Natted win-server doesn´t see himself

dark.fibre

Hello,
I´m not sure which part of the forum is best, so I let it here.

There are several servers with some linuxes and some with W2003/2008 server behind a pfsense with failover setup and NAT.
The x-servers can reach or see themselves (ping from console to hostname or public IP), Windows-Servers can´t.
Is that normal or what can i do to let him see himself?
Thanks for all hints.
dark.fibre

Cry Havok

Search the forum for "NAT reflection", where you'll find a number of threads with the solution - assuming of course that the Windows servers are trying to access them with the public IP addresses.

dark.fibre

Hi,

thanks for let me look for NAT Reflection.
Let me have a few words more about the issue.

We had our setup with ONE pfsense for about 2 years, last was 1.2.2. Last week we changed to a setup with TWO in failover mode, Rel 1.2.3, same rule, same 1:1 NATs, same VIPs, same one automagic created outbound-nat for the internal lan.
Now we have issues, they all are about servers don´t see themselves, IMAP-Webmail (Roundcube) doesn´t work, and some similar.

Is there a difference in handling NAT between 1.2.2 and 1.2.3?
And can we do some outbound-NATs "on top" on our normal 1:1-NATs without breaking the pfsense?

Thanks again
dark.fibre

Cry Havok

The difference probably relates to the fact that you now have 2.  Unfortunately with no meaningful details it's hard for anybody to help you.

How about a simple network diagram, showing IP addresses.  We also need details of what you're doing when you say "servers don't see themselves".

Efonnes

There is currently no NAT reflection implementation for 1:1 NAT (one may make its way into 2.0, however).  A workaround currently available is to enable NAT reflection and use port forwards for the ports you want to access, so that it makes NAT reflection rules on those ports.

dark.fibre

Hi,
some more details to our issue:

2 pfsenses in failovermode/CARP
                       |
                       |
                     switch
                       |
                       |
                servers (linux/win)

public Ips 2xx.xxx.xxx via VIP
All servers in lan are in 192.168.114.0

All servers with 1:1 NAT and specific rules,

Problem:
ping or traceroute from a server, say 192.168.114.5 to his public IP or his hostname doesn´t work,
ping or traceroute to any other server in the same subnet or from any other is ok.
This since we changed from one standalone to two carp-pfsenses.

Any other services are well (There are web-/mail-/db-servers).

Hope this helps to help.
dark.fibre

Cry Havok

Does it work if you use only the LAN IP addresses?

For the hosts that do work, are you using a public IP address or hostname when it works?  What is different about the problem hosts?  Are they running a different operating system, have a different default gateway, what?

dark.fibre

ping or trace from one private ip to another: ok
os: some linuxes, win 2003/2008
all have same gateway, ns
all host have the same problem: they cannot see/ping themselve
all hosts can ping/see the others

kpa

If I were you I would set up a split dns and use only dns names for accessing local services, not ip addresses:

http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Cry Havok

So, it's only if they try to access their own public IP or hostname that there's a problem?  If so, what is the problem?  There's no reason for any host to do that in normal operation.

dark.fibre

Hi all,

first: thanks for all answers!

We solved the problem with Split DNS.
@KPA: thanks!!

Why do we need this:
RedDot / OpenText need it for the Backend
Typo3 needs it for search Content and produce some new out of it
IMAP-Client RoundCube needs it for Identification

Once again: thanks for all ideas!!

dark.fibre