NAT Reflection not working on SOME clients after IPv6 tunnel setup



  • Hi!

    I've been using pfSense for quite some time now with this setup:
    pfSense 2.1-RC1 (built on Mon Jul 29 16:20:43 EDT 2013) as a VM on ESXi 5.1 like this: http://imgur.com/WoJB7oJ  (WLAN is my WiFi network)
    The picture is old, there are more VMs on the LAN network now and a third network called OSIF
    LAN is 192.168.0.0/24
    WLAN is 192.168.10.0/24
    OSIF is 192.168.100.0/24

    Now I have a bunch of port forwards: http://imgur.com/0k35JQs

    I also configured NAT Reflection like this: http://imgur.com/bglOnDv

    I have a domain at strato.de which is configured for DynDNS on my WAN IP, lets call that internal.net.

    Everything was working fine on every client/VM, I could access all my portforwards from within using internal.net.

    Yesterday I setup a IPv6 tunnel from he.net using this tutorial: http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

    My interfaces now look like this: http://imgur.com/OBFe9mh http://imgur.com/861MtbA

    I gave my Windows 2012 and Linux VMs static IPv6 addresses and both IPv4 and IPv6 is working for them.

    I also opened some ports on the IPv6 tunnel: http://imgur.com/Vloa9es , they work too (well, smpt is blocked by he.net but they work).

    I don't have DHCPv6 OR router advertisments on, so they only get an IPv6 address if I give them a static one.

    Now comes the weird part:
    The both Windows 2012 VM which are in both the LAN and WLAN Network are able to access internal.net (they have static IPv6 addresses on BOTH interfaces (not the same of course)).
    The third Windows 2012 VM, only connected to LAN is NOT able to access internal.net, the connection just times out. This VM has a static IPv6.
    The Linux Mint VM, only connected to LAN is NOT able to access internal.net, the connection just times out. This VM has a static IPv6.
    The Windows 7 VM, only connected to LAN is NOT able to access internal.net, the connection just times out. This VM has a static IPv6.
    My physical Windows 8 PC, connected to LAN is NOT able to access internal.net, the connection just times out. This PC does NOT have a IPv6 address, only link-local.
    My Macbook Pro (10.6.8, Snow Leopard), connected to WLAN is ABLE to access internal.net! This PC also does NOT have a IPv6 address, only link-local.
    My iPhone, also connected to WLAN is also able to access internal.net.
    There is a Ubuntu VM on the OSIF Network which is also able to access internal.net. This VM does not have a IPv6 addess, only link-local.

    It seems that everything only on the LAN interface is not able to use NAT Reflection. It also doesn't work using my WAN IP instead of the domain.

    My Firewall rules for LAN look like this: http://imgur.com/gtJberE For WLAN they are identical, except the anti-lockout rule is not there.

    I also have a IPv6 problem on the WLAN interface, from both Windows 2012 VMs, I can't reach the gateway 2001:470:XXXX:XXXX:2::1
    I got myself a /48 from he.net und properly subnetted LAN and WLAN, IPv6 is now working on both interfaces. NAT Reflection is still only working on every interface except LAN for both IPv4 and IPv6 clients.

    If I disable NET Reflection and try to go to internal.net or to my WAN IP I get to the pfsense login from every internal interface. If I turn it on again, LAN does not work, but WLAN does.

    tl;dr: NAT Reflection is working except for every client on LAN interface.

    Please tell me what I'm doing wrong or if this is a bug or whatever.