thanks for pointing me to NAT Reflection.
          Let me say a few words more about the issue.

          We had our setup with ONE pfSense for about 2 years, the last version was 1.2.2. Last week we changed to a setup with TWO in failover mode, release 1.2.3, same rules, same 1:1 NATs, same VIPs, same single automagically created outbound NAT for the internal LAN.
          Now we have issues; they are all about servers not seeing themselves, IMAP webmail (Roundcube) doesn't work, and some similar ones.

          Is there a difference in handling NAT between 1.2.2 and 1.2.3?
          And can we add some outbound NATs "on top" of our normal 1:1 NATs without breaking the pfSense?

          Thanks again
          dark.fibre

          • Cry Havok

            The difference probably relates to the fact that you now have 2.  Unfortunately with no meaningful details it's hard for anybody to help you.

            How about a simple network diagram, showing IP addresses.  We also need details of what you're doing when you say "servers don't see themselves".

            • Efonnes

              There is currently no NAT reflection implementation for 1:1 NAT (one may make its way into 2.0, however).  A workaround currently available is to enable NAT reflection and use port forwards for the ports you want to access, so that it makes NAT reflection rules on those ports.

              • dark.fibre

                Hi,
                some more details on our issue:

                2 pfSenses in failover mode/CARP
                               |
                               |
                             switch
                               |
                               |
                        servers (Linux/Win)

                Public IPs 2xx.xxx.xxx via VIP
                All servers in the LAN are in 192.168.114.0

                All servers with 1:1 NAT and specific rules.

                Problem:
                ping or traceroute from a server, say 192.168.114.5, to its public IP or its hostname doesn't work,
                ping or traceroute to any other server in the same subnet, or from any other, is OK.
                This has been the case since we changed from one standalone to two CARP pfSenses.

                All other services are fine (there are web/mail/db servers).

                Hope this helps you to help.
                dark.fibre

                • Cry Havok

                  Does it work if you use only the LAN IP addresses?

                  For the hosts that do work, are you using a public IP address or hostname when it works?  What is different about the problem hosts?  Are they running a different operating system, have a different default gateway, what?

                  • dark.fibre

                    ping or trace from one private IP to another: OK
                    OS: some Linuxes, Win 2003/2008
                    all have the same gateway and NS
                    all hosts have the same problem: they cannot see/ping themselves
                    all hosts can ping/see the others

                    • kpa

                      If I were you I would set up split DNS and use only DNS names for accessing local services, not IP addresses:

                      http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

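                      Added example (not from the thread, the pfSense project, or any poster): a small model of the two points raised above, Efonnes' note that 1:1 NAT has no NAT reflection in this release and kpa's split-DNS suggestion. It shows why a LAN host that resolves its own name to the public VIP fails (the flow hairpins through the firewall and the reply bypasses it) and checks that every 1:1-mapped name has a LAN override. The 192.168.114.0/24 subnet is from the thread; the VIPs, hostnames and override table are constructed placeholders.

```python
"""Split-DNS consistency check for a 1:1 NAT setup without NAT reflection.

Constructed data: the LAN subnet is the one from the thread; the public VIPs
(TEST-NET-1), hostnames and override table are placeholders for illustration.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.114.0/24")

# Constructed 1:1 NAT table: public VIP -> LAN server
ONE_TO_ONE_NAT = {
    "203.0.113.5": "192.168.114.5",
    "203.0.113.6": "192.168.114.6",
}

# Public DNS view (constructed): hostname -> public VIP
PUBLIC_DNS = {
    "mail.example.net": "203.0.113.5",
    "www.example.net": "203.0.113.6",
}

# Split-DNS host overrides served to LAN clients (constructed);
# 'www' is deliberately left out to show what the check catches.
LAN_OVERRIDES = {
    "mail.example.net": "192.168.114.5",
}


def resolve(name, from_lan):
    """Split-DNS answer: LAN clients get the override if one exists, else the public record."""
    if from_lan and name in LAN_OVERRIDES:
        return LAN_OVERRIDES[name]
    return PUBLIC_DNS[name]


def would_hairpin(src_ip, dst_ip):
    """True when a LAN host sends to a public VIP that 1:1 NAT maps back onto the LAN.
    Without reflection the server answers the LAN source directly (same subnet), so the
    reply never passes the firewall and the client drops it as unrelated."""
    src = ipaddress.ip_address(src_ip)
    target = ONE_TO_ONE_NAT.get(dst_ip)
    return src in LAN and target is not None and ipaddress.ip_address(target) in LAN


def missing_overrides():
    """Names whose VIP is 1:1 NATed but whose LAN override is absent or wrong:
    LAN clients using these names still hairpin."""
    return sorted(n for n, vip in PUBLIC_DNS.items()
                  if vip in ONE_TO_ONE_NAT and LAN_OVERRIDES.get(n) != ONE_TO_ONE_NAT[vip])


def lan_client_reaches(client_ip, name):
    """Does a LAN client reach the service by name? It fails only when the answer hairpins."""
    return not would_hairpin(client_ip, resolve(name, from_lan=True))
```

Running `missing_overrides()` against a real host-override list is the quick way to confirm the fix is complete for every 1:1 mapping, not just the one service that was noticed.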
                      • Cry Havok

                        So, it's only if they try to access their own public IP or hostname that there's a problem?  If so, what is the problem?  There's no reason for any host to do that in normal operation.

                        • dark.fibre

                          Hi all,

                          first: thanks for all answers!

                          We solved the problem with Split DNS.
                          @KPA: thanks!!

                          Why we need this:
                          RedDot / OpenText need it for the backend
                          Typo3 needs it to search content and produce new content out of it
                          The IMAP client RoundCube needs it for identification

                          Once again: thanks for all ideas!!

                          dark.fibre

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.