'TTL exceeded' - 1:1 NAT'd IPs to IPs on bridge after 2.1 upgrade
-
I upgraded from 2.0.x to 2.1-release recently, and almost everything worked fine afterwards… except that I can no longer ping or otherwise communicate from privately-IP'd systems (1:1 NAT'd) with any (public) IPs that are on a bridged interface (DMZ) - I get a 'Time to live exceeded' response from my ISP's gateway IP.
If I disable the 1:1 NAT so that outgoing traffic sources from pfSense's primary IP, everything works again. (However this is not a long-term solution - I need 1:1 NAT to work.)
Communications to/from both the 1:1 NAT'd and the bridged systems work just fine from other systems on the internet. I also found that going from bridged to 1:1 NAT'd seems to work fine (i.e. the reverse of my problem).
I've tried to think of and include all the relevant config bits below:
Basic Firewall Config:
ISP's gateway = 78.129.202.1
bridge0 = WAN + DMZ
em0 - WAN - 78.129.202.212 /24
em4 - DMZ
em2 - LAN - 10.0.0.1 /24
Ping/traceroute from a 1:1 NAT'd system to a system on/behind bridge0:
root@yoda.fr3d.org:~ # ping 78.129.202.211
PING 78.129.202.211 (78.129.202.211) 56(84) bytes of data.
From 78.129.202.1 icmp_seq=1 Time to live exceeded
From 78.129.202.1 icmp_seq=2 Time to live exceeded
--- 78.129.202.211 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 999ms
root@yoda.fr3d.org:~ # tracert 78.129.202.211
traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
 1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
 2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
 3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
 4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
<traceroute continues to hop #30, and then stops>
1:1 NAT:
Yoda - 10.0.0.10 <-> 78.129.202.213 (Proxy ARP Virtual IP on WAN/em0)
(All ports/destinations, no other special configuration directives).
(Advanced) Outbound NAT:
There is a default rule for all non-1:1 systems to source from pfSense's primary IP
Advanced Settings -> NAT reflection:
Enabled (NAT + Proxy)
(I have tried changing this to the other two options, to no avail.)
Port Forwards:
None configured.
Firewall rules:
LAN: Allow all rule
DMZ: Allow all rule
WAN: Allow all from 1:1 NAT'd IPs -> any destination
Anyone got any ideas?
Thanks in advance :)
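The traceroute above shows the classic signature of a forwarding loop: the same router (the ISP gateway) answers "Time to live exceeded" for every successive TTL, so the probe is being handed back and forth rather than moving towards 78.129.202.211. The following is an added example, not code from the post or from pfSense, that parses traceroute output of this shape and flags such a run of repeated responders; the sample text is the post's own output re-typed line by line, and the run length threshold is an assumption.

```python
import re

# Constructed sample: the traceroute from the post above, one hop per line.
SAMPLE_TRACEROUTE = """\
traceroute to 78.129.202.211 (78.129.202.211), 30 hops max, 40 byte packets
 1  han.starwars.local (10.0.0.1)  0.131 ms  0.100 ms  0.087 ms
 2  78.129.202.1 (78.129.202.1)  1.765 ms  1.738 ms  1.728 ms
 3  78.129.202.1 (78.129.202.1)  1.719 ms  1.821 ms  1.809 ms
 4  78.129.202.1 (78.129.202.1)  2.514 ms  1.643 ms  1.742 ms
"""

# "<hop>  <name> (<ip>)  ..." lines; timeouts ("<hop>  * * *") are kept as None
# so that a silent hop breaks a run instead of being silently skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text):
    """Return [(hop_number, responder_ip_or_None), ...] in hop order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
            continue
        t = TIMEOUT_RE.match(line)
        if t:
            hops.append((int(t.group(1)), None))
    return hops


def find_loop(hops, min_repeats=3):
    """Return (ip, first_hop, run_length) for the longest run of consecutive
    TTL values answered by the same router, if it is at least min_repeats
    long; otherwise None.  A router that answers every TTL in a row keeps
    receiving the same probe, i.e. the next hop is sending it straight back:
    a loop, not merely a slow or rate-limited hop (threshold is an assumption)."""
    best = None
    run_ip, run_start, run_len = None, None, 0
    for hop, ip in hops:
        if ip is not None and ip == run_ip:
            run_len += 1
        else:
            run_ip, run_start, run_len = ip, hop, (1 if ip else 0)
        if ip is not None and run_len >= min_repeats:
            if best is None or run_len > best[2]:
                best = (run_ip, run_start, run_len)
    return best


if __name__ == "__main__":
    print(find_loop(parse_hops(SAMPLE_TRACEROUTE)))
```

Run against a full 30-hop capture, the reported run would span hops 2 to 30, which is what the post describes; a healthy path returns None.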
-
Hi,
I can confirm this problem, I also had this when upgrading to 2.1.
There seems to be one urgent bug inside of pfsense 2.1 regarding this.
I tried all configurations to fix this, also changing some kernel parameters, but nothing seemed to help, only downgrading back to 2.01!
I could notice that the outbound settings couldn't configure a /32 subnet but only bigger subnets, which would result in confusion when finding the correct outbound IP in case you have multiple IPs but need to set outbound for every IP (/32), in my opinion.
kind regards,
barnaba