Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Info outbound nat and icmp traffic

    NAT
    1
    1
    1502
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gettons last edited by

      Hi there,

      I have been struggling trying to understand why icmp traffic is not working anymore since I removed the outbound nat on my pfsense box. ( Firewall-Nat-Outbound tab-Manual Outbound NAT rule generation)

      My setup is fairly simple :

      http://img804.imageshack.us/img804/6351/52871307.jpg

      On a default setup ( nat enabled for outbound on PFsense ), HOST1 could access via icmp, tcp, udp HOST2, no problem.
      Then I realized that I didn't need two natS ( on pfsense and on GW which is my provider's modem/router ), so I removed the outbound NAT on PF, keeping the Firewall function though ( which is where pfsense does the magic ).

      Now, I have added a default route on HOST2 and GW so they are aware of the LAN network ( for returning packets ), so far so good. I can access HOST2 via tcp and udp, but not via icmp.

      By doing some analysis using tcpdump I found that:

      1. on PFsense wan and lan I can see echo request going FROM HOST1 to HOST2 ( but not coming back )
      2. on HOST2 I can see echo request and echo reply going to HOST1

      But somewhere in between the packet gets dropped ( I assume before entering the WAN on PFsense )
      Again, with tcp and udp it's fine, so I presume it must be some settings related to the protocol type.
      Configurationwise:

      1. lan can access everything, and traffic established from WAN to LAN is permitted only for few ports, but being this traffic originated from the lan the packet should be granted the access to the lan.

      Funny thing is that pinging the GW it's ok instead. ( it's worth saying that GW is the default gw for PFsense )

      Do you guys have an idea ?

      Thanks in advance.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy