Netgate Discussion Forum
    1:1 NAT Problem - LAN->WAN=OK, WAN->LAN=OK, LAN->VIP->LAN=BAD
    6 Posts 3 Posters 2.8k Views
    Hellrazor

      I thought this would be the easiest implementation of a 1:1 configuration I could think of but I guess I was wrong.  :)

      Here's the setup.

      I have 3 WAN addresses:
      10.10.10.1/24
      10.10.10.2/24
      10.10.10.3/24

      I want to map each WAN IP to a LAN IP:
      192.168.1.1/24
      192.168.1.2/24
      192.168.1.3/24

      Such that:
      10.10.10.1/24 = 192.168.1.1/24
      10.10.10.2/24 = 192.168.1.2/24
      10.10.10.3/24 = 192.168.1.3/24

      I created a Virtual IP for each WAN address (PARP):
      10.10.10.1/32
      10.10.10.2/32
      10.10.10.3/32

      I then created a 1:1 NAT rule for each VIP associating the VIP (WAN IP) to the LAN IP.
      10.10.10.1/32 = 192.168.1.1/32
      10.10.10.2/32 = 192.168.1.2/32
      10.10.10.3/32 = 192.168.1.3/32

      The nodes on the LAN can get to the WAN and the WAN can access each LAN node but the LAN nodes can't access each other via the WAN (VIP) address.

      What did I do wrong?

    GruensFroeschli

        Try enabling NAT reflection.
        But I'm not sure if this works with 1:1 NAT.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    Hellrazor

          I turned on NAT Reflection and I still have the same problem.

          It seems to me that pfSense should realize the packets are destined for an address that it is maintaining and simply route that traffic back through the NAT path.

          192.168.1.1->10.10.10.1 (VIP)->192.168.1.1

          Is this a sane thing to do with pfSense?  It seemed straightforward.

          I'm running:
          1.2-RC1
          built on Sat Jul 21 13:42:54 EDT 2007

          Is it possible this works in RC2?

    Hellrazor

            Well… I re-installed using 1.2 RC2 and reconfigured everything and I get the same result.

            I can access the LAN node from the WAN and the WAN from the LAN but if I try to access the LAN node via the WAN address (VIP) I get nada.

            I have a WAN rule allowing everything from everywhere. (Wide open)

            Anybody???  Anybody???

            Is this a bug or my ignorance?

            Thanks!

    sullrich

              FAQ.  1:1 does not work with reflection.

              Add a manual port forward for the port to enable reflection on it.

    Hellrazor

                Ok.  I added a rule to forward port 80 and that works great!  Thanks!

                But I don't know all of the ports that need to be forwarded.  Ideally everything.  I see that reflection is limited to <501 ports.

                Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.

                Can you recommend a better approach to solving this?

                Thx

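What the manual port forward does for one port can be written by hand in pf for the whole 1:1 mapping: a binat on the WAN plus a hairpin rdr/nat pair on the LAN, with no port-range limit. This is an added example, not from the thread or from what the pfSense 1.2 GUI generates; it uses the thread's first address pair and assumes the interface names em0 (WAN) and em1 (LAN).

```pf
# Added example: manual 1:1 NAT plus hairpin ("reflection") for the first mapping
# in this thread. Interface names and macro names are assumptions, not from the page.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
vip     = "10.10.10.1"      # proxy ARP VIP on the WAN
host    = "192.168.1.1"     # LAN node it maps to

# 1:1 mapping on the WAN side, every protocol and port, in both directions.
binat on $wan_if from $host to any -> $vip

# Hairpin, step 1: a LAN node that connects to the VIP is redirected to the LAN host.
rdr on $lan_if from $lan_net to $vip -> $host

# Traffic from the firewall's own LAN address must not be rewritten; translation
# rules are first-match, so this exception has to sit above the nat rule below.
no nat on $lan_if from ($lan_if) to $lan_net

# Hairpin, step 2: rewrite the client's source to the firewall's LAN address so the
# host's reply returns through pf instead of going straight back to the client on the
# same subnet, which would never match the state and is why LAN->VIP->LAN fails.
# Side effect: the host sees every hairpinned client as the firewall, so its own
# access logs lose the real client address.
nat on $lan_if from $lan_net to $host -> ($lan_if)
```

Filter rules (not shown) are evaluated after translation and must pass the traffic as it looks post-rewrite, i.e. from the firewall's LAN address to $host on $lan_if.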