Issues with NAT 1:1 or Port Forward

gumbadio

I recently setup pfsense to test if our ASA had some hardware issues. Basic internal setup was fine everything inside gets DHCP and internet access. I only added 1 firewall rule to allow external ping on the wan address for some testing of connectivity.

We use Comcast Business so I set my WAN to XXX.XXX.XXX.161/29 with Gateway of XXX.XXX.XXX.166
I add a VirtualIP of XXX.XXX.XXX.162/32 as a IP Alias
I currently have it set as a port forward with the only options touched as Destination used the dropdown for the VIP created .162. Destination port HTTP. Redirected target IP and port 192.168.13.10 and 80.
pfsense auto created a rule for it with settings of PASS/WAN/TCP/Source=any/Destination=192.168.13.10/Port=80. I went in after and selected the log checkbox.

If I run a tcpdump on my wan interface I do see that the requests get there from my phone on an external IP. I don't see anything in filter.log related to my .162 VIP.

What would be my next step in trouleshooting this do you think?

Thanks for any help.

edit: I also had some issues when using 1:1 where my settings were
WAN/xxx.xxx.xxx.162/InternalI=192.168.13.10/Destination=any

edit2: Also changed my VIP to have same CIDR as WAN of /29. no effect

edit3:


tcpdump output
[2.0.1-RELEASE][root@pfsense.carousel]/root(2): tcpdump -i em0 -n dst port 80 and dst host xxx.xxx.xxx.162
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
11:58:59.511166 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:59:02.511230 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:59:08.511252 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [s], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

[2.0.1-RELEASE][root@pfsense.carousel]/root(4): tcpdump -i em1 -n dst port 80 and dst host 192.168.13.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes

So the traffic gets to WAN interface but doesnt get NAT'd through it seems

VIP SS attached
![VIP.png](/public/_imported_attachments_/1/VIP.png)
![VIP.png_thumb](/public/_imported_attachments_/1/VIP.png_thumb)[/s][/s][/s]

gumbadio

Rules SS

Rules.png_thumb

gumbadio

NAT SS

NAT.png_thumb

gumbadio

[2.0.1-RELEASE][root@pfsense.carousel]/root(5): pfctl -s nat
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 192.168.8.0/21 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
nat on em0 inet from 192.168.8.0/21 to any -> xxx.xxx.xxx.161 port 1024:65535
nat on em0 inet from 127.0.0.0/8 to any -> xxx.xxx.xxx.161 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on em0 inet proto tcp from any to xxx.xxx.xxx.162 port = http -> 192.168.13.10
rdr-anchor "miniupnpd" all

cmb

your rules are fine. Add a -e to the tcpdump to ensure the dest MAC address is correct. Then go through the other items:
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

gumbadio

Thanks, I had to take it out of active use until I resolve the NAT so will put it back in place and test with that next morning I can get in before rest of office and swap them out.

cmb

If you're swapping boxes in and out you're likely having problems because of a stale upstream ARP cache, that'll have to be cleared.

gumbadio

Looks like it may have been hardware related on the PC side. Tested a different machine and it seems to be working properly now.