Natted win-server doesn´t see himself
-
Hello,
I´m not sure which part of the forum is best, so I let it here.There are several servers with some linuxes and some with W2003/2008 server behind a pfsense with failover setup and NAT.
The x-servers can reach or see themselves (ping from console to hostname or public IP), Windows-Servers can´t.
Is that normal or what can i do to let him see himself?
Thanks for all hints.
dark.fibre
-
Search the forum for "NAT reflection", where you'll find a number of threads with the solution - assuming of course that the Windows servers are trying to access them with the public IP addresses.
-
Hi,
thanks for let me look for NAT Reflection.
Let me have a few words more about the issue.We had our setup with ONE pfsense for about 2 years, last was 1.2.2. Last week we changed to a setup with TWO in failover mode, Rel 1.2.3, same rule, same 1:1 NATs, same VIPs, same one automagic created outbound-nat for the internal lan.
Now we have issues, they all are about servers don´t see themselves, IMAP-Webmail (Roundcube) doesn´t work, and some similar.Is there a difference in handling NAT between 1.2.2 and 1.2.3?
And can we do some outbound-NATs "on top" on our normal 1:1-NATs without breaking the pfsense?Thanks again
dark.fibre
-
The difference probably relates to the fact that you now have 2. Unfortunately with no meaningful details it's hard for anybody to help you.
How about a simple network diagram, showing IP addresses. We also need details of what you're doing when you say "servers don't see themselves".
-
There is currently no NAT reflection implementation for 1:1 NAT (one may make its way into 2.0, however). A workaround currently available is to enable NAT reflection and use port forwards for the ports you want to access, so that it makes NAT reflection rules on those ports.
-
Hi,
some more details to our issue:2 pfsenses in failovermode/CARP
|
|
switch
|
|
servers (linux/win)public Ips 2xx.xxx.xxx via VIP
All servers in lan are in 192.168.114.0All servers with 1:1 NAT and specific rules,
Problem:
ping or traceroute from a server, say 192.168.114.5 to his public IP or his hostname doesn´t work,
ping or traceroute to any other server in the same subnet or from any other is ok.
This since we changed from one standalone to two carp-pfsenses.Any other services are well (There are web-/mail-/db-servers).
Hope this helps to help.
dark.fibre
-
Does it work if you use only the LAN IP addresses?
For the hosts that do work, are you using a public IP address or hostname when it works? What is different about the problem hosts? Are they running a different operating system, have a different default gateway, what?
-
ping or trace from one private ip to another: ok
os: some linuxes, win 2003/2008
all have same gateway, ns
all host have the same problem: they cannot see/ping themselve
all hosts can ping/see the others
-
If I were you I would set up a split dns and use only dns names for accessing local services, not ip addresses:
-
So, it's only if they try to access their own public IP or hostname that there's a problem? If so, what is the problem? There's no reason for any host to do that in normal operation.
-
Hi all,
first: thanks for all answers!
We solved the problem with Split DNS.
@KPA: thanks!!Why do we need this:
RedDot / OpenText need it for the Backend
Typo3 needs it for search Content and produce some new out of it
IMAP-Client RoundCube needs it for IdentificationOnce again: thanks for all ideas!!
dark.fibre