Advanced Outbound NAT ignoring rules
-
Hello all.
First time poster, long time lurker. I've been using pfsense for over a year now in multiple places with many different configs. I've loved every bit of it so far.
I've run into a problem. I switched my box from an old Celeron 500 to a server-grade dell model that has more horsepower. Aside from that, my configuration has not changed. I'm literally starting this config from scratch with a 2.0 release image. I'm trying to configure it just like the old box, but I'm seeing some weird behavior.
I have 4 interfaces on my box: WAN, LAN, HOST_DMZ, PUBLIC_LAN
I have 5 static IPs from my ISP. The bottom address in the /29 is assigned to the WAN interface. The rest are IP Aliases on the WAN interface. The top address in this range is the gateway out to the internet.
The LAN interface has an IP of 172.16.17.1 with a 24 bit mask
The HOST_DMZ interface has an IP of 172.16.16.1 with a 24 bit mask
The PUBLIC_LAN interface has an IP of 172.16.15.1 with a 24 bit mask
What I have done in the past is set up manual outbound NAT for specific machines in my DMZ to have their traffic leave via a specific public IP, by selecting that machine's IP with a 32 bit mask as the source and the IP alias I want it to leave on as the translation.
The idea is that I can keep all server-esque machines in a single subnet and just use the manual outbound NAT and port forwards to get the traffic where I want it to go.
When I set the translation address to anything other than 'Interface Address' it stops passing traffic to anywhere but the source subnet and the LAN interface. The only rule I have on the LAN and HOST_DMZ interfaces is an allow * to any rule so I could rule out those as a cause.
If I pick 'Interface address' I can ping out to the internet and also I can ping my cable modem (which is in a 10.1.10.x subnet) through the WAN interface, but as soon as I switch it to the IP alias, it fails to route.
I don't know if it's something in this version, because I've never seen it before. Anyone else seen this kind of behavior?
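The manual outbound NAT scheme the poster describes (a /32 host rule pointing at an IP alias, alongside per-subnet rules that use the interface address) is first-match, which is why a later reply says rule order matters. The following is an added example, not code from the thread or from pfSense: a small model of first-match outbound NAT selection that shows a host rule being shadowed when a broader subnet rule sits above it. The private ranges are the ones from the thread; the public addresses are constructed placeholders from the 203.0.113.0/29 documentation range.

```python
"""Added example (not from the thread or pfSense): first-match model of
manual outbound NAT, showing why rule order decides which public address
a host leaves on.  Public IPs are constructed placeholders (TEST-NET-3)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str      # egress interface the rule applies to
    source: str         # source network, e.g. "172.16.16.10/32"
    translation: str    # "interface" or a specific alias address


def select_translation(rules, egress_iface, src_ip, iface_addr):
    """Return (rule, translated address) for the first rule on egress_iface
    whose source network contains src_ip.  With no matching rule, manual
    outbound NAT applies no translation, modelled here as (None, None)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface != egress_iface:
            continue
        if ip in ipaddress.ip_network(rule.source, strict=False):
            addr = iface_addr if rule.translation == "interface" else rule.translation
            return rule, addr
    return None, None


WAN_ADDR = "203.0.113.1"    # constructed: bottom address of the /29 on WAN
ALIAS_WEB = "203.0.113.2"   # constructed: IP alias meant for one DMZ host

# Host rule above the subnet rule: the DMZ host 172.16.16.10 leaves on the alias.
GOOD_ORDER = [
    OutboundNatRule("WAN", "172.16.16.10/32", ALIAS_WEB),
    OutboundNatRule("WAN", "172.16.16.0/24", "interface"),
    OutboundNatRule("WAN", "172.16.17.0/24", "interface"),
]

# Subnet rule first: it matches 172.16.16.10 too, so the /32 rule never fires.
BAD_ORDER = [
    OutboundNatRule("WAN", "172.16.16.0/24", "interface"),
    OutboundNatRule("WAN", "172.16.16.10/32", ALIAS_WEB),
    OutboundNatRule("WAN", "172.16.17.0/24", "interface"),
]


def egress_address(rules, src_ip):
    """Public source address a packet from src_ip would carry out of WAN."""
    _, addr = select_translation(rules, "WAN", src_ip, WAN_ADDR)
    return addr


if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(f"{name}: 172.16.16.10 -> {egress_address(rules, '172.16.16.10')}")
        print(f"{name}: 172.16.16.20 -> {egress_address(rules, '172.16.16.20')}")
```

Checking the capture on WAN against this model is the quick way to tell a shadowed rule (traffic leaves on the interface address) from a translation that is not happening at all (traffic leaves untranslated or not at all).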
-
Can you monitor traffic on WAN while you ping from the internal network and see what IP pfSense is translating to?
-
Can you monitor traffic on WAN while you ping from the internal network and see what IP pfSense is translating to?
I don't think it's translating at all. It only allows traffic to pass when I have it set to "Interface Address" so I'm assuming when I pick one of my IP aliases it just doesn't do anything.
I assume you're suggesting I sniff the traffic from the WAN port and see what the source address is with the translation set to the alias?
I'm going nuts trying to figure this out. This is day 2 now, and I have no idea how to get this back up and running. It always worked before; could certain network cards, etc. cause this kind of thing?
-
Rule order matters. What order do you have your NAT rules in?
-
Well, just to see if the translations work at all, I deleted all of them except the LAN (172.16.17.0/24) NAT rule. When I have it on "Interface Address" traffic flows out to the internet no problem and going to IP sites shows me coming from that address, but when I pick one of my IP aliases instead, it's sudden death: no pings out, no traffic back in.
I've never tried the packet capture. Care to tell me what I'm looking for or what settings to use when doing the capture?
Thanks!!! I really hope I can figure this out.
-
Perhaps your aliases are set incorrectly. What type are you using and what configuration are you using?
-
The IP in the box is the next IP in numerical order up from the IP I have my WAN address set to (which is the lowest address in the /29)
I'm using IP Alias and /32
Is that correct?
-
No, fill in the alias with the correct netmask.
-
Try it with a proxy arp. The alias is a standard FreeBSD interface alias, I would not use it in this case. You could also try CARP. For CARP, you do want the correct WAN interface netmask. Your netmask on the alias should have been fine, you don't want the WAN mask in that situation. Per the man page:
    alias   Establish an additional network address for this interface. This
            is sometimes useful when changing network numbers, and one wishes
            to accept packets addressed to the old interface. If the address
            is on the same subnet as the first network address for this
            interface, a non-conflicting netmask must be given. Usually
            0xffffffff is most appropriate.
-
For CARP and IPALIAS, you must use the network mask for your network. So if your WAN is a /26, then that is what you will need to use for your MASK for CARP and IPALIAS.
:)
-
Here's an update:
On a hunch (I thought I had already tried this, but I guess not), I went into the interface assignment menu and reassigned my WAN interface to use the onboard NIC (some Intel variant) instead of a dc* based card. It immediately began passing traffic. Is the ability to use IP aliases dependent on NIC drivers in some way? I also did not know that I was supposed to use the same CIDR for the aliases as I do for the WAN. I've always just set aliases as a /32, and since that made sense to me and also seemed to function the same, I never thought about it. I switched that also. Now, all the aliases are /27 like my WAN interface address.
I didn't change any rules or anything when it started functioning. I simply swapped interfaces. Really strange; I tore my hair out over it all day, and I don't know why I didn't think to check the hardware, other than the fact that every one of the NICs in this box came out of other working boxes, and the one that "didn't work" came from another pfSense box where it was humming along happily. No idea what is really going on there.
So, since I'm rather convinced at this point that it is hardware related, I'd like to know what you all use NIC-wise and maybe there's a certain NIC that has the best support by BSD or maybe just what people have had luck with. At this point, I'm running with just cards I had sitting around, but I'd like to put all gigabit interfaces in it. I thought about just cruising craigslist and ebay for used Intel gig NICs. Will (4) gig cards be able to do wirespeed on a 2.6 Xeon with 4 GB RAM?
-
Personally I run Intel NICs. They seem to do the best. On occasion, I run the Realtek (when it comes on board), but I don't prefer them. I try to stay away from Netgear. All the ones I have ever used just failed (personal experience only). The old 3c905x line of 3Com NICs seemed to be a mixed bag. Most worked, but some are old and I don't know whether or not it was age or compatibility.
-
For CARP and IPALIAS, you must use the network mask for your network. So if your WAN is a /26, then that is what you will need to use for your MASK for CARP and IPALIAS.
:)
This is correct for CARP, but not for an alias on the same subnet as the interface. Please look at the man page I quoted above.
-
This man page you found is from what FreeBSD version?
Somewhere in this forum, cmb or jimp told me that an alias with a /32 netmask is not recommended any more.
I use IP alias as well as CARP with the correct netmask with no issues.
-
It hasn't changed in quite some time. Here is the 8.1 man:
http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&arch=default&format=html
I got bit by this years back when I was building FreeBSD 4.x firewalls. I haven't used alias IPs in pfSense very much; in 1.x, it required hacking, so I only used them when I had to run different subnets on the same wire. So, truthfully I haven't tried alias IPs on the same subnet for years, but I'd guess they operate the same. Just curious, but what would be the advantages of using an alias to add an IP within the existing WAN subnet over proxy-arp, CARP, etc?
-
First, if you look in the examples, they are using the same subnet mask as the interface. Try it, I bet it will work.
As for any advantages, I don't really know of any. Perhaps someone who uses it more can comment on that. Personally, I see more advantage in CARP. Even if you don't plan on clustering, you might later on. ProxyARP also works better in some situations, especially when you have IPs in different subnets.
-
For IP aliases you can use either /32 or the actual mask on that network, doesn't matter either way if there is another IP on that subnet on the system. If that's the only IP in that subnet on the system, then it must have the actual mask you're using for that network.
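The netmask discussion across the last several posts boils down to two rules: a CARP VIP must carry the real network mask, and an IP alias may use either /32 or the real mask when another address on the box already sits in that subnet, but must use the real mask when it is the only address in that subnet. The following is an added example, not code from the thread or from pfSense: a checker that applies those two rules to a proposed virtual IP before it is configured. The `check_vip` function, its arguments and the 203.0.113.0/29 addresses are constructed for the example.

```python
"""Added example (not from the thread or pfSense): validate the netmask of a
proposed CARP or IP-alias virtual IP against the rules stated in the thread.
Addresses are constructed placeholders from the 203.0.113.0/29 range."""
import ipaddress


def check_vip(kind, existing, vip_ip, vip_prefix, network):
    """Apply the thread's netmask rules to a proposed virtual IP.

    kind:       "carp" or "alias"
    existing:   addresses already configured on the box, as "ip/prefix" strings
    vip_ip:     the proposed virtual IP
    vip_prefix: the prefix length the user wants to give it
    network:    the real on-wire subnet, e.g. "203.0.113.0/29"
    Returns (ok, reason)."""
    net = ipaddress.ip_network(network, strict=False)
    ip = ipaddress.ip_address(vip_ip)
    if ip not in net:
        return False, f"{vip_ip} is not inside {network}"

    real = net.prefixlen
    host = net.max_prefixlen   # /32 for IPv4, /128 for IPv6

    if kind == "carp":
        # CARP: the real network mask, nothing else.
        if vip_prefix == real:
            return True, "CARP VIP carries the real network mask"
        return False, f"CARP VIP must use /{real}, not /{vip_prefix}"

    if kind != "alias":
        return False, f"unknown VIP type {kind!r}"

    # IP alias: the real mask always works.
    if vip_prefix == real:
        return True, "alias carries the real network mask"

    # A host mask only works when some other address already covers the subnet.
    if vip_prefix == host:
        others = (ipaddress.ip_interface(a).ip for a in existing)
        if any(o in net and o != ip for o in others):
            return True, f"/{host} alias is fine: another address already sits in {network}"
        return False, (f"/{host} alias is the only address in {network}; "
                       f"use /{real} so the subnet route exists")

    return False, f"/{vip_prefix} is neither the real mask /{real} nor /{host}"


if __name__ == "__main__":
    wan = ["203.0.113.1/29"]              # constructed: WAN primary address
    cases = [
        ("alias", wan, "203.0.113.2", 32, "203.0.113.0/29"),
        ("alias", wan, "203.0.113.2", 29, "203.0.113.0/29"),
        ("alias", [],  "203.0.113.2", 32, "203.0.113.0/29"),
        ("carp",  wan, "203.0.113.3", 32, "203.0.113.0/29"),
        ("carp",  wan, "203.0.113.3", 29, "203.0.113.0/29"),
    ]
    for c in cases:
        ok, why = check_vip(*c)
        print(f"{c[0]:5} {c[2]}/{c[3]}: {'OK ' if ok else 'BAD'} - {why}")
```

The "only address in the subnet" branch is the case the FreeBSD man page excerpt above is really about: with nothing else on the interface covering the network, a /32 alias gives the box an address but no connected route, which looks exactly like traffic silently failing to leave.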