[SOLVED] Problem with NAT 1:1 setup on 2.0-RC2, can't connect to servers in DMZ

  • Hi,

    I'm in the process of upgrading my current pfSense 1.2.3 (embedded) firewall, which has been running like a champ for several years, to a 2.0-RC3 (embedded) installation. But, during the migration I've run into issues I can't seem to resolve. I've been beating my head against this for several nights now, reading the forums, reading the pfSense book, and scouring the web for clues, but I can't get it to work and I don't know what I'm doing wrong.

    My network has a WAN (Comcast) with 5 static IPs, a LAN and a DMZ. I've matched all my general settings from my old 1.2.3 box to the new 2.0-RC3 box. On my old setup everything is set up using port forwarding, firewall rules and manual outbound NAT (AON) and it's working just fine. However, for my new set up, I figured I would use 1:1 NAT instead. So, I have configured my 4 additional WAN IPs as VIPs and as ARP Proxy. I have set up port forwarding on my WAN address to a temporary web server for testing, which works well. Additionally, I have configured 1:1 NAT to the four machines I have set up VIPs for and I've configured firewall rules using host and port aliases for each 1:1 NATted server.

    For example:

    IP: 123.456.789.100 /29
    VIPs: 123.456.789.101-104

    IP: /24

    IP: /24

    1:1 NAT Setup:

    Virtual IP
    Type: Proxy ARP
    Interface: WAN
    IP: 123.456.789.101 /32

    1:1 NAT
    Interface: WAN
    External subnet: 123.456.789.101 /32
    Internal subnet:

    Firewall Rule
    Action: Pass
    Interface: WAN
    Protocol: TCP
    Source: ANY
    Destination: Single host or alias, /31
    Dest. port range: HTTP:HTTP

    I've set up VIPs, 1:1 NATs and firewall rules accordingly for all my four servers in the DMZ.

    It seems to me that this should work. However, when I move my Internet connection from the old 1.2.3 box to the new 2.0-RC box, I can't access any of the servers in the DMZ from the outside.

    I've also tried using port forwards, as in my old 1.2.3 setup, but that results in the same issue of not being able to reach the machines.

    Any pointers or comments on my setup would be greatly appreciated.

    Thanks in advance.

  • There is something tricky in your subnets. I see you mentioning a /29 for you WAN, but a /32 for your IP.
    Also a /24 for your DMZ, but a /31 on the IP.
    It might be a good idea to straigthen these out as there might be a problem there.

    Maybe you can create an overview of all your IP ranges and what they have been split in. Or, as a test, make them all the same, for example /29 as is your WAN range.

  • Thanks for the quick response Peter.

    Well, I have a /29 subnet from Comcast, which gives me 5 useable addresses, so that's where I get the /29 from. In regards to the /32 for the IP, I'm simply following the "recommendation," or at least I think I am, on the pfSense 1:1 NAT screen saying:

    Enter the external (WAN) subnet for the 1:1 mapping. You may map single IP addresses by specifying a /32 subnet.

    So that's how I came about the /32.

    As for my /24 internal subnets, in my DMZ I have more than 5 servers, so I need more than a /29 there. I might not need a full /24, but that's just how I did it. I could shrink that, but unless I'm told it's a really bad idea to have a full /24, I'd like to stick with my /24 in the DMZ in the interest of not having to redo everything.

    As for my WAN to DMZ mappings, this is pretty much how I had envisioned it on the new 2.0-RC3 firewall:

    WAN subnet ID:  123.456.789.97 /29
    WAN gateway:    123.456.789.102
    DMZ subnet: /24
    WAN IP:   123.456.789.97   ->  Port forward  ->  various services
     VIP 1:   123.456.789.98   ->  1:1 NAT  ->  DMZ:
     VIP 2:   123.456.789.99   ->  1:1 NAT  ->  DMZ:
     VIP 3:   123.456.789.100  ->  1:1 NAT  ->  DMZ:
     VIP 4:   123.456.789.101  ->  1:A NAT  ->  DMZ:

    … along with the proper firewall rules for the appropriate hosts and ports (as aliases) for the different application servers.

    Right now, on my 1.2.3 firewall I have the above set up and functioning just the way I want it, but I'm using port forwarding for all the servers, together with some Manual Outbound NAT. For the 2.0 installation, I figured using 1:1 NATting would be a little cleaner. Like I said, though, I have also tried to set it up with just port forwarding on the 2.0 unit, but I still have the same problems as with the 1:1 setup. And, I prefer the 1:1 setup ... I think.

    Any thoughts on that? Thanks!

  • Have you tried with all together(port forward + 1:1nat + manual outbound nat)?
    Try with that way, thats how i got my box to work, and also i used carp vips.

  • No, I haven't. I thought it was either port forward or 1:1? ???  I thought you couldn't use both on the same interface? At least I know that didn't use to work on 1.2.3. I tried it in 1.2.3 and it completely broke Internet access from any machine I used that combination for.

  • I can't say for everybody, but it just worked with my setup™ ;)

  • Alright, I don't have this sorted out just yet, but having looked through the forums, I now think I know what the problem is and if I'm correct, it's not at all pfSense's fault … or necessarily my lack of understanding either. Most likely it's Comcast's ARP cache not being flushed. Here are some threads that I think explain my pain:


    As pointed out in one of the posts, I'm not getting any hits looking at my packet captures. (I thought that was really strange.) Also, having thrown another machine in there, other than the two main, and most important, machines I was testing with, it turns out the new server on a separate IP is actually working. So, as far as I can tell at this point, the pfSense 2.0 box is working as it should. It's just the ARP cache upstream that's messing with me.

    I'll post back here again when I've switched over again and spoken to Comcast tech support to see if they can clear the ARP cache for me.

    Thanks to everyone who responded. I hope this will help someone else.

  • Indeed, it was the ARP cache on the Comcast end. I'm now happily upgraded to pfSense 2.0-RC3!

    Thanks again, and major thanks to the awesome pfSense team.

  • Nice to hear that you got it solved

Log in to reply