'TTL exceeded' - 1:1 NAT'd IPs to IPs on bridge after 2.1 upgrade
Fr3d last edited by
I upgraded from 2.0.x to 2.1-release recently, and almost everything worked fine afterwards… except that I can no longer ping or otherwise communicate from privately-IP'd systems (1:1 NAT'd) with any (public) IPs that are on a bridged interface (DMZ) - I get a 'Time to live exceeded' response from my ISP's gateway IP.
If I disable the 1:1 NAT so that outgoing traffic sources from pfSense's primary IP, everything works again. (However this is not a long-term solution - I need 1:1 NAT to work.)
Communications to/from both the 1:1 NAT'd and the bridged systems work just fine from other systems on the internet. I also found that going from bridged to 1:1 NAT'd seems to work fine (i.e. the reverse of my problem).
I've tried to think of and include all the relevant config bits below;
Basic Firewall Config:
ISP's gateway = 18.104.22.168
bridge0 = WAN + DMZ
em0 - WAN - 22.214.171.124 /24
em4 - DMZ
em2 - LAN - 10.0.0.1 /24
Ping/traceroute from a 1:1 NAT'd system to a system on/behind bridge0:
firstname.lastname@example.org:~ # ping 126.96.36.199 PING 188.8.131.52 (184.108.40.206) 56(84) bytes of data. From 220.127.116.11 icmp_seq=1 Time to live exceeded From 18.104.22.168 icmp_seq=2 Time to live exceeded --- 22.214.171.124 ping statistics --- 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms email@example.com:~ # tracert 126.96.36.199 traceroute to 188.8.131.52 (184.108.40.206), 30 hops max, 40 byte packets 1 han.starwars.local (10.0.0.1) 0.131 ms 0.100 ms 0.087 ms 2 220.127.116.11 (18.104.22.168) 1.765 ms 1.738 ms 1.728 ms 3 22.214.171.124 (126.96.36.199) 1.719 ms 1.821 ms 1.809 ms 4 188.8.131.52 (184.108.40.206) 2.514 ms 1.643 ms 1.742 ms <traceroute continues="" to="" hop="" #30,="" and="" then="" stops=""></traceroute>
Yoda - 10.0.0.10 <-> 220.127.116.11 (Proxy ARP Virtual IP on WAN/em0)
(All ports/destinations, no other special configuration directives).
(Advanced) Outbound NAT:
There is a default rule for all non-1:1 systems to source from pfSense's primary IP
Advanced Settings -> NAT reflection:
Enabled (NAT + Proxy)
(I have tried changing this to the other two options, to no avail.)
LAN: Allow all rule
DMZ: Allow all rule
WAN: Allow all from 1:1 NAT'd IPs -> any destination
Anyone got any ideas?
Thanks in advance :)
barnaba last edited by
i can confirm this problem, i also had this when upgrading to 2.1.
There seems to be one urgent bug inside of pfsense 2.1 regarding this.
i tried all configurations to fix this also to change some kernel parameter but nothing seemed to help, only to downgrade back to 2.01!
i could notice thate the outbound settings couldn´t configure /32 subnet but only bigger subnets that would result in confusing when finding the correct outbound ip in case you have multiple ips but need to set outbound for every ip (/32) in my opinion.