'TTL exceeded' - 1:1 NAT'd IPs to IPs on bridge after 2.1 upgrade



  • I upgraded from 2.0.x to 2.1-release recently, and almost everything worked fine afterwards… except that I can no longer ping or otherwise communicate from privately-IP'd systems (1:1 NAT'd) with any (public) IPs that are on a bridged interface (DMZ) - I get a 'Time to live exceeded' response from my ISP's gateway IP.

    If I disable the 1:1 NAT so that outgoing traffic sources from pfSense's primary IP, everything works again. (However this is not a long-term solution - I need 1:1 NAT to work.)

    Communications to/from both the 1:1 NAT'd and the bridged systems work just fine from other systems on the internet. I also found that going from bridged to 1:1 NAT'd seems to work fine (i.e. the reverse of my problem).

    I've tried to think of and include all the relevant config bits below:

    Basic Firewall Config:
    ISP's gateway = 78.129.202.1
    bridge0 = WAN + DMZ
    em0 - WAN - 78.129.202.212 /24
    em4 - DMZ
    em2 - LAN - 10.0.0.1 /24

    Ping/traceroute from a 1:1 NAT'd system to a system on/behind bridge0:

    root@yoda.fr3d.org:~ # ping 78.129.202.211
    PING 78.129.202.211 (78.129.202.211) 56(84) bytes of data.
    From 78.129.202.1 icmp_seq=1 Time to live exceeded
    From 78.129.202.1 icmp_seq=2 Time to live exceeded
    
    --- 78.129.202.211 ping statistics ---
    2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
    root@yoda.fr3d.org:~ # tracert 78.129.202.211
    traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
     1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
     2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
     3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
     4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
    <traceroute continues to hop #30, and then stops>
    

    1:1 NAT:
    Yoda - 10.0.0.10 <-> 78.129.202.213 (Proxy ARP Virtual IP on WAN/em0)
    (All ports/destinations, no other special configuration directives).

    (Advanced) Outbound NAT:
    There is a default rule for all non-1:1 systems to source from pfSense's primary IP

    Advanced Settings -> NAT reflection:
    Enabled (NAT + Proxy)
    (I have tried changing this to the other two options, to no avail.)

    Port Forwards:
    None configured.

    Firewall rules:
    LAN: Allow all rule
    DMZ: Allow all rule
    WAN: Allow all from 1:1 NAT'd IPs -> any destination

    Anyone got any ideas?

    Thanks in advance :)
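A small diagnostic added here (it is not the poster's code and not part of pfSense): it parses traceroute output like the one quoted above and flags a router that answers several consecutive TTLs, which is the signature of the packet bouncing between the firewall and the ISP gateway rather than reaching the bridged host. The hop 5 line in the sample is constructed to stand in for the hops the post elides.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the traceroute from the post above, plus one made-up hop 5
# line standing in for hops 5..30, which the post says all look the same.
SAMPLE_TRACEROUTE = """\
traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
 1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
 2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
 3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
 4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
 5  78.129.202.1 (78.129.202.1)  1.700 ms  1.650 ms  1.690 ms
"""

# Matches "<hop>  [hostname] (<ipv4>) ..." lines; "* * *" timeouts do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+)?\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(text: str) -> List[Tuple[int, str]]:
    """Return (hop_number, responder_ip) for every hop line that got a reply."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def find_loop(hops: List[Tuple[int, str]], min_repeats: int = 3) -> Optional[Dict]:
    """Flag a routing loop: the same router answering min_repeats or more
    consecutive TTLs. On a healthy path each TTL expires one router further
    along, so a responder never repeats on consecutive hops."""
    i = 0
    while i < len(hops):
        j = i
        while (j + 1 < len(hops) and hops[j + 1][1] == hops[i][1]
               and hops[j + 1][0] == hops[j][0] + 1):
            j += 1
        run_len = j - i + 1
        if run_len >= min_repeats:
            return {"router": hops[i][1], "first_hop": hops[i][0], "repeats": run_len}
        i = j + 1
    return None


if __name__ == "__main__":
    loop = find_loop(parse_hops(SAMPLE_TRACEROUTE))
    print("no loop detected" if loop is None else f"routing loop: {loop}")
```

A hit here means the firewall is handing the packet to the ISP gateway and the gateway is handing it straight back, so the problem is the next-hop decision for 1:1 NAT'd sources, not the bridged host itself.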



  • Hi,

    I can confirm this problem; I also had this when upgrading to 2.1.
    There seems to be one urgent bug inside of pfSense 2.1 regarding this.
    I tried all configurations to fix this, also changing some kernel parameters, but nothing seemed to help, only downgrading back to 2.01!

    I could notice that the outbound settings couldn't configure a /32 subnet but only bigger subnets, which would result in confusion when finding the correct outbound IP in case you have multiple IPs but need to set outbound for every IP (/32), in my opinion.

    Kind regards,
    barnaba

