1:1 NAT not working in outbound direction



  • 1:1 nat question/problem … first, let me make sure i don't have a gross conceptual error. i believe that with a 1:1 nat definition, inbound to public ip goes to internal nat'd host, and outbound from said host appears to come from the external ip in the 1:1 nat definition. if that is indeed correct, here's my setup and problem:

    i'm running a two-node cluster with pfsense 1.0.1, have dual isp, 20+ carp addresses with corresponding 1:1 nats pointing to the appropriate hosts on the inside.  advanced nat is enabled, and i have one global nat per isp configured for the various internal subnets pointing out both isp interfaces (this is to nat all outbound traffic from hosts not configured with 1:1 nats).

    inbound to the carp addresses works fine (uses the 1:1 nat plus an inbound rule). however, each conversation initiated from the internal hosts is being nat'd to the global nat address instead of its respective 1:1 nat address.

    what could cause this? or if i'm off my rocker with regards to what the 1:1 is supposed to provide, how can i achieve this functionality? i attempted to add a specific outbound nat rule but pfsense complained about an overlap with an existing 1:1 nat (which makes sense to me).

    this is causing problems with mail (spf, reverse dns checks, etc.) ... any help will be GREATLY appreciated!



  • Your perception of the functionality of 1:1 NAT is correct.

    Except - advanced outbound NAT overrides that. You don't need AON with multi WAN in 1.2b1 anymore, that was a bug that's been fixed. I would suggest upgrading, then disabling AON, then I believe everything will work as you intend.



  • thanks for the response!

    being that this is a production cluster, i'm not comfortable "upgrading" to a beta yet. is it possible to get the intended results with the 1.0.1 version i'm currently running, while awaiting the 1.2 release?



  • Don't mind the label. You should be less comfortable running 1.0.1, really. You're much more likely to have problems with it (as you're seeing now). Read http://pfsense.blogspot.com for more details.

    You should be able to modify your AON rules to achieve the same effect, just add an additional rule for each IP to map the outbound traffic.



  • i couldn't adjust AON rules to do this, because it complained about an overlap with the 1:1 already specified.

    Free_the_Mallocs talked me into going ahead with 1.2b … i have the primary node updated now and things look like they're working just as they did. i just want to double-check one thing, though ...

    i have multi-wan enabled, and multiple subnets behind the firewall. in AON i have one nat for each internal subnet going to each isp. if i simply disable AON, this will be taken care of automatically? i'm not going to drop any functionality by doing so?



  • yes. it was a bug that's been fixed.



  • hrm … i just turned off AON and re-tested the 1:1 nat outbound. the connection originated from the firewall's ip address, not the carp address which is configured in the 1:1 nat. i also tried editing the 1:1 and re-committing, just in case. no joy.

    what am i missing?





  • The digital signature on this image is invalid.
    This means that the image you uploaded is not an official/supported image and may lead to unexpected behavior or security compromises. Only install images that come from sources that you trust, and make sure that the image has not been tampered with.

    Do you want to install this image anyway (on your own risk)?

    is this expected, or is it a bad download/firmware upload?



  • This is normal.  I cannot sit in front of the snapshot server and sign images 24x7 :)



  • hah! just wanted to make sure … :)



  • no joy … still coming from the firewall's own address. is this really a code issue, or am i missing something in my config?



  • Post your 1:1 configuration and the output of 'grep nat /tmp/rules.debug' from a shell.



  • pretty friggin' ugly … i'm only posting the one 1:1 nat i'm testing with, but there are 15. in addition, there are (still) 12 outbound nats (the originals that were required before disabling AON). but despite these, the nat is still tied to the firewall's ip. according to this definition below, the nat should be tied to 72.236.26.50 - when in fact it's being tied to the 208.49.241.xxx (firewall) address.

    Interface: TELCOVE   External IP: 72.236.26.50/32   Internal IP: 10.0.0.50/32   Description: extranet 72.236.26.50 <-> 10.0.0.50

    nat-anchor "pftpx/"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    binat on em2 from 10.1.254.246/32 to any -> 208.49.241.149/32
    binat on em2 from 10.1.254.252/32 to any -> 208.49.241.153/32
    binat on em2 from 192.192.192.124/32 to any -> 208.49.241.154/32
    binat on em1 from 10.0.0.49/32 to any -> 72.236.26.49/32
    binat on em1 from 10.0.0.50/32 to any -> 72.236.26.50/32
    binat on em1 from 192.192.192.46/32 to any -> 72.236.26.134/32
    binat on em1 from 192.192.192.13/32 to any -> 72.236.26.135/32
    binat on em1 from 192.192.192.38/32 to any -> 72.236.26.136/32
    binat on em1 from 192.192.192.37/32 to any -> 72.236.26.141/32
    binat on em1 from 192.192.192.31/32 to any -> 72.236.26.148/32
    binat on em1 from 192.192.192.36/32 to any -> 72.236.26.174/32
    binat on em1 from 192.192.192.11/32 to any -> 72.236.26.176/32
    binat on em1 from 10.0.6.253/32 to any -> 72.236.26.181/32
    binat on em1 from 10.0.6.250/32 to any -> 72.236.26.182/32
    binat on em1 from 192.192.192.189/32 to any -> 72.236.26.189/32
    binat on em2 from 10.1.254.246/32 to any -> 208.49.241.149/32
    binat on em2 from 10.1.254.252/32 to any -> 208.49.241.153/32
    binat on em2 from 192.192.192.124/32 to any -> 208.49.241.154/32
    binat on em1 from 10.0.0.49/32 to any -> 72.236.26.49/32
    binat on em1 from 10.0.0.50/32 to any -> 72.236.26.50/32
    binat on em1 from 192.192.192.46/32 to any -> 72.236.26.134/32
    binat on em1 from 192.192.192.13/32 to any -> 72.236.26.135/32
    binat on em1 from 192.192.192.38/32 to any -> 72.236.26.136/32
    binat on em1 from 192.192.192.37/32 to any -> 72.236.26.141/32
    binat on em1 from 192.192.192.31/32 to any -> 72.236.26.148/32
    binat on em1 from 192.192.192.36/32 to any -> 72.236.26.174/32
    binat on em1 from 192.192.192.11/32 to any -> 72.236.26.176/32
    binat on em1 from 10.0.6.253/32 to any -> 72.236.26.181/32
    binat on em1 from 10.0.6.250/32 to any -> 72.236.26.182/32
    binat on em1 from 192.192.192.189/32 to any -> 72.236.26.189/32
    nat on $wan from 10.0.10.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.10.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.10.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.10.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.10.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.10.0/24 to any -> (em1)
    nat on $wan from 10.0.6.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.6.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.6.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.6.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.6.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.6.0/24 to any -> (em1)
    nat on $wan from 172.31.255.248/29 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 172.31.255.248/29 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 172.31.255.248/29 to any -> (em2)
    nat on $TELCOVE from 172.31.255.248/29 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 172.31.255.248/29 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 172.31.255.248/29 to any -> (em1)
    nat on $wan from 10.0.2.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.2.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.2.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.2.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.2.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.2.0/24 to any -> (em1)
    nat on $wan from 10.0.0.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.0.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.0.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.0.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.0.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.0.0/24 to any -> (em1)
    nat on $wan from 10.0.11.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.11.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.11.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.11.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.11.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.11.0/24 to any -> (em1)
    nat on $wan from 10.0.12.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.12.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.12.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.12.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.12.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.12.0/24 to any -> (em1)
    nat on $wan from 10.0.7.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.7.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.7.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.7.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.7.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.7.0/24 to any -> (em1)
    nat on $wan from 10.0.8.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.8.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.8.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.8.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.8.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.8.0/24 to any -> (em1)
    nat on $wan from 10.0.9.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.0.9.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.0.9.0/24 to any -> (em2)
    nat on $TELCOVE from 10.0.9.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.0.9.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.0.9.0/24 to any -> (em1)
    nat on $wan from 10.1.0.0/16 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 10.1.0.0/16 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 10.1.0.0/16 to any -> (em2)
    nat on $TELCOVE from 10.1.0.0/16 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 10.1.0.0/16 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 10.1.0.0/16 to any -> (em1)
    nat on $wan from 172.16.0.0/12 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 172.16.0.0/12 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 172.16.0.0/12 to any -> (em2)
    nat on $TELCOVE from 172.16.0.0/12 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 172.16.0.0/12 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 172.16.0.0/12 to any -> (em1)
    nat on $wan from 192.168.0.0/16 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 192.168.0.0/16 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 192.168.0.0/16 to any -> (em2)
    nat on $TELCOVE from 192.168.0.0/16 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 192.168.0.0/16 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 192.168.0.0/16 to any -> (em1)
    nat on $wan from 192.168.120.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 192.168.120.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 192.168.120.0/24 to any -> (em2)
    nat on $TELCOVE from 192.168.120.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 192.168.120.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 192.168.120.0/24 to any -> (em1)
    nat on $wan from 192.168.255.0/24 port 500 to any port 500 -> (em2) port 500
    nat on $wan from 192.168.255.0/24 port 5060 to any port 5060 -> (em2) port 5060
    nat on $wan from 192.168.255.0/24 to any -> (em2)
    nat on $TELCOVE from 192.168.255.0/24 port 500 to any port 500 -> (em1) port 500
    nat on $TELCOVE from 192.168.255.0/24 port 5060 to any port 5060 -> (em1) port 5060
    nat on $TELCOVE from 192.168.255.0/24 to any -> (em1)
    pass in log quick on $DMZ proto { tcp udp } from <vpnrouterinternal> to any port = 4500 keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"
    pass in log quick on $DMZ proto { tcp udp } from <vpnclientrouterinternal> to any port = 4500 keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"
    pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) proto { tcp udp } from any to <vpnrouterinternal> port = 4500 keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"
    pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) proto { tcp udp } from any to <vpnclientrouterinternal> port = 4500 keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"
    pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) inet proto icmp from any to <vpnrouterinternal> icmp-type echoreq keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"
    pass in log quick on $TELCOVE reply-to (em1 72.236.26.1) inet proto icmp from any to <vpnclientrouterinternal> icmp-type echoreq keep state  label "USER_RULE: NAT vpn/ipsec-nat-t"



  • In the end, i had to re-enable AON. having it disabled (and with the last shown config) broke outbound mail. So as it stands, i'm on the latest snapshot referenced above, two-node pfsense, dual-wan, multiple carp and 1:1 nats, AON enabled. inbound works properly via the 1:1, but outbound connections do NOT.

    any help will be appreciated.



  • okay - pfSense support to the rescue! my biggest issue turned out to have a simple resolution, though the support folks had to dig plenty to find it. while i described a fairly simple scenario, in actuality the config in its entirety was very complex. but pfSense support found the "needle in a stack of needles" (yeah, that was a quote from one of them) and outbound NAT is working correctly now.

    i've grown this complex clustered firewall environment since versions before 1.0-release, and things have changed in the gui and behind the scenes that i didn't catch. just remember that if you have a multi-wan configuration and are using 1:1 nats, each 1:1 nat and corresponding rule must have its gateway set accordingly - otherwise your outbound nat, just like mine, may very well go out the wrong isp network. and that just isn't cool. :) well, perhaps cool but certainly not very useful …

    bravo, guys. you've already made good on this year's support contract.
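To make the rules.debug dump earlier in the thread and the gateway fix in this last post concrete: the following Python model is an added example, not code from the thread or from pfSense. It reads `binat`/`nat` lines in the rules.debug format and reports the source address an outbound packet would leave with, given the interface it actually exits through, mirroring pf's lookup (binat rules consulted before nat rules, first match wins, a rule only applies on its own interface). The macro mapping $wan = em2 and $TELCOVE = em1 is an assumption read off the dump, and the rule excerpt is constructed from the lines posted above.

```python
import ipaddress
import re

# Interface macros as the dump implies ($wan -> em2, $TELCOVE -> em1): an assumption.
MACROS = {"$wan": "em2", "$TELCOVE": "em1"}

# Constructed excerpt in rules.debug format, copied from the lines posted above.
RULES = """
binat on em1 from 10.0.0.50/32 to any -> 72.236.26.50/32
nat on $wan from 10.0.0.0/24 port 500 to any port 500 -> (em2) port 500
nat on $wan from 10.0.0.0/24 to any -> (em2)
nat on $TELCOVE from 10.0.0.0/24 to any -> (em1)
"""

RULE_RE = re.compile(r"^(binat|nat) on (\S+) from (\S+)(?: port (\d+))? to any(?: port \d+)? -> (\S+)")

def parse_rules(text):
    """Parse binat/nat lines; anchors and pass rules in the dump are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        kind, iface, src, port, target = m.groups()
        rules.append({
            "kind": kind,
            "iface": MACROS.get(iface, iface),
            "src": ipaddress.ip_network(src),
            "port": int(port) if port else None,
            "target": target.split("/")[0],  # "(em2)" = em2's own address, i.e. the firewall IP
        })
    return rules

def translated_source(rules, src_ip, egress_iface, sport=None):
    """Source address an outbound packet leaves with (src_ip if nothing matches).

    pf consults binat rules before nat rules, first match wins, and a rule only
    applies on the interface the packet actually exits through, which routing
    (default route or route-to from a rule's gateway) has already decided."""
    addr = ipaddress.ip_address(src_ip)
    for kind in ("binat", "nat"):
        for r in rules:
            if r["kind"] != kind or r["iface"] != egress_iface or addr not in r["src"]:
                continue
            if r["port"] is not None and r["port"] != sport:
                continue
            return r["target"]
    return src_ip
```

With the default route on em2, 10.0.0.50 exits em2 and the `nat on $wan` rule rewrites it to em2's own address, which is exactly the symptom reported; policy-routing it out em1 (the gateway setting this post describes) lets the binat on em1 match and the host leaves as 72.236.26.50.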



  • Thanks!  And for the record you have a somewhat complicated network :)

