'TTL exceeded' - 1:1 NAT'd IPs to IPs on bridge after 2.1 upgrade

  • I upgraded from 2.0.x to 2.1-release recently, and almost everything worked fine afterwards… except that I can no longer ping or otherwise communicate from privately-IP'd systems (1:1 NAT'd) with any (public) IPs that are on a bridged interface (DMZ) - I get a 'Time to live exceeded' response from my ISP's gateway IP.

    If I disable the 1:1 NAT so that outgoing traffic sources from pfSense's primary IP, everything works again. (However this is not a long-term solution - I need 1:1 NAT to work.)

    Communications to/from both the 1:1 NAT'd and the bridged systems work just fine from other systems on the internet. I also found that going from bridged to 1:1 NAT'd seems to work fine (i.e. the reverse of my problem).

I've tried to think of and include all the relevant config bits below:

    Basic Firewall Config:
    ISP's gateway =
    bridge0 = WAN + DMZ
    em0 - WAN - /24
    em4 - DMZ
    em2 - LAN - /24

    Ping/traceroute from a 1:1 NAT'd system to a system on/behind bridge0:

    root@yoda.fr3d.org:~ # ping
    PING ( 56(84) bytes of data.
    From icmp_seq=1 Time to live exceeded
    From icmp_seq=2 Time to live exceeded
    --- ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
    root@yoda.fr3d.org:~ # tracert
    traceroute to (, 30 hops max, 40 byte packets
     1  han.starwars.local (  0.131 ms  0.100 ms  0.087 ms
     2 (  1.765 ms  1.738 ms  1.728 ms
     3 (  1.719 ms  1.821 ms  1.809 ms
     4 (  2.514 ms  1.643 ms  1.742 ms
    (traceroute continues to hop #30, and then stops)

    1:1 NAT:
    Yoda - <-> (Proxy ARP Virtual IP on WAN/em0)
    (All ports/destinations, no other special configuration directives).

    (Advanced) Outbound NAT:
    There is a default rule for all non-1:1 systems to source from pfSense's primary IP

    Advanced Settings -> NAT reflection:
    Enabled (NAT + Proxy)
    (I have tried changing this to the other two options, to no avail.)

    Port Forwards:
    None configured.

    Firewall rules:
    LAN: Allow all rule
    DMZ: Allow all rule
    WAN: Allow all from 1:1 NAT'd IPs -> any destination

    Anyone got any ideas?

    Thanks in advance :)
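As an added illustration (not part of the original post), the symptom above, a 'Time to live exceeded' from an upstream hop plus a traceroute that runs to the 30-hop limit, is the signature of a forwarding loop; the helper below parses ping and traceroute output in the same format and flags the first hop address that repeats. The hop addresses in the sample are constructed placeholders (RFC 5737 documentation ranges), since the post's own addresses were stripped.

```python
import re

# Constructed sample output in the post's format; addresses are documentation
# placeholders, not the poster's network.
SAMPLE_PING = """\
PING 203.0.113.50 (203.0.113.50) 56(84) bytes of data.
From 198.51.100.1 icmp_seq=1 Time to live exceeded
From 198.51.100.1 icmp_seq=2 Time to live exceeded
"""

SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.50 (203.0.113.50), 30 hops max, 40 byte packets
 1  han.starwars.local (192.0.2.1)  0.131 ms  0.100 ms  0.087 ms
 2  198.51.100.1 (198.51.100.1)  1.765 ms  1.738 ms  1.728 ms
 3  198.51.100.2 (198.51.100.2)  1.719 ms  1.821 ms  1.809 ms
 4  198.51.100.1 (198.51.100.1)  2.514 ms  1.643 ms  1.742 ms
 5  198.51.100.2 (198.51.100.2)  2.601 ms  1.702 ms  1.690 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\S+)\)")


def ttl_exceeded_count(ping_output):
    """Number of 'Time to live exceeded' replies in Linux ping output."""
    return sum(1 for line in ping_output.splitlines()
               if "Time to live exceeded" in line)


def parse_hops(traceroute_output):
    """Return [(hop_number, address)] for each hop line that resolved."""
    hops = []
    for line in traceroute_output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def find_loop(hops):
    """First address seen at two different hops, as (first_hop, repeat_hop,
    address), or None. A router reappearing downstream means the packet is
    being handed back and forth instead of reaching the destination."""
    seen = {}
    for num, addr in hops:
        if addr in seen:
            return (seen[addr], num, addr)
        seen[addr] = num
    return None


def diagnose(ping_output, traceroute_output):
    """Combine both checks into a one-line verdict for the operator."""
    loop = find_loop(parse_hops(traceroute_output))
    if loop and ttl_exceeded_count(ping_output):
        return "forwarding loop: %s seen at hops %d and %d" % (loop[2], loop[0], loop[1])
    return "no loop detected"
```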

  • Hi,

    I can confirm this problem, I also had this when upgrading to 2.1.
    There seems to be one urgent bug inside of pfSense 2.1 regarding this.
    I tried all configurations to fix this, also changing some kernel parameters, but nothing seemed to help, only downgrading back to 2.01!

    I could notice that the outbound settings couldn't configure a /32 subnet but only bigger subnets, which would result in confusion when finding the correct outbound IP in case you have multiple IPs but need to set outbound for every IP (/32), in my opinion.

    kind regards,