Netgate Discussion Forum
    Upgraded to 2.0.2 - outbound NAT rule disappearing randomly

    Problems Installing or Upgrading pfSense Software

    jwelter99

      Hi,

      We have two outbound NAT rules.  One references the firewall public IP as the NAT address, the other references an IP alias on the public interface.

      Randomly the outbound NAT rule referencing the IP alias will vanish from the WebGUI after working fine for a few days.  The end result is that the network range served by the NAT rule loses outbound access until the rule is re-added.

      We are running manual outbound rule generation.  Below are the two rules, it's the 2nd one that will completely be removed randomly.

      This did not occur under 2.0.1 and many many months of the same config running fine.

      WAN   192.168.xx.xx/24 * * * * * NO
      WAN   any * * * 74.xxx.yyy.zzz * NO

      Sorry just realized this should probably be in the NAT forum and not here - can a mod move it?

      Supermule

        I am running outbound NAT here as well and no issues as of yet.

        Been running for 10 days right now without problems other than SNORT.

        jwelter99

          @Supermule:

          I am running outbound NAT here as well and no issues as of yet.

          Been running for 10 days right now without problems other than SNORT.

          Thanks, are you running pfBlocker by chance?  That is the only package add on we have active.

          Supermule

            Yes I do, and it's running and blocking as it should.

            Snort makes my last hair disappear... :D

            I did a clean install, so no upgrade. Try that and see if it works better.

            cmb

              Go to Diag>Backup/restore, Config history tab. There you'll see what user and IP logged in and deleted your outbound NAT rule. :) Seriously, nothing in our code touches outbound NAT, and nothing at all related to that changed in 2.0.2. It's hard to believe how many times I've run into "X config just keeps disappearing and we aren't touching it, why is my firewall broken!!" with customers, when the config history proves some other person there kept logging in and deleting it.

              Reinstalling would be a waste of time regardless.

              jwelter99

                @cmb:

                Go to Diag>Backup/restore, Config history tab. There you'll see what user and IP logged in and deleted your outbound NAT rule. :) Seriously, nothing in our code touches outbound NAT, and nothing at all related to that changed in 2.0.2. It's hard to believe how many times I've run into "X config just keeps disappearing and we aren't touching it, why is my firewall broken!!" with customers, when the config history proves some other person there kept logging in and deleting it.

                Reinstalling would be a waste of time regardless.

                Actually it looks like this is only occurring on the backup system, and it's caused by the XMLRPC sync.  On the master we have a 2nd outbound NAT rule that is set to not sync, but it seems like the sync is still wiping out the 2nd rule on the backup.

                Firing up a pair of 2.0.1 VMs with the same config, we don't get the problem.

                Perhaps the "do not sync" rule is being ignored in 2.0.2?

                jimp (Netgate developer)

                  Is "do not sync" checked on the rule for both master and slave?

                  Why do you have different NAT rules on the master and slave?

                  jwelter99

                    @jimp:

                    Is "do not sync" checked on the rule for both master and slave?

                    Why do you have different NAT rules on the master and slave?

                    Yes, "do not sync" is checked on the outbound rule on master and slave.

                    We are dealing with 2 public address spaces, so each pfSense has an interface with a public IP in one of the public address spaces, and an IP alias in the 2nd public space.

                    For our legacy traffic to go out on the IP alias public IPs we have a 2nd NAT rule that specifies the IP alias as the NAT address.  For this reason the master and slave each have a separate rule for this.

                    jwelter99

                      Did some more testing.

                      If NAT sync is turned on in the XMLRPC Sync config, the outbound NATs are synced and any extra rules on the backup, even if the "do not sync" checkbox is set on them, are removed.  If "do not sync" is set on the master for an outbound rule, that rule is not synced, but any additional rules not on the master are removed from the backup.

                      If I turn off NAT sync in the XMLRPC Sync config we don't get the outbound rules being wiped out on the backup.  Obviously we lose the 1:1 and other NAT rules being synced as well.

                      In 2.0.2 perhaps the NAT sync is not evaluating the "do not sync" explicit rule on the backup before removing rules?
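As an added illustration (not pfSense code, and not anything posted in this thread), the following model contrasts the sync behaviour the poster describes above (the backup's outbound NAT list is replaced by the master's syncable rules, so backup-only rules vanish regardless of their "do not sync" flag) with the behaviour the poster expected (backup rules flagged "do not sync" survive). The rule fields, the RFC 5737 addresses and the two-node config are constructed for the example; `lost_rules` is a small check an operator could use to compare a backup's rule list before and after a sync.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundNatRule:
    """Constructed model of an outbound NAT rule; only the fields the thread discusses."""
    interface: str
    source: str
    target: str          # NAT address: firewall IP or an IP alias
    nosync: bool = False  # the "do not sync" checkbox


def sync_observed(master, backup):
    """Behaviour reported in the thread for 2.0.2: the backup list becomes the
    master's syncable rules, so every backup-only rule is dropped, flagged or not."""
    return [r for r in master if not r.nosync]


def sync_expected(master, backup):
    """Behaviour the poster expected: push the master's syncable rules, but keep
    any backup rule flagged 'do not sync' (e.g. the rule for the backup's own alias)."""
    kept = [r for r in backup if r.nosync]
    return [r for r in master if not r.nosync] + kept


def lost_rules(master, backup, sync):
    """Rules present on the backup before a sync that are gone afterwards.
    Comparing the backup's rule list around each sync is the cheapest way to
    confirm that a disappearing rule is caused by sync rather than by an admin."""
    after = sync(master, backup)
    return [r for r in backup if r not in after]


# Constructed two-node config mirroring the thread: rule 1 (shared) uses the
# firewall's own address, rule 2 (per-node, 'do not sync') uses that node's alias.
MASTER = [
    OutboundNatRule("WAN", "192.168.10.0/24", "interface-address"),
    OutboundNatRule("WAN", "any", "203.0.113.10", nosync=True),  # master's alias
]
BACKUP = [
    OutboundNatRule("WAN", "192.168.10.0/24", "interface-address"),
    OutboundNatRule("WAN", "any", "203.0.113.11", nosync=True),  # backup's alias
]

if __name__ == "__main__":
    print("lost with observed behaviour:", lost_rules(MASTER, BACKUP, sync_observed))
    print("lost with expected behaviour:", lost_rules(MASTER, BACKUP, sync_expected))
```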
