Netgate Discussion Forum
    [SOLVED] Problem with NAT 1:1 setup on 2.0-RC2, can't connect to servers in DMZ

    NAT
    9 Posts 3 Posters 6.7k Views
      mlanner

      Hi,

      I'm in the process of upgrading my current pfSense 1.2.3 (embedded) firewall, which has been running like a champ for several years, to a 2.0-RC3 (embedded) installation. But, during the migration I've run into issues I can't seem to resolve. I've been beating my head against this for several nights now, reading the forums, reading the pfSense book, and scouring the web for clues, but I can't get it to work and I don't know what I'm doing wrong.

      My network has a WAN (Comcast) with 5 static IPs, a LAN and a DMZ. I've matched all my general settings from my old 1.2.3 box to the new 2.0-RC3 box. On my old setup everything is set up using port forwarding, firewall rules and manual outbound NAT (AON) and it's working just fine. However, for my new set up, I figured I would use 1:1 NAT instead. So, I have configured my 4 additional WAN IPs as VIPs and as ARP Proxy. I have set up port forwarding on my WAN address to a temporary web server for testing, which works well. Additionally, I have configured 1:1 NAT to the four machines I have set up VIPs for and I've configured firewall rules using host and port aliases for each 1:1 NATted server.

      For example:

      WAN
      IP: 123.456.789.100 /29
      VIPs: 123.456.789.101-104

      LAN
      IP: 192.168.1.0 /24

      DMZ
      IP: 192.168.10.0 /24

      1:1 NAT Setup:

      Virtual IP
      Type: Proxy ARP
      Interface: WAN
      IP: 123.456.789.101 /32

      1:1 NAT
      Interface: WAN
      External subnet: 123.456.789.101 /32
      Internal subnet: 192.168.10.101

      Firewall Rule
      Action: Pass
      Interface: WAN
      Protocol: TCP
      Source: ANY
      Destination: Single host or alias, 192.168.10.101 /31
      Dest. port range: HTTP:HTTP

      I've set up VIPs, 1:1 NATs and firewall rules accordingly for all my four servers in the DMZ.

      It seems to me that this should work. However, when I move my Internet connection from the old 1.2.3 box to the new 2.0-RC box, I can't access any of the servers in the DMZ from the outside.

      I've also tried using port forwards, as in my old 1.2.3 setup, but that results in the same issue of not being able to reach the machines.

      Any pointers or comments on my setup would be greatly appreciated.

      Thanks in advance.

        pvdleek

        There is something tricky in your subnets. I see you mentioning a /29 for your WAN, but a /32 for your IP.
        Also a /24 for your DMZ, but a /31 on the IP.
        It might be a good idea to straighten these out as there might be a problem there.

        Maybe you can create an overview of all your IP ranges and what they have been split in. Or, as a test, make them all the same, for example /29 as is your WAN range.

        Kind regards,
        Peter van der Leek

          mlanner

          Thanks for the quick response Peter.

          Well, I have a /29 subnet from Comcast, which gives me 5 useable addresses, so that's where I get the /29 from. In regards to the /32 for the IP, I'm simply following the "recommendation," or at least I think I am, on the pfSense 1:1 NAT screen saying:

          Enter the external (WAN) subnet for the 1:1 mapping. You may map single IP addresses by specifying a /32 subnet.

          So that's how I came about the /32.

          As for my /24 internal subnets, in my DMZ I have more than 5 servers, so I need more than a /29 there. I might not need a full /24, but that's just how I did it. I could shrink that, but unless I'm told it's a really bad idea to have a full /24, I'd like to stick with my /24 in the DMZ in the interest of not having to redo everything.

          As for my WAN to DMZ mappings, this is pretty much how I had envisioned it on the new 2.0-RC3 firewall:

          WAN subnet ID:  123.456.789.97 /29
          WAN gateway:    123.456.789.102
          DMZ subnet:     192.168.10.0 /24

          WAN IP:   123.456.789.97   ->  Port forward  ->  various services
           VIP 1:   123.456.789.98   ->  1:1 NAT  ->  DMZ: 192.168.10.11
           VIP 2:   123.456.789.99   ->  1:1 NAT  ->  DMZ: 192.168.10.12
           VIP 3:   123.456.789.100  ->  1:1 NAT  ->  DMZ: 192.168.10.13
           VIP 4:   123.456.789.101  ->  1:1 NAT  ->  DMZ: 192.168.10.14

          … along with the proper firewall rules for the appropriate hosts and ports (as aliases) for the different application servers.

          Right now, on my 1.2.3 firewall I have the above set up and functioning just the way I want it, but I'm using port forwarding for all the servers, together with some Manual Outbound NAT. For the 2.0 installation, I figured using 1:1 NATting would be a little cleaner. Like I said, though, I have also tried to set it up with just port forwarding on the 2.0 unit, but I still have the same problems as with the 1:1 setup. And, I prefer the 1:1 setup ... I think.

          Any thoughts on that? Thanks!

            Metu69salemi

            Have you tried with all together (port forward + 1:1 NAT + manual outbound NAT)?
            Try it that way, that's how I got my box to work, and I also used CARP VIPs.

              mlanner

              No, I haven't. I thought it was either port forward or 1:1? I thought you couldn't use both on the same interface? At least I know that didn't use to work on 1.2.3. I tried it in 1.2.3 and it completely broke Internet access from any machine I used that combination for.

                Metu69salemi

                I can't say for everybody, but it just worked with my setup™ ;)

                  mlanner

                  Alright, I don't have this sorted out just yet, but having looked through the forums, I now think I know what the problem is and if I'm correct, it's not at all pfSense's fault … or necessarily my lack of understanding either. Most likely it's Comcast's ARP cache not being flushed. Here are some threads that I think explain my pain:

                  http://forum.pfsense.org/index.php/topic,37760.msg194910.html#msg194910
                  http://forum.pfsense.org/index.php/topic,37637.0.html
                  http://forum.pfsense.org/index.php/topic,15440.0.html

                  As pointed out in one of the posts, I'm not getting any hits looking at my packet captures. (I thought that was really strange.) Also, having thrown another machine in there, other than the two main, and most important, machines I was testing with, it turns out the new server on a separate IP is actually working. So, as far as I can tell at this point, the pfSense 2.0 box is working as it should. It's just the ARP cache upstream that's messing with me.

                  I'll post back here again when I've switched over again and spoken to Comcast tech support to see if they can clear the ARP cache for me.

                  Thanks to everyone who responded. I hope this will help someone else.

                    mlanner
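The two mechanisms this thread turns on, as an added example that is not from the thread or from pfSense's own code: the /32-versus-/29 question in the second and third posts (pfSense 1:1 NAT is a pf binat, so whatever prefix length you put on the external subnet is applied to the internal address as well), and the diagnosis in the post above (the ISP gateway's ARP cache keeps the old firewall's MAC for each VIP until the entry ages out or a gratuitous ARP refreshes it, so the new box sees nothing in a packet capture even though its rules are right). Addresses come from the RFC 5737 documentation range, the MACs are made up, and the 14400 s ARP timeout is an assumption, not Comcast's real value.

```python
"""Added example, not code from the thread or from pfSense.

Models, with constructed addresses (203.0.113.96/29 stands in for the
Comcast /29) and constructed MACs and timers:
1. pfSense 1:1 NAT as a pf binat: the external prefix length is applied to
   the internal address, so a /32 maps one host and a /29 maps eight.
2. A router ARP cache with aging, showing why traffic for the VIPs keeps
   going to the old firewall's MAC after a hardware swap.
"""
import ipaddress
from typing import Optional


def one_to_one_mappings(external_subnet: str, internal_address: str):
    """Expand a pfSense 1:1 NAT entry into (external, internal) address pairs.

    Mirrors pf binat semantics: the internal side takes the external prefix
    length, so both ranges are the same size and map address-for-address.
    """
    ext = ipaddress.ip_network(external_subnet, strict=False)
    internal = ipaddress.ip_address(internal_address)
    int_net = ipaddress.ip_network(f"{internal}/{ext.prefixlen}", strict=False)
    return [(str(e), str(i)) for e, i in zip(ext, int_net)]


class ArpCache:
    """Minimal model of a router's ARP table with an aging timeout (seconds)."""

    def __init__(self, timeout: int):
        self.timeout = timeout
        self._entries = {}  # ip -> (mac, learned_at)

    def learn(self, ip: str, mac: str, now: int) -> None:
        # A normal ARP reply and a gratuitous ARP both land here.
        self._entries[ip] = (mac, now)

    def resolve(self, ip: str, now: int, ask_wire) -> Optional[str]:
        """Return the MAC for ip, re-ARPing only once the entry has aged out."""
        entry = self._entries.get(ip)
        if entry is not None and now - entry[1] < self.timeout:
            return entry[0]  # stale but unexpired: the router trusts it as-is
        mac = ask_wire(ip)
        if mac is not None:
            self.learn(ip, mac, now)
        return mac


OLD_MAC = "00:00:5e:00:53:01"   # the 1.2.3 box (constructed)
NEW_MAC = "00:00:5e:00:53:02"   # the 2.0-RC3 box (constructed)
VIP = "203.0.113.98"            # one proxy-ARP VIP (constructed)
CUTOVER_AT = 600                # cable moved from the old box to the new one
PROBES = (300, 900, 3600, 15000)


def simulate_cutover(arp_timeout: int = 14400,
                     gratuitous_arp_at: Optional[int] = None):
    """Which firewall receives a packet for VIP at each probe time?

    Returns {probe_time: "old" | "new"}. After CUTOVER_AT the old box is off
    the wire, so "old" means the packet is black-holed upstream.
    """
    cache = ArpCache(arp_timeout)
    cache.learn(VIP, OLD_MAC, now=0)  # learned while the 1.2.3 box was live

    def live_mac(now: int) -> str:
        return NEW_MAC if now >= CUTOVER_AT else OLD_MAC

    def ask_wire(ip: str, now: int) -> Optional[str]:
        # Only the firewall on the wire answers; proxy ARP on the new box
        # answers for the VIP exactly as the old box did.
        return live_mac(now) if ip == VIP else None

    outcome = {}
    previous = -1
    for now in PROBES:
        if gratuitous_arp_at is not None and previous < gratuitous_arp_at <= now:
            # Unsolicited announcement from the new box refreshes the entry.
            cache.learn(VIP, live_mac(gratuitous_arp_at), gratuitous_arp_at)
        mac = cache.resolve(VIP, now, lambda ip: ask_wire(ip, now))
        outcome[now] = "new" if mac == NEW_MAC else "old"
        previous = now
    return outcome


if __name__ == "__main__":
    print(one_to_one_mappings("203.0.113.98/32", "192.168.10.11"))
    print(one_to_one_mappings("203.0.113.96/29", "192.168.10.11"))
    print("no gratuitous ARP:", simulate_cutover())
    print("gratuitous ARP at t=650:", simulate_cutover(gratuitous_arp_at=650))
```

Run as-is it prints the single-host mapping for a /32, the eight lockstep pairs a /29 would silently create (192.168.10.8 through .15, not just .11), and the two timelines: without a gratuitous ARP the gateway keeps sending to the old MAC until the assumed timeout expires, with one it flips on the next packet. CARP VIPs announce themselves with a gratuitous ARP when they become master, which is one plausible reason the CARP-based setup mentioned earlier in the thread survived a swap that proxy-ARP VIPs did not; the real fix is still to have the upstream clear or refresh the entry, as the poster did.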

                    Indeed, it was the ARP cache on the Comcast end. I'm now happily upgraded to pfSense 2.0-RC3!

                    Thanks again, and major thanks to the awesome pfSense team.

                      Metu69salemi

                      Nice to hear that you got it solved

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.