Netgate Discussion Forum
    NAT Reflection not working

astickland

      I seem to be banging my head against a wall trying to get NAT Reflection working.

      I have a scenario whereby two internal services need to talk to each other via the public URL so I configured a 'NAT: Port Forwarding Rule' as…

      Dest: "WAN Address"
       Dest Ports: 5443
       Redirect: {internal IP}
       Redirect Port: 443

      I then selected 'enable' for NAT Reflection and saved the rule.

      From the internal server I ran "openssl s_client -connect {wan ip}:5443" but the connection times out with errno=110. Connections from outside the firewall all operate fine so there is obviously a problem with NAT Reflection.

      I then found out that NAT Reflection seemed to be disabled altogether so I unchecked the "Disable NAT Reflection for port forwards" box under System -> Advanced, deleted the NAT rule and recreated it.

      As I understand it, if NAT reflection is enabled, additional rules should be created but I can't see these anywhere.

      Packet capture on the WAN interface shows nothing for the test connection but on the LAN interface I get the expected packets. States shows the connection as "CLOSED:SYN_SENT" so something is missing but I'm not sure what.

      Firmware is at...

      2.0.2-RELEASE (amd64)
      built on Fri Dec 7 22:39:43 EST 2012
      FreeBSD 8.1-RELEASE-p13

      What have I missed or done wrong?

jimp (Rebel Alliance Developer, Netgate)

        The NAT reflection rules are put in behind the scenes, they aren't visible in the GUI. No need to re-create your rules, they happen automatically.

        There may be an issue with the port being different on the outside and the inside, but last time I tried it that did work (but it's been a while).

Post the state table lines (both of them) for the connection. You can obscure the IPs so long as it's noted which are which (client, external, server).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

astickland

          Sorry to take so long to respond but I got moved onto something else :(

          Unfortunately, there is only one state line related to this connection (please see attached) - shows connection from the internal IP (10.0.1.6) to port 5443 on the external interface.

[attachment: 2013-01-21_1239.png]

jimp (Rebel Alliance Developer, Netgate)

There should always be more than one line, but the other line may be a little more obscure: it wouldn't mention 5443, but probably localhost and a port in the 19000 range. Try it a few more times and then post the full "pfctl -vvss" output. You can send it via PM so you don't need to obscure the info; it would be easier to spot that way. It would also help to see /tmp/rules.debug and /var/etc/inetd.conf.

astickland

              Thanks for the feedback.

              I am certain that there was nothing else related to the session in the status logs but I could be wrong :)

              I will do as you suggest ASAP and post via PM.

Thanks

astickland

                Hi Jimp,

                I sent the requested info over last Thursday - was it OK?

                All the best
                Andrew

jimp (Rebel Alliance Developer, Netgate)

                  Just been too busy to look at it.

                  Looks like NAT reflection is not enabled anywhere for port forwards that I see, or else there would be lines in inetd.conf for them, and rules to reflect. Not seeing either one.

astickland

                    Thanks for feedback - mostly wanted to make sure you had all you needed at this stage.

So, I am using the webConfigurator to set this up, which suggests a fault there. As per the documentation, I enabled NAT Reflection on the NAT rules that needed it but, as you note, there is nothing in the config other than the allow.

                    Can you suggest what should I do next?

                    Thanks

jimp (Rebel Alliance Developer, Netgate)

                      Turn on the main NAT reflection option: System > Advanced, Firewall/NAT tab, at the bottom section.

astickland

OK, thanks for the info, but it doesn't seem to have made a difference. There are three settings and I only tried the first, as the second and third say they relate to 1:1 NAT only.

                        First setting "Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Note: Reflection for port forward entries is skipped for ranges larger than 500 ports."

                        - I tried with it on and off with no difference that I could see in inetd.conf or rules.debug but would I need to delete the rule and rebuild it to make the change effective?

                        Second setting "Disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. Note: Reflection for 1:1 NAT might not fully work in certain complex routing scenarios."

                        - is checked

                        And third setting "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.
                        Currently only applies to 1:1 NAT rules. Required for full functionality of NAT Reflection for 1:1 NAT."

                        - is not checked

                        :(

jimp (Rebel Alliance Developer, Netgate)

Uncheck the first box, and set the per-rule NAT reflection option back to default.

                          If the per-rule option is broken in some way, then setting it to anything but default is probably going to break.

jimp (Rebel Alliance Developer, Netgate)

                            I just tried a test port forward on a 2.0.3 VM I have here and it worked fine… I can enable it on a per-rule basis or global and it works every time.

                            You might upgrade to make sure it isn't something that was broken in 2.0.2.

                            http://forum.pfsense.org/index.php/topic,58203.0.html

astickland

                              Hi,

                              Thanks for the response.

                              I have upgraded to the 2.0.3 pre-release firmware, deleted and then recreated the rule but still no better as far as I can tell.

                              Can you post or PM me the entries that I should be expecting to see in the rules.debug and inetd.conf files so I can check my settings?

                              Thanks
                              Andrew

jimp (Rebel Alliance Developer, Netgate)

For a WAN port forward going to 123.123.123.162:1234 (on my test VM's LAN subnet):

                                : cat /var/etc/inetd.conf 
                                tftp-proxy      dgram   udp     wait            root    /usr/libexec/tftp-proxy tftp-proxy -v
                                19000   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000 123.123.123.162 1234
                                
                                : grep 1234 /tmp/rules.debug 
                                rdr pass on em0 proto tcp from any to 10.20.30.40 port 1234 -> 123.123.123.162
                                rdr on { em1 enc0 openvpn } proto tcp from any to 10.20.30.40 port 1234 tag PFREFLECT -> 127.0.0.1 port 19000
                                

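The two entries above are what a working reflection setup produces: a PFREFLECT rdr rule on the internal interfaces pointing at a localhost port, and an inetd nc listener on that port relaying to the forward's target. As an added example (not code from this thread or from pfSense itself), this shell script cross-checks /tmp/rules.debug against /var/etc/inetd.conf and flags a forward whose reflection rule or listener is missing, or whose listener points somewhere else; the sample files are constructed from the lines jimp posted, and the rule layout they show is the only format the script assumes.

```shell
# Added example, not code from the thread or from pfSense itself. It cross-checks
# the two files jimp asked for, /tmp/rules.debug and /var/etc/inetd.conf, and for
# each TCP "rdr pass" forward reports whether the PFREFLECT rdr rule and its inetd
# nc listener on 127.0.0.1 exist and point at the forward's target.
check_reflection() {
    awk '
    # rules.debug: the port forward itself (target port defaults to the dst port)
    FILENAME == ARGV[1] && /^rdr pass on/ && /proto tcp/ {
        dip = dport = tgt = tport = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "to") dip = $(i+1)
            if ($i == "port" && dport == "") dport = $(i+1)
            if ($i == "->") { tgt = $(i+1); if ($(i+2) == "port") tport = $(i+3) }
        }
        if (tport == "") tport = dport; key = dip ":" dport
        n++; fwd[n] = key; target[key] = tgt ":" tport
        next
    }
    # rules.debug: the reflection rule that sends LAN clients to a local port
    FILENAME == ARGV[1] && /tag PFREFLECT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "to") key = $(i+1) ":" $(i+3)
            if ($i == "127.0.0.1") reflect[key] = $(i+2)
        }
        next
    }
    # inetd.conf: the nc relay listening on that local port
    FILENAME == ARGV[2] && $2 == "stream" && $3 == "tcp" { listener[$1] = $(NF-1) ":" $NF }
    END {
        for (i = 1; i <= n; i++) {
            key = fwd[i]; lp = reflect[key]
            if (lp == "") { print "MISSING PFREFLECT rdr for " key; bad = 1 }
            else if (listener[lp] == "") { print "MISSING inetd listener on 127.0.0.1:" lp " for " key; bad = 1 }
            else if (listener[lp] != target[key]) { print "MISMATCH " key ": rdr " target[key] " vs inetd " listener[lp]; bad = 1 }
            else print "OK " key " -> " target[key] " via 127.0.0.1:" lp
        }
        exit bad + 0
    }' "${1:-/tmp/rules.debug}" "${2:-/var/etc/inetd.conf}"
}
# Constructed sample input, copied from the entries jimp posted above.
tmp=$(mktemp -d)
cat > "$tmp/rules.debug" <<'EOF'
rdr pass on em0 proto tcp from any to 10.20.30.40 port 1234 -> 123.123.123.162
rdr on { em1 enc0 openvpn } proto tcp from any to 10.20.30.40 port 1234 tag PFREFLECT -> 127.0.0.1 port 19000
EOF
cat > "$tmp/inetd.conf" <<'EOF'
19000   stream  tcp     nowait/0        nobody  /usr/bin/nc     nc -w 2000 123.123.123.162 1234
EOF
head -n 1 "$tmp/rules.debug" > "$tmp/rules.broken"   # the thread's symptom: forward present, no reflection
check_reflection "$tmp/rules.debug" "$tmp/inetd.conf"
check_reflection "$tmp/rules.broken" "$tmp/inetd.conf" || echo "reflection not set up (exit $?)"
```

Run it with no arguments on the firewall itself to read the real files; a non-zero exit means at least one forward has no usable reflection path.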
Waco1

                                  This might be related:

                                  2.0.2-RELEASE (amd64)
                                  built on Fri Dec 7 22:39:43 EST 2012
                                  FreeBSD 8.1-RELEASE-p13

                                  NAT reflection comes and goes for me. Sometimes it works, then it will stop. A reboot sometimes fixes it.

Client has a /29 WAN for the usual 6 IPs, plus another 12 aliases, and forwards lots of ports. NAT reflection is important.

I added DNS aliases for all the external services, and that mitigates the worst of the problems, but that's a tacky, even cheesy, solution.

                                  I'm not sure what to look for in diagnosing this.

Supermule

                                    http://forum.pfsense.org/index.php/topic,58581.0/topicseen.html

Supermule

Are people seeing this on 32-bit builds as well?

astickland

                                        Thanks for the info - unfortunately, whatever I do the rules are simply not getting set up therefore NAT Reflection doesn't even get a chance to start.

                                        Weird!!

astickland

OK, the firewall instances I am trying to get working reside in a Virtual Data Centre, are deployed from release images of pfSense 2.0, and use DHCP for the allocation of WAN IP addresses.

On the chance that creation of the NAT Reflection entries was being prevented by the DHCP setting, I switched one of the firewalls to use a static IP address.

                                          No better - and I rebooted just in case :(

                                          So, other than the settings under System -> Advanced & not using 'enabled' on the NAT rule itself, what else can prevent this being set up?

Digging into the source code, it looks as though the culprit might be in filter_get_reflection_interfaces(), because the WAN interface I am applying the rule to has a gateway. Or am I barking up the wrong tree?

Waco1

                                            Count the number of forwards you're doing, especially including port ranges.

                                            Make sure the total is less than 500.

                                            That was my problem (RTP port range for Jabber = 10,000 forwards, all set for "System Default" reflection). It's rock-solid now.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.