Nat reflection stops working after modem reboot



  • *After a random modem reboot.. from my lan I cannot access any internal services using my wan ip
    *from my wan I can access all of my internal services using my wan ip
    *from my lan I can access all of my internal services using their lan ip's

    *I am 95% sure this happened after my modem autorebooted (happens fairly regularly)
    *This happened once before (also after a modem reboot) I fixed it by rebooting my pfsense box
    *I would like to avoid rebooting my pfsense box this time, and in the future

    *from my lan, I can however get to my pfsensebox's webgui and ssh using my wan ip, neither use a nat port forward, just a firewall rule, so I believe this is what is broken.
    *Is there a way to restart the "nat" / "internal nat reflection" service without a reboot?

    Thanks for listening and for your help!


  • Rebel Alliance Developer Netgate

    Does it start working if you press Save on System > Advanced, on the Firewall/NAT tab?

    Also you don't mention what version of pfSense you're running.



  • PFSense 2.0.1 64 bit
    I tried enabling/diabling "Disable NAT Reflection for port forwards" and saving each time and there was no change.

    From my lan, an nmap port scan of my wan ip shows the ports as open (so firewall isn't working)
    But it can't guess protocal so it isn't correctly doing the port forward for people on lan

    I think this means nat reflection somehow stopped working, is there a way to restart just the pfsense service without rebooting my pfsense box?


  • Rebel Alliance Developer Netgate

    Pressing save on the Firewall/NAT tab should have restarted NAT reflection. The only thing it wouldn't do is kill any states that were using NAT reflection.

    Check /tmp/rules.debug for any sign of your old IP, and the states table also.



  • I see a rules.debug and rules.debug.old they seem to be identical. I can diff them if you think I could find something in there. Also my WAN IP never changed. When my modem rebooted it just confuses my PFSense box for a bit (saying WAN IP = 192.168.100.1) but then it reverts back to what it usually is.


  • Rebel Alliance Developer Netgate

    Not sure what could be going wrong there then - are your internal clients trying to connect to the external (public) IP? If that isn't your WAN IP, then pfSense's NAT reflection may not be to blame, it could be something in the modem not working right.



  • not sure the difference between public and wan ip. We've tried domains that resolve to my wanip, and just my strait wan it. nmap from lan show the ports are open, but can't do any scanning past that. nmap from wan works as expected.

    tonight I will try a modem reboot, test, then try a pfsense reboot, and test. I'll post the results.


  • Rebel Alliance Developer Netgate

    From the sound of it you have a setup like this:

    public IP -> Modem -> pfSense WAN 192.168.100.1 -> pfSense -> LAN

    Clients on the LAN connecting to your public IP would be trying to contact the modem. pfSense wouldn't be involved at that stage.

    NAT reflection on pfSense is only in effect when the clients connect to the WAN IP of pfSense. Which they might in a roundabout way in your setup, but that isn't the way NAT reflection usually works.

    I'd suspect something in your modem broke.



  • check the attachment

    I'll check stuff on my modem tonight. Thanks for the help!

    ![Screenshot at 2012-02-07 13:13:55.png](/public/imported_attachments/1/Screenshot at 2012-02-07 13:13:55.png)
    ![Screenshot at 2012-02-07 13:13:55.png_thumb](/public/imported_attachments/1/Screenshot at 2012-02-07 13:13:55.png_thumb)


  • Rebel Alliance Developer Netgate

    Ah but you said earlier "WAN IP = 192.168.100.1" so it threw me off.

    I have seen some other issues come up when a cable modem flip-flops the IP like that



  • ahh sorry bout that, lol. K well I restarted my modem, no change. Restarted my Pfsense box and I can get to my local service using my wan IP again. Though, I could always get to PFSense Webgui / SSH, but they don't require nat


Log in to reply