NAT reflection still broken???


  • Banned

    Anybody else experiencing problems with NAT reflection on 2.0 beta4?

    I can't get it to work at all. No matter what.

    Running pfSense in a test VM. Latest snap doesn't solve the issue.



  • It works…

    First you need to uncheck the box at Advanced->Firewall/NAT->"Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks."

    Then just set up a port forward and test on your external IP. Note: You can't test that from the IP address the NAT is redirected to though! You need another client of course...


  • Banned

    I have done it all... even enabled it manually on each port forward.

    No luck... it redirects me to the pf login page with NAT reflection enabled. It loses the packages if not. It has been rebooted.

    Done a clean install asf. No luck...



  • Perhaps it is related to the VM somehow. It is working fine here, just tested it. With latest snap on embedded...


  • Banned

    The VM is running on E1000 NICs... so hardware issues should be of a minimum. And the install shows no errors. The only thing adapting during install is the installer itself when noticing VMware...



  • Well there must be something there. It is working and others have reported so as well. Did you really try from a different client? Try a web port forward and then try from that other client with http://EXTERNAL_IP and see if that works. That's what I've done.


  • Banned

    Everything is tested on several different clients... :S

    That's why it is so frustrating. The only option left is to change to bare metal and test it on a physical machine...



  • That's what I told u b4 ;)



  • Just tested NAT reflection on the following two builds:

    2.0-BETA4 (amd64)
    built on Tue Dec 21 16:10:15 EST 2010

    and

    2.0-BETA4 (i386)
    built on Tue Dec 21 12:44:54 EST 2010

    Didn't have any trouble with either the i386/amd64 builds and both were running in VMs.


  • Banned

    Which version of VMware?

    And can you post your VM config in here?

    :)

    @Boolah:

    Just tested NAT reflection on the following two builds:

    2.0-BETA4 (amd64)
    built on Tue Dec 21 16:10:15 EST 2010

    and

    2.0-BETA4 (i386)
    built on Tue Dec 21 12:44:54 EST 2010

    Didn't have any trouble with either the i386/amd64 builds and both were running in VMs.



  • Actually, they were both running in Hyper-V. I've got VMware Workstation (v7.1.3) which I can test on as well. Don't have VMs set up for pfSense in VMware, but I'm installing them now and will let you know what I find...


  • Banned

    Thx mate!! Very kind of you :)

    Merry Christmas!



  • I only tested the i386 build in VMware, but NAT reflection worked there too.  Below is the VMware config (which is very basic):

    .encoding = "windows-1252"
    config.version = "8"
    virtualHW.version = "7"
    maxvcpus = "4"
    scsi0.present = "TRUE"
    scsi0.virtualDev = "lsilogic"
    memsize = "1024"
    ide0:0.present = "TRUE"
    ide0:0.fileName = "pfSense-000003.vmdk"
    ide1:0.present = "TRUE"
    ide1:0.fileName = "E:\Downloads\pfSense-i386.iso"
    ide1:0.deviceType = "cdrom-image"
    ethernet0.present = "TRUE"
    ethernet0.virtualDev = "e1000"
    ethernet0.wakeOnPcktRcv = "FALSE"
    ethernet0.addressType = "generated"
    usb.present = "TRUE"
    ehci.present = "TRUE"
    svga.autodetect = "FALSE"
    mks.enable3d = "TRUE"
    pciBridge0.present = "TRUE"
    pciBridge4.present = "TRUE"
    pciBridge4.virtualDev = "pcieRootPort"
    pciBridge4.functions = "8"
    pciBridge5.present = "TRUE"
    pciBridge5.virtualDev = "pcieRootPort"
    pciBridge5.functions = "8"
    pciBridge6.present = "TRUE"
    pciBridge6.virtualDev = "pcieRootPort"
    pciBridge6.functions = "8"
    pciBridge7.present = "TRUE"
    pciBridge7.virtualDev = "pcieRootPort"
    pciBridge7.functions = "8"
    vmci0.present = "TRUE"
    roamingVM.exitBehavior = "go"
    displayName = "pfSense"
    guestOS = "freebsd"
    nvram = "pfSense.nvram"
    virtualHW.productCompatibility = "hosted"
    extendedConfigFile = "pfSense.vmxf"
    ethernet1.present = "TRUE"
    ethernet1.virtualDev = "e1000"
    ethernet1.wakeOnPcktRcv = "FALSE"
    ethernet1.addressType = "generated"
    ethernet2.present = "TRUE"
    ethernet2.virtualDev = "e1000"
    ethernet2.wakeOnPcktRcv = "FALSE"
    ethernet2.addressType = "generated"
    ethernet0.generatedAddress = "00:0c:29:08:f9:17"
    ethernet1.generatedAddress = "00:0c:29:08:f9:21"
    ethernet2.generatedAddress = "00:0c:29:08:f9:2b"
    uuid.location = "56 4d a5 1b bd 36 0e ac-db 0f e5 e6 db 08 f9 17"
    uuid.bios = "56 4d a5 1b bd 36 0e ac-db 0f e5 e6 db 08 f9 17"
    cleanShutdown = "TRUE"
    replay.supported = "FALSE"
    replay.filename = ""
    ide0:0.redo = ""
    pciBridge0.pciSlotNumber = "17"
    pciBridge4.pciSlotNumber = "21"
    pciBridge5.pciSlotNumber = "22"
    pciBridge6.pciSlotNumber = "23"
    pciBridge7.pciSlotNumber = "24"
    scsi0.pciSlotNumber = "16"
    usb.pciSlotNumber = "32"
    ethernet0.pciSlotNumber = "33"
    ethernet1.pciSlotNumber = "34"
    ethernet2.pciSlotNumber = "35"
    ehci.pciSlotNumber = "37"
    vmci0.pciSlotNumber = "38"
    vmotion.checkpointFBSize = "134217728"
    ethernet0.generatedAddressOffset = "0"
    ethernet1.generatedAddressOffset = "10"
    ethernet2.generatedAddressOffset = "20"
    vmci0.id = "-620168937"
    ide1:0.autodetect = "TRUE"
    tools.remindInstall = "TRUE"
    sound.present = "FALSE"
    floppy0.present = "FALSE"

  • Banned

    Thx again :)


  • Banned

    Still not working... updating to latest snapshot 12/23 03:37

    :'(



  • @Supermule:

    No luck... it redirects me to the pf login page with NAT reflection enabled. It loses the packages if not.

    Have you tried with a factory-default config of pfSense (without any packages)?

    What about the target system (that you're redirecting to) - it isn't running a software firewall that might be blocking the traffic?


  • Banned

    Nope... it's an ISA. FW it is, but the same config on 1.2.3 runs with no issues.

    Funambol sync on the mobiles cannot connect on 2.0 but stops at logging on the mailserver. Running 1.2.3, no issues. It's like the packets never get there... or they are empty. I haven't got a bloody clue of what's wrong... I can't see anything in the logs... nothing is blocked.


  • Banned

    Still broken for me in a totally clean install. I haven't got a bloody clue...



  • Does anything show up in a packet capture on your LAN interface for the reflected ports?  If not, is it possible that something else is blocking the traffic (like a layer 3 switch)?
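
The packet-capture check suggested in this post can be turned into a small, repeatable diagnostic. The script below is an added example for this thread, not code from the pfSense project or from any poster. It parses tcpdump-style TCP lines from a LAN-side capture and tells the three cases apart: the client's SYN never reached the firewall, the SYN arrived but was never rewritten to the internal target (reflection rules not in effect), or it was rewritten but the target never answered (host firewall or a down service). The sample capture lines, the addresses 203.0.113.10 (external), 10.0.100.1 (target) and 10.0.100.5 (client) are all constructed for the example.

```python
import re

# tcpdump's default IPv4/TCP line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return a list of dicts for each TCP line tcpdump printed; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCP_LINE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def diagnose_reflection(capture_text, external_ip, target_ip, port):
    """Classify a LAN-side capture of one reflected connection attempt.

    Returns one of:
      "no-client-traffic" - no SYN towards external_ip:port was seen at all
      "not-translated"    - the SYN was seen but never rewritten to target_ip:port
      "no-reply"          - the rewritten SYN went out but no SYN-ACK came back from the target
      "reflection-ok"     - the whole handshake start was observed
    """
    pkts = parse_capture(capture_text)

    def is_syn(p):
        return "S" in p["flags"] and "." not in p["flags"]

    def is_synack(p):
        return "S" in p["flags"] and "." in p["flags"]

    client_syn = any(is_syn(p) and p["dst"] == external_ip and p["dport"] == port for p in pkts)
    translated_syn = any(is_syn(p) and p["dst"] == target_ip and p["dport"] == port for p in pkts)
    target_reply = any(is_synack(p) and p["src"] == target_ip and p["sport"] == port for p in pkts)

    if not client_syn:
        return "no-client-traffic"
    if not translated_syn:
        return "not-translated"
    if not target_reply:
        return "no-reply"
    return "reflection-ok"


# Constructed sample captures (not real output from the thread). The second SYN is the
# firewall's rewritten copy; whether its source is rewritten too depends on the reflection
# mode, so the check only looks at the destination.
CAPTURE_OK = """\
12:00:01.000101 IP 10.0.100.5.51000 > 203.0.113.10.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000202 IP 10.0.100.5.51000 > 10.0.100.1.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000303 IP 10.0.100.1.80 > 10.0.100.5.51000: Flags [S.], seq 200, ack 101, win 65535, length 0
"""
CAPTURE_NOT_TRANSLATED = CAPTURE_OK.splitlines()[0] + "\n"
CAPTURE_NO_REPLY = "\n".join(CAPTURE_OK.splitlines()[:2]) + "\n"

if __name__ == "__main__":
    for name, cap in [("ok", CAPTURE_OK), ("not-translated", CAPTURE_NOT_TRANSLATED),
                      ("no-reply", CAPTURE_NO_REPLY)]:
        print(name, "->", diagnose_reflection(cap, "203.0.113.10", "10.0.100.1", 80))
```

Feed it the output of a capture such as `tcpdump -n -i <LAN interface> tcp port 80` taken while a second LAN client (not the target host) opens http://EXTERNAL_IP; "not-translated" points at the reflection setting or the rule itself, "no-reply" points at the target host.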


  • Banned

    They are both sitting on the same vSwitch and it's not L3 capable.


  • Banned

    Nope... nothing at all... This is SO weird...

    @Boolah:

    Does anything show up in a packet capture on your LAN interface for the reflected ports?  If not, is it possible that something else is blocking the traffic (like a layer 3 switch)?



  • It wasn't working for me one time, I did a reinstall on my pfsense box and then it worked… same build and everything. Make sure to play around with nat reflection stuff first before touching any of the packages, that seemed to make it work for me.


  • Banned

    Thx :)  I had it working for a short while yesterday evening, but it broke after a couple of changes to the DNS Forwarder. It is really weird... like it stays down when changed or something has an influence on how it works.

    @jigglywiggly:

    It wasn't working for me one time, I did a reinstall on my pfsense box and then it worked… same build and everything. Make sure to play around with nat reflection stuff first before touching any of the packages, that seemed to make it work for me.



  • I've found that if you enable reflection and have the pfSense web config listening on the same port as the one you want to connect to (let's say 80, and you have an externally accessible web server running on port 80 too) and you try to connect using your external IP from the internal network, it will connect to the web config.
    Changing the web config port fixes the problem.
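
The collision this post describes (webConfigurator and a reflected port forward on the same TCP port) is easy to check for in the saved configuration before testing. The linter below is an added example written for this thread, not pfSense code; the XML layout it reads (`system/webgui/{protocol,port}` and `nat/rule/destination/port`, `target`, `natreflection`) is modelled on pfSense's config.xml and should be treated as an assumption, and the embedded config is constructed. It resolves the effective GUI port (default 80 for http, 443 for https when the port element is empty) and reports every TCP port forward whose destination port or range covers it.

```python
import xml.etree.ElementTree as ET

# Constructed config fragment shaped like a pfSense config.xml. Element names are an
# assumption for this example; the addresses and ports are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui>
      <protocol>http</protocol>
      <port></port>
    </webgui>
  </system>
  <nat>
    <rule>
      <protocol>tcp</protocol>
      <interface>wan</interface>
      <destination><network>wanip</network><port>80</port></destination>
      <target>10.0.100.1</target>
      <local-port>80</local-port>
      <natreflection>enable</natreflection>
    </rule>
    <rule>
      <protocol>tcp/udp</protocol>
      <interface>wan</interface>
      <destination><network>wanip</network><port>8000-8100</port></destination>
      <target>10.0.100.2</target>
      <local-port>8000</local-port>
    </rule>
  </nat>
</pfsense>
"""

DEFAULT_GUI_PORTS = {"http": 80, "https": 443}


def webgui_port(root):
    """Effective webConfigurator port: explicit <port>, else the protocol default."""
    gui = root.find("system/webgui")
    proto = (gui.findtext("protocol") or "https").strip().lower()
    port_text = (gui.findtext("port") or "").strip()
    return int(port_text) if port_text else DEFAULT_GUI_PORTS[proto]


def parse_port_range(text):
    """'80' -> (80, 80); '8000-8100' -> (8000, 8100)."""
    text = text.strip()
    if "-" in text:
        lo, hi = text.split("-", 1)
        return int(lo), int(hi)
    return int(text), int(text)


def find_gui_port_collisions(config_xml):
    """Return the port forwards whose destination port range includes the GUI port."""
    root = ET.fromstring(config_xml)
    gui_port = webgui_port(root)
    hits = []
    for idx, rule in enumerate(root.findall("nat/rule")):
        proto = (rule.findtext("protocol") or "tcp").strip().lower()
        if proto == "udp":
            continue  # the webConfigurator only listens on TCP
        port_text = rule.findtext("destination/port")
        if not port_text:
            continue
        lo, hi = parse_port_range(port_text)
        if lo <= gui_port <= hi:
            hits.append({
                "rule_index": idx,
                "gui_port": gui_port,
                "target": (rule.findtext("target") or "").strip(),
                "reflection": (rule.findtext("natreflection") or "default").strip(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_gui_port_collisions(SAMPLE_CONFIG):
        print("port forward #%d to %s covers webConfigurator port %d (reflection: %s)"
              % (hit["rule_index"], hit["target"], hit["gui_port"], hit["reflection"]))
```

Run it against a backup of config.xml; moving the GUI to an unused port (the fix this post gives) is then verified by re-running it and getting an empty list.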


  • Banned

    Thx, will try that. But in 1.2.3 this is not necessary... what is stripped from the packages since the PF cannot tell the difference??



  • I've recently noticed NAT reflection is broken on my install (latest BETA5 build).

    Did you find a fix for your install yet?



  • I have noticed this with Beta 4. I am running on a physical machine with Intel NICs, and port 1433 was being looped through even though we were using a totally different external IP, one that PF didn't know about. So users thought they were going to an external SQL server, to be re-routed to an internal one.

    Switching off NAT reflection sorted it.

    Never tried it again since.



  • It's most certainly broken in the latest BETA5 build.

    I even went so far as to start with a fresh install to make sure there were not any installed packages affecting the issue.

    I'd love to see this fixed, as it was the main reason I chose pfSense over so many other offerings many years ago.



  • It works fine with the latest snap of today (1/13)...

    • System->Advanced->Firewall/NAT->uncheck Disable NAT Reflection for port forwards
    • Add a test NAT rule, e.g. port 80, and forward it to your client running a webserver (in my case 10.0.100.1 on LAN interface)
    • Add a firewall rule to allow that traffic on port 80 to the client
    • Now I tested the connection from a wireless client (172.16.100.5 on my WLAN interface) with http://my_external_ip and it works

    Actually this never stopped working as I've posted before... Of course you can't test that connection from the client itself! (in my case 10.0.100.1)


  • Banned

    Have you tried on domain level?? And not specific IP address??



  • Yes, also tried with my DynDNS name...

