Issues with NAT 1:1 or Port Forward



  • I recently set up pfSense to test whether our ASA had some hardware issues.  The basic internal setup was fine: everything inside gets DHCP and internet access.  I only added one firewall rule to allow external ping on the WAN address for some connectivity testing.

    We use Comcast Business, so I set my WAN to XXX.XXX.XXX.161/29 with a gateway of XXX.XXX.XXX.166.
    I added a Virtual IP of XXX.XXX.XXX.162/32 as an IP Alias.
    I currently have it set up as a port forward; the only options I touched were Destination (used the dropdown for the VIP I created, .162), Destination port HTTP, and Redirect target IP and port 192.168.13.10 and 80.
    pfSense auto-created a rule for it with settings of PASS/WAN/TCP/Source=any/Destination=192.168.13.10/Port=80.  I went in afterwards and selected the log checkbox.

    If I run a tcpdump on my wan interface I do see that the requests get there from my phone on an external IP.  I don't see anything in filter.log related to my .162 VIP.

    What would be my next step in troubleshooting this, do you think?

    Thanks for any help.

    edit: I also had some issues when using 1:1, where my settings were
    WAN / xxx.xxx.xxx.162 / Internal IP=192.168.13.10 / Destination=any

    edit2: Also changed my VIP to have the same CIDR as the WAN, /29.  No effect.

    edit3:

    
    tcpdump output
    [2.0.1-RELEASE][root@pfsense.carousel]/root(2): tcpdump -i em0 -n dst port 80 and dst host xxx.xxx.xxx.162
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    11:58:59.511166 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:59:02.511230 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:59:08.511252 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    
    [2.0.1-RELEASE][root@pfsense.carousel]/root(4): tcpdump -i em1 -n dst port 80 and dst host 192.168.13.10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
    
    So the traffic gets to the WAN interface but doesn't get NAT'd through, it seems.
    
    VIP SS attached
    ![VIP.png](/public/_imported_attachments_/1/VIP.png)
    


  • Rules SS




  • NAT SS




  • [2.0.1-RELEASE][root@pfsense.carousel]/root(5): pfctl -s nat
    no nat proto carp all
    nat-anchor "natearly/*" all
    nat-anchor "natrules/*" all
    nat on em0 inet from 192.168.8.0/21 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
    nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
    nat on em0 inet from 192.168.8.0/21 to any -> xxx.xxx.xxx.161 port 1024:65535
    nat on em0 inet from 127.0.0.0/8 to any -> xxx.xxx.xxx.161 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/*" all
    rdr-anchor "tftp-proxy/*" all
    rdr on em0 inet proto tcp from any to xxx.xxx.xxx.162 port = http -> 192.168.13.10
    rdr-anchor "miniupnpd" all
    
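A quick way to confirm that the `pfctl -s nat` output above actually contains the redirect you configured, rather than eyeballing it, is to parse the rdr lines and check the VIP, port and target against what the port-forward page was meant to produce. This is an added example and not pfSense code; the sample input is constructed from the thread's output with the documentation range 203.0.113.0/24 standing in for the redacted public addresses, and the small service-name table is an assumption covering only the names that appear here.

```python
"""Parse `pfctl -s nat` text and verify that an rdr (port-forward) rule exists.

Added example, not part of the thread or of pfSense. It checks three things a
troubleshooter wants to know from this output: is there an rdr for the VIP and
port at all, does it point at the intended internal host, and on which interface.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the thread's output; 203.0.113.x stands in
# for the redacted xxx.xxx.xxx.x addresses.
SAMPLE_PFCTL_NAT = """\
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 192.168.8.0/21 port = isakmp to any port = isakmp -> 203.0.113.161 port 500
nat on em0 inet from 192.168.8.0/21 to any -> 203.0.113.161 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr on em0 inet proto tcp from any to 203.0.113.162 port = http -> 192.168.13.10
rdr-anchor "miniupnpd" all
"""

# pfctl prints service names from /etc/services instead of numbers; this is an
# assumed, deliberately small subset sufficient for the sample above.
SERVICE_PORTS = {"http": 80, "https": 443, "isakmp": 500, "ssh": 22, "smtp": 25}

# One rdr line as pfctl prints it; the trailing "port N" on the target is
# omitted by pfctl when the redirected port equals the destination port.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port = (?P<dport>\S+) -> (?P<target>\S+)(?: port (?P<tport>\S+))?$"
)


@dataclass
class RdrRule:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    target: str
    tport: int


def port_number(token: str) -> int:
    """Turn a pfctl port token (number or service name) into an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_rdr_rules(text: str) -> List[RdrRule]:
    """Return every plain rdr rule in the output; anchors and nat lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        dport = port_number(m["dport"])
        tport = port_number(m["tport"]) if m["tport"] else dport
        rules.append(RdrRule(m["iface"], m["proto"], m["src"], m["dst"], dport, m["target"], tport))
    return rules


def find_rdr(rules: List[RdrRule], vip: str, dport: int, proto: str = "tcp") -> Optional[RdrRule]:
    """Locate the rdr that would catch traffic to vip:dport for the given protocol."""
    for r in rules:
        if r.dst == vip and r.dport == dport and r.proto == proto:
            return r
    return None


def check_forward(text: str, vip: str, dport: int, target: str,
                  tport: Optional[int] = None, proto: str = "tcp") -> str:
    """Classify the state of the expected port forward as ok / missing / wrong-target."""
    rule = find_rdr(parse_rdr_rules(text), vip, dport, proto)
    if rule is None:
        return "missing"
    if rule.target != target or rule.tport != (tport or dport):
        return "wrong-target"
    return "ok"


if __name__ == "__main__":
    print(check_forward(SAMPLE_PFCTL_NAT, "203.0.113.162", 80, "192.168.13.10"))
```

When the result is `ok` and tcpdump on the WAN still shows the SYNs arriving, the translation itself is loaded correctly and the remaining suspects are lower down the path: the frame's destination MAC, the WAN firewall rule and state table, or the internal host answering (which is where this thread ended up).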


  • Your rules are fine. Add a -e to the tcpdump to ensure the dest MAC address is correct. Then go through the other items:
    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Thanks, I had to take it out of active use until I resolve the NAT, so I will put it back in place and test with that the next morning I can get in before the rest of the office and swap them out.



  • If you're swapping boxes in and out you're likely having problems because of a stale upstream ARP cache, that'll have to be cleared.
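The two replies above (add `-e` to tcpdump to see the destination MAC, and a stale upstream ARP cache after swapping boxes) describe the same check: with `-e`, tcpdump prints the Ethernet header, and because the capture runs in promiscuous mode it still shows frames the upstream router addressed to the old firewall's MAC, which the kernel then discards before pf ever sees them. The script below, an added example rather than anything from the thread or pfSense, parses `tcpdump -e -n` lines and reports whether the SYNs for the VIP are actually addressed to the WAN interface's MAC. All MAC addresses and the sample capture are constructed; the firewall's real WAN MAC would come from `ifconfig em0`.

```python
"""Spot a stale upstream ARP entry from `tcpdump -i em0 -e -n` output.

Added example, not part of the thread. Frames whose destination MAC is not the
WAN interface's MAC were delivered to a different hardware address (typically
the previous firewall's), so pf never processes them even though tcpdump shows
them arriving.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: assumed MAC of the pfSense WAN interface (em0) and of the old box.
WAN_MAC = "00:0c:29:44:55:66"
OLD_BOX_MAC = "00:0c:29:11:22:33"

# Constructed sample in tcpdump -e -n format; 198.51.100.20 is the client,
# 203.0.113.162 the VIP. The first two frames still go to the old MAC.
SAMPLE_TCPDUMP_E = """\
11:58:59.511166 00:1b:21:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 198.51.100.20.60714 > 203.0.113.162.80: Flags [S], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:59:02.511230 00:1b:21:aa:bb:01 > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 198.51.100.20.60714 > 203.0.113.162.80: Flags [S], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:59:40.100000 00:1b:21:aa:bb:01 > 00:0c:29:44:55:66, ethertype IPv4 (0x0800), length 74: 198.51.100.20.60715 > 203.0.113.162.80: Flags [S], seq 9, win 5840, options [mss 1460], length 0
"""

# Ethernet header, IPv4 ethertype, then the IPv4/TCP summary tcpdump prints.
ETH_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<smac>[0-9a-fA-F:]{17}) > (?P<dmac>[0-9a-fA-F:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Frame:
    ts: str
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int
    flags: str


def parse_tcpdump_e(text: str) -> List[Frame]:
    """Parse IPv4/TCP lines from tcpdump -e -n output; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = ETH_RE.match(line.strip())
        if m:
            frames.append(Frame(m["ts"], m["smac"].lower(), m["dmac"].lower(),
                                m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return frames


def check_dst_mac(frames: List[Frame], wan_mac: str) -> Tuple[int, List[Frame]]:
    """Return (frames addressed to the WAN MAC, frames addressed elsewhere)."""
    wan_mac = wan_mac.lower()
    stale = [f for f in frames if f.dst_mac != wan_mac]
    return len(frames) - len(stale), stale


def diagnose(text: str, wan_mac: str) -> str:
    """One-line verdict on whether the upstream router is using the right MAC."""
    frames = parse_tcpdump_e(text)
    if not frames:
        return "no matching frames: traffic is not reaching the WAN segment at all"
    ok, stale = check_dst_mac(frames, wan_mac)
    if stale and ok == 0:
        others = sorted({f.dst_mac for f in stale})
        return f"stale-arp: all {len(stale)} frames addressed to {', '.join(others)}"
    if stale:
        return f"mixed: {ok} frames to WAN MAC, {len(stale)} to other MACs (ARP entry recently refreshed?)"
    return "ok: frames addressed to WAN MAC; check rdr rules, WAN firewall rule and the target host next"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TCPDUMP_E, WAN_MAC))
```

A `stale-arp` verdict is the signature of the swap-in problem the last reply describes: the upstream device keeps handing frames for the VIP to the MAC it learned from the old firewall until its ARP entry expires or is cleared, so nothing pfSense does with NAT rules will change the outcome.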



  • Looks like it may have been hardware related on the PC side.  Tested a different machine and it seems to be working properly now.


Locked