1:1 NAT on FreeBSD 8.1-RELEASE-p6 | esxi 5….



  • Hi all,

    Looking for some info here.  I'm having an intermittent problem where I am using pfsense release 8.1-RELEASE-p6 in VMs on esxi 5.  On some occasions 1:1 NAT seems to work fine, other times it does not.  The configurations are identical in each case (minus the VIP and public IP used).

    The machines are using E1000 virtual adapters, all other aspects seem to be fine (general rule filtering etc).  Even port forwarding works with no problems.  The issue seems to be specific to 1:1 NAT rules created.

    Has anyone experienced problems with this configuration or had similar issues?  I can find no variables between those pfsense instances that will work and those that will not.  Bit lost at the moment so any input would be appreciated folks.

    Cheers,

    ehamil16



  • I have the exact same configuration and zero problems.  Specify what problems you're having exactly and post your NAT tables.



  • Hey guys,

    Sorry, meant to get back to you - finally figured this one out.  Turns out that several stale MAC addresses on indirectly connected Cisco switches proved to be the issue (this would have been caused via my inter-VLAN routing configuration).

    Basically the pfsense instances having the problem were ARPing out for the administratively defined gateway.  These IP addresses were once in use on another portion of my network - the old MAC addresses were therefore still present in some (not all) of the multi-layer switches.  As a result, the virtual MAC of the gateway that the problem pfsense instances were seeing was forever changing (at least once a second, as I found it in the pfsense logs).  Flushing the ARP tables on the connecting switches and bringing the gateways back into the configuration with a new virtual MAC address resolved the issues noted at the firewall layer. :-)

    I'm not sure at face value without testing, but I guess the same problem could arise if you aren't careful with an HSRP/VRRP configuration to be used for a pfsense gateway (since the likes of HSRP use virtual MACs also).  Just a wee heads-up for anyone that might find it useful!

    Cheers,

    ehamil16
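Spotting the gateway MAC flapping described in the post from the firewall's own logs, as an added example that is not code from the thread: it assumes FreeBSD's kernel message shape `arp: <ip> moved from <mac> to <mac> on <ifname>` as delivered via syslog, and the log lines below are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog line shape (FreeBSD kernel "arp: ... moved from ... to ..." message):
# "Mon DD HH:MM:SS <host> kernel: arp: <ip> moved from <mac> to <mac> on <ifname>"
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: arp: (?P<ip>\S+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)$"
)

# Constructed sample: 192.0.2.1 (the gateway) alternates between a stale HSRP-style
# virtual MAC (0000.0c07.acXX) and a VMware MAC once a second; 192.0.2.50 moves once,
# which is what a normal VM migration or NIC swap looks like. One unrelated line is skipped.
SAMPLE_LOG = """\
Jan 10 12:00:00 fw1 kernel: arp: 192.0.2.1 moved from 00:00:0c:07:ac:01 to 00:50:56:aa:bb:01 on em0
Jan 10 12:00:01 fw1 kernel: arp: 192.0.2.1 moved from 00:50:56:aa:bb:01 to 00:00:0c:07:ac:01 on em0
Jan 10 12:00:02 fw1 kernel: arp: 192.0.2.1 moved from 00:00:0c:07:ac:01 to 00:50:56:aa:bb:01 on em0
Jan 10 12:00:03 fw1 kernel: arp: 192.0.2.1 moved from 00:50:56:aa:bb:01 to 00:00:0c:07:ac:01 on em0
Jan 10 12:00:05 fw1 kernel: arp: 192.0.2.50 moved from 00:50:56:11:22:33 to 00:50:56:44:55:66 on em0
Jan 10 12:00:06 fw1 kernel: em0: link state changed to UP
"""


def parse_arp_moves(text):
    """Extract MAC-change events; the year is absent, so timestamps are only used for deltas."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events


def flapping_hosts(events, window_s=60, min_moves=3):
    """Return {ip: (total_moves, sorted distinct MACs)} for every IP whose MAC changed
    at least min_moves times inside any window_s-second span. A single move is normal;
    repeated alternation is the stale-CAM/ARP symptom from the post."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - min_moves + 1):
            span = (evs[i + min_moves - 1]["ts"] - evs[i]["ts"]).total_seconds()
            if span <= window_s:
                macs = {e["old"] for e in evs} | {e["new"] for e in evs}
                flagged[ip] = (len(evs), sorted(macs))
                break
    return flagged


if __name__ == "__main__":
    for ip, (moves, macs) in flapping_hosts(parse_arp_moves(SAMPLE_LOG)).items():
        print(f"{ip}: {moves} MAC changes, alternating between {', '.join(macs)}")
```

Feed it the firewall's `/var/log/system.log` (or the equivalent syslog stream) instead of `SAMPLE_LOG`; a gateway IP that keeps alternating between two MACs points at stale forwarding-table entries upstream rather than at the NAT rules.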

