NAT Reflection Freezing Up - 2.0.1

  • Hello,

    We just replaced a Sonicwall SOHO3 router with pfsense 2.0.1.  The SOHO3 did transparent NAT reflection to our Zimbra email server using the external IP address returned in a FQDN DNS lookup for our mail server's public hostname. All worked great. And, as pfsense touts support for NAT reflection too, I didn't give it a second thought.  I am not doing any 1:1 here either.  I set up all the relevant port forwards, etc., to Zimbra on the internal network (POP3 and IMAP being key).

    Well, all seemed well after pfsense took over. And, for the most part, all worked as billed too. But a few email users called and said that their Outlook email was hanging while retrieving some new mail, and it always hung at about the same %/time. So, I pulled up the web client to Zimbra, and sure enough, the next messages these users were trying to pull down (using POP3) were messages with attachments (200KB to 500KB roughly). And, sure enough, it always seemed to get stuck at about the same % downloaded (a little different % point for the different users - but all at roughly about the same TIME into the message poll).

    Stumped and concerned, I started wondering if something in pfsense was causing this. So, on one user, I decided to switch her Outlook to talk directly to the Zimbra server with its internal IP address. Wham! Downloaded everything in a flash! Went to another, same result. So, I began to suspect NAT reflection must have something to do with it. Of course, I unchecked "disable NAT reflection" at the very start, as that was an original key point in going with pfsense.

    What do you guys think is going on with NAT reflection here?  Why does it seem to work most of the time but consistently break down at about the same time interval for these users in an attachment download situation? I see the Reflection Timeout field, but it is blank and I can find NO reference to it anywhere as to what it does (though I haven't scoured the docs yet). I don't want to have to set up split DNS, since I don't see a logistical reason NAT reflection shouldn't work (for the most part it does), but having it freeze up like this is going to be a nightmare for us if I can't nail it down quickly.



  • I have reported NAT reflection issues for a long time, but no one seems to care....

    Something is wrong....


  • YIKES! Now I'm getting a little more concerned. I did set a timeout value of 1800 in hopes that I might see a difference today. But, as the attachment downloads are active and not idle, I'm not sure this will have any effect. It seems to be only on large, fully loaded packets (like in a download), as the sessions that are POPping off run-of-the-mill email messages are doing fine.  And it doesn't happen to everyone that has to pull emails with attachments either. But there is some pattern in these attachments for these users that it is affecting, because it always freezes at about the same point for each.

    That is what made me wonder about packet-payload sizes, etc.  Reminded me of some past times when we had MTU issues with our ISP and a similar behavior was observed (but no reflection involved that time). This was the last thing I thought would bite me. I have used pfsense in other venues for years, so I am quite familiar with it, and that was why I was confident in recommending it to replace the Sonicwall.

    Is there some diagnostic/debug level I can invoke under the hood on my pfsense instance and report back here that would help anyone see what the TCP/IP layers are actually doing at the "freeze up" point?
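One way to pin down the stall described above without touching the firewall is to reproduce the POP3 download from a LAN workstation over both paths and time every receive. The script below is an added example, not code from this thread or from pfSense; the public hostname, LAN address, test account, message number and 15-second stall threshold are assumptions to replace with your own.

```python
"""Added diagnostic for the stall described in this thread: fetch one large
POP3 message through the NAT-reflected (public) address and through the
server's internal address, and report the byte offset at which each transfer
stopped moving.  This is not code from the thread or from pfSense; the
hostnames, credentials, message number and stall threshold are assumptions."""
import socket
import time

STALL_SECONDS = 15          # assumed: no data for this long counts as a stall
TERMINATOR = b"\r\n.\r\n"   # end of a multi-line POP3 response


def find_stall(samples, stall_seconds=STALL_SECONDS):
    """samples: list of (timestamp, cumulative_bytes), one entry per recv().
    Returns the byte count reached before the first gap of stall_seconds or
    more, or None if the transfer never stalled."""
    for (t_prev, b_prev), (t_cur, _) in zip(samples, samples[1:]):
        if t_cur - t_prev >= stall_seconds:
            return b_prev
    return None


def retrieve_message(host, port, user, password, msg_num,
                     stall_seconds=STALL_SECONDS):
    """Log in over plain POP3 (credentials in the clear, exactly as the
    affected Outlook clients did), RETR one message and time every recv().
    Returns (samples, completed); completed is False if the final ".\\r\\n"
    never arrived."""
    samples = [(time.monotonic(), 0)]
    total = 0
    tail = b""
    with socket.create_connection((host, port), timeout=stall_seconds) as sock:
        def expect_ok(cmd=None):
            if cmd is not None:
                sock.sendall(cmd + b"\r\n")
            line = sock.recv(512)
            if not line.startswith(b"+OK"):
                raise RuntimeError("POP3 refused %r: %r" % (cmd, line))
        expect_ok()                                   # server greeting
        expect_ok(b"USER " + user.encode())
        expect_ok(b"PASS " + password.encode())
        sock.sendall(b"RETR %d\r\n" % msg_num)
        try:
            while not tail.endswith(TERMINATOR):
                chunk = sock.recv(65536)
                if not chunk:                         # server closed early
                    break
                if total == 0 and not chunk.startswith(b"+OK"):
                    raise RuntimeError("RETR failed: %r" % chunk[:80])
                total += len(chunk)
                tail = (tail + chunk)[-len(TERMINATOR):]
                samples.append((time.monotonic(), total))
        except socket.timeout:
            # no bytes for stall_seconds: record the gap so find_stall sees it
            samples.append((time.monotonic(), total))
    return samples, tail.endswith(TERMINATOR)


def describe(label, samples, completed, stall_seconds=STALL_SECONDS):
    """One-line summary of a transfer, for comparing the two paths."""
    offset = find_stall(samples, stall_seconds)
    elapsed = samples[-1][0] - samples[0][0]
    if offset is None and completed:
        return "%s: completed, %d bytes in %.1fs" % (label, samples[-1][1], elapsed)
    if offset is None:
        offset = samples[-1][1]      # closed early without a timeout
    return "%s: stalled after %d bytes at %.1fs" % (label, offset, elapsed)


if __name__ == "__main__":
    # Assumed values: the mail server's public name (resolves to the WAN IP,
    # which pfSense reflects) and its LAN address, plus a throwaway account.
    USER, PASSWORD, MSG = "testuser", "testpass", 3
    for label, host in (("reflected", "mail.example.com"),
                        ("direct", "192.168.1.10")):
        samples, done = retrieve_message(host, 110, USER, PASSWORD, MSG)
        print(describe(label, samples, done))
```

Run it from an affected user's PC with a message that is known to hang. If the reflected run keeps stalling at roughly the same elapsed time and byte count while the direct run completes, the fault is on the reflection path rather than on Zimbra or the client; the offset also tells you whether the stall lands on a packet boundary, which is the first thing to look at if MTU is suspected. The password goes over the wire in the clear, so use a throwaway account.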

  • I reverted to 1.2.3 to solve the issues on 2.0 and it still runs flawlessly. It even runs on port 80 with NAT for the port enabled without issues.

    I didn't see anything being logged regarding NAT reflection in 2.0.... the packets seemed to be gone completely.

  • @Supermule:

    I have reported NAT reflection issues for a long time, but no one seems to care....

    Something is wrong....

    The only issue I can see that you reported wasn't actually an issue, as far as I can tell.  I see a topic back in March 2011 (which is the most recent month you specifically reported it) where you posted a config from when you were having issues with it in 2.0, but your source ports were configured incorrectly for your port forwards (they should have been set to the default value of "any"), so your port forwards weren't even working in the first place.  For reference, the source option does not even exist for port forwards in 1.2.3, so there is no way for you to get it wrong in that version.  That's why the supposed "same configuration" works in 1.2.3; it is in fact not the same configuration at all because you cannot do that in 1.2.3 unless you manually create and load your own rules file in place of the generated /tmp/rules.debug file.

  • Hmmm... so you say that the ext. port range in 1.2.3 is not the same as source ports in 2.0?

  • Supermule: Source address/port is new in 2.0 for port forwards.  External address/port was reworded to destination address/port to distinguish from source.  It means the destination before applying NAT to change the destination.

    jobsoft: As for the issue originally mentioned in this topic, it kind of sounds like a timeout, but it probably couldn't possibly be hitting the timeout.  The default timeout is 2000 seconds (which isn't listed on the settings page for some reason).  I'm not really sure what might be going on here.

  • Hello guys,

    In my search for an answer to our problems I saw this thread. I think we have a similar problem, but would you like to qualify whether it is the same?

    16 days ago we upgraded to the latest build (2.0.1, Dec 12). We think that as of this date we encounter problems connecting to applications behind pfSense. We have a lot of home users who connect to Outlook Web Access, VNC, RDP, and web-based applications.

    • We see connections being initiated but not resulting in a working link. E.g. VNC initiated but no password window. After a second or third try it works. Similarly, an RDP connection: first try no success and no error, but cancelling and connecting again we have a desktop.
    • Also the web-based app. We see a lot of clicks on a link/URL but no immediate response. After a second/third try it works. The app produces graphics and we saw interrupted graphs of outgoing polls.

    We didn't experience it before and are thinking of reverting back to the Kerio firewall... because of these problems. HELP!

    Other problems we can't get to work:

    • Management of a device from home with 1 TCP port and a range of UDP ports. Traffic won't come back from LAN to WAN. The device receives traffic, but it's blocked from passing outgoing.
    • PASV FTP connections. Also traffic is going to the FTP server but can't get out. All seems OK, but traffic is blocked in PFS.

  • So any way to disable the timeout? I have Bacula server behind pfSense and all the backups (which could very well take even weeks) time out after 2000 seconds when port reflection is used.

    In a rather old thread,1528.15.html I read that timeout should be set to 0 in order to disable it. I did it, but it does not seem to have any effect.
