NAT specific port to different virtual IP not working?

cburns · Apr 20, 2011, 8:31 AM

im trying to do outbund nat from my internal smtp gateway to using its own virtual wan ip (carp)
The problem is that the later rule for general outbound nat for the serverlan takes precedence…

$ pfctl -s nat
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on em4 inet from 10.0.3.92 to any port = smtp -> x.x.152.181 port 25 <--- Not working, it turns into x.x.152.185 when it talks port 25 to the internet
nat on em4 inet from 10.0.242.0/24 to any -> x.x.152.181 static-port
nat on em4 inet from 10.0.2.0/23 to any -> x.x.152.185 port 1024:65535 <--- this one seems to take precedence?
nat on em4 inet from 10.0.0.0/24 to any -> x.x.152.179 port 1024:65535

Is the order wrong? I thought that it was based on a first match basis?
Any insights to this is appreciated :)

Im running 2.0rc1 build april 18

Cheers

jimp · Apr 21, 2011, 6:12 PM

Look at Diagnostics > States the next time you try a connection, and post what the state for the connection in question looks like.

It is first-match-wins, but something may not be matching that rule.

cburns · Apr 22, 2011, 7:12 PM

Thanks for the tip. Seemed to be something with the inbound NAT rule that messed it up… Had source port range defined and for some reason that messed up the outbound NAT
Anywho problem solved now, thanks :)