LAN Hosts can't access NAT Network



  • I have a pfsense gw running 1.2.3-Release on FreeBSD 7.2-RELEASE-p5 i386.
    Got WAN: 212.x.y.174/30, LAN: 10.131.0.0/24 and LAN2: 192.168.0.0/24
    I have a public network - 212.x.y.8/29 with NAT to 212.x.y.174
    I have also placed 1:1 NAT from 212.x.y.12 -> 10.131.0.3 (internal IP of a server)
    When I try to access that server from LAN or LAN2 requests time out.

    What happens is: When I send a ping request from host 10.131.0.22 to 212.x.y.12 and dump the gateway wan interface i get

    
    14:04:36.333806 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 5, length 64
    14:04:36.334149 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 5, length 64
    14:04:37.341762 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 6, length 64
    14:04:37.342084 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 6, length 64
    
    

    at the same time I dump the lan interface of the server (10.131.0.3)

    
    14:19:31.694047 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 3, length 64
    14:19:31.694114 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 3, length 64
    14:19:32.702506 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 4, length 64
    14:19:32.702567 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 4, length 64
    14:19:33.710687 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 5, length 64
    14:19:33.710750 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 5, length 64
    14:19:34.718868 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 6, length 64
    14:19:34.718934 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 6, length 64
    
    

    and the dump on the LAN interface  gets the reply back from the server

    
    14:16:02.322991 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 23468, seq 253, length 64
    14:16:02.324145 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 23468, seq 253, length 64
    14:16:03.322953 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 23468, seq 254, length 64
    14:16:03.324874 IP 10.131.0.3 > 212.x.175.y: ICMP echo reply, id 23468, seq 254, length 64
    
    

    But then nothing gets sent back to 10.131.0.22 and I can't find anything in the Firewall that might cause that.

    X ISN'T EQUAL TO Y
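As an added diagnostic (not from the original post), a small Python script that parses tcpdump ICMP lines like those above and correlates echo requests with replies per capture point, surfacing the pattern in this thread: the WAN capture shows requests with no replies, the server's capture shows every request answered to the gateway's WAN address, and nothing is addressed back to the LAN client. The sample captures embedded in it are constructed from the lines above, with the client IP 10.131.0.22 assumed as in the post.

```python
import re
from collections import defaultdict

# Constructed sample captures, modelled on the tcpdump lines in the post (public IPs masked as 212.x.y.*).
WAN_CAPTURE = """\
14:04:36.333806 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 5, length 64
14:04:37.341762 IP 212.x.y.174 > 212.x.y.12: ICMP echo request, id 5284, seq 6, length 64
"""
LAN_CAPTURE = """\
14:19:33.710687 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 5, length 64
14:19:33.710750 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 5, length 64
14:19:34.718868 IP 212.x.y.174 > 10.131.0.3: ICMP echo request, id 5284, seq 6, length 64
14:19:34.718934 IP 10.131.0.3 > 212.x.y.174: ICMP echo reply, id 5284, seq 6, length 64
"""

LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
                     r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$")

def parse_icmp(capture):
    """One dict per ICMP echo line (src, dst, kind, id, seq); other lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts

def correlate(pkts):
    """Pair requests and replies by (id, seq); return (answered, unanswered) keys."""
    seen = defaultdict(dict)
    for p in pkts:
        seen[(p["id"], p["seq"])][p["kind"]] = (p["src"], p["dst"])
    answered = sorted(k for k, v in seen.items() if "request" in v and "reply" in v)
    unanswered = sorted(k for k, v in seen.items() if "request" in v and "reply" not in v)
    return answered, unanswered

def find_hairpin_asymmetry(wan_capture, lan_capture, client_ip):
    """Flag the thread's symptom: unanswered on WAN, answered on LAN, nothing back to the client."""
    _, wan_unanswered = correlate(parse_icmp(wan_capture))
    lan_pkts = parse_icmp(lan_capture)
    lan_answered, _ = correlate(lan_pkts)
    to_client = [p for p in lan_pkts if p["kind"] == "reply" and p["dst"] == client_ip]
    return {
        "wan_unanswered": wan_unanswered,
        "lan_answered": lan_answered,
        "replies_to_client": len(to_client),
        "asymmetric": bool(wan_unanswered and lan_answered and not to_client),
    }
```

Run it against your own two captures (gateway WAN and server LAN) taken during one ping; an "asymmetric" result means the return path is not being translated back to the client, which is exactly what the reflection workaround later in the thread addresses.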





  • @GruensFroeschli:

    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    Method 1

    If you're using 1:1 NAT, you can't use NAT Reflection.

    Method 2 is non-usable, because I need direct IP access, not different resolve.

    Method 3

    If you have only a portion of your CIDR block behind pfSense, and you're using 1:1 NAT, you may have a difficult situation. Here's a possible approach you can consider. This may not work, or may work in only some situations.

    And I already tried it with aliases. The forwarding doesn't work with them anyhow.



  • You "could" add normal portforwards for the ports you need on top of the 1:1 NAT to invoke reflection.
    However this only works if you just need a few ports and not whole ranges.



  • @GruensFroeschli:

    You "could" add normal portforwards for the ports you need on top of the 1:1 NAT to invoke reflection.
    However this only works if you just need a few ports and not whole ranges.

    Port forward worked. It is however a temporary fix.



  • Do you really need 1:1 NAT?
    I've made the experience that I never use 1:1 except in cases where I don't control the server.
    And even then… with normal portforwards you can "emulate" the same functionality as 1:1. (normal forward 1-65535, plus outbound rule for the NAT IP)

    Alternatively: since you have a few public IPs.
    You could put the server on its own interface and bridge it to the WAN
    --> Have the public IP directly on the server itself.



  • @GruensFroeschli:

    Do you really need 1:1 NAT?
    I've made the experience that I never use 1:1 except in cases where I don't control the server.
    And even then… with normal portforwards you can "emulate" the same functionality as 1:1. (normal forward 1-65535, plus outbound rule for the NAT IP)

    Alternatively: since you have a few public IPs.
    You could put the server on its own interface and bridge it to the WAN
    --> Have the public IP directly on the server itself.

    I thought of that, but then I can't use my firewall and I must set a custom firewall on every server. The port forward seems the only solution, and, honestly, I think it will do :). It's just that we've got some Lotus Domino servers and they require a lot of ports open and I am too lazy to do it, so I chose the easy way :) 10x for the response.

    P.S. (For anyone wondering what the problem was) NAT is only single-directional and when an internal host tries to access the public IP the packets get forwarded by the gateway to another internal host. The way back is not possible.



  • What do you mean that you then cannot use your firewall in such a case?
    If you bridge two interfaces with pfSense still all firewall rules apply.
    --> if you delete all rules allowing traffic to the server, no traffic will cross the bridge.

