Netgate Discussion Forum

Outbound NAT not working for OPT interfaces

NAT
17 Posts 3 Posters 13.0k Views
    theNADS
    last edited by Oct 20, 2013, 1:48 PM

    Hello,

    It has taken about three years for me to manage to get pfSense installed, but I have finally managed it. Unfortunately, I cannot get it set up now.

    I have 4 NICs on a mini-itx server and the LAN to WAN interface connection is working fine. However, the optional two interfaces just do not let anything through.

    Outbound NAT has been set as follows:

    Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port    Static Port  Description
    WAN        192.168.32.0/24  *            *            *                 WAN address  *           NO           Auto created rule for LAN to WAN
    WAN        192.168.38.0/24  *            *            *                 WAN address  *           NO           Auto created rule for WIFI to WAN
    WAN        192.168.40.0/24  *            *            *                 WAN address  *           NO           Auto created rule for OPT2 to WAN
    WAN        127.0.0.0/8      *            *            *                 WAN address  1024:65535  NO

    and the firewall rules are as follows for each of these subnets:

    Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 *  LAN net   *     *            *     *        none
    IPv4 *  WIFI net  *     *            *     *        none
    IPv4 *  OPT2 net  *     *            *     *        none

    The interfaces are all up and I can ping them from the pfSense SSH connection.

    Could someone please tell me what I have missed?

      marvosa
      last edited by Oct 20, 2013, 2:22 PM

      Just to make sure, which tab did you pull those firewall rules from?

        theNADS
        last edited by Oct 20, 2013, 2:46 PM

        The rules are applied to the correct interface

        I have even added individual rules from the system firewall logs and played with the ordering of the rules on each interface, but traffic is still blocked. I just cannot make sense of this.

        All the interfaces are setup the same with private network addresses allowed.

          marvosa
          last edited by Oct 20, 2013, 3:09 PM

          Ok, so then just so we're clear, you added the following lines manually to your post and they are not all on the LAN interface correct?:

          Proto   Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
          IPv4 *  LAN net   *     *            *     *        none
          IPv4 *  WIFI net  *     *            *     *        none
          IPv4 *  OPT2 net  *     *            *     *        none

          Let's get traffic flowing first, then worry about restricting access later.  Set your LAN, WIFI and OPT2 to any/any.  i.e. your LAN should have an anti-lockout rule plus an any/any, the other two should have just any/any.  Then reset your states and report back.

          If you can, post a screen shot of your blocks and your routing table.

            theNADS
            last edited by Oct 20, 2013, 3:38 PM

            All the firewall rules have been applied to the correct interfaces. I have used Monowall for years, so I do understand the basics of this.

            Traffic flows from the LAN (192.168.32.1) to the WAN (192.168.24.254) without issue, but WIFI or OPT to WAN is a no go.

            I have the basic allow everything to everything on the LAN, WIFI and OPT interfaces. I am not trying to restrict anything at this stage; I am just trying to see if I can get some traffic moving through each interface (as you are suggesting). I only added the auto add rules as I am at a loss to know why this does not work.

            All the interfaces are up and show the correct IP, and they must be working because the logs show my ping, DNS, SSH, HTTP etc. connections are being blocked. I just cannot work out why they are being blocked as everything is allowed!!!

              marvosa
              last edited by Oct 20, 2013, 4:11 PM

              Post a pic of the blocks.

                theNADS
                last edited by Oct 20, 2013, 4:53 PM

                Not everything shows as being blocked. I can see in /var/log/filter.log a dig google.com is getting blocked:

                Oct 20 16:29:41 gateway pf: 00:00:03.003187 rule 3/0(match): block in on em0: (tos 0x0, ttl 64, id 63826, offset 0, flags [DF], proto UDP (17), length 96)
                Oct 20 16:29:41 gateway pf:    192.168.40.2.33249 > 192.168.40.1.53: 33813+ A? safebrowsing.clients.google.com.googlespy.co.uk. (68)

                  theNADS
                  last edited by Oct 20, 2013, 4:55 PM

                  [Attachment: Clipboard01.jpg (screenshot of the firewall log)]

                    theNADS
                    last edited by Oct 20, 2013, 5:12 PM

                    I have discovered option 10 on the ssh login menu and everything does seem to be getting blocked regardless of the allow anything rule that has been set.

                    The block private networks setting on the OPT interface in question has been tried checked as well as unchecked and it did not make any difference (it has been left unchecked again now). Resetting the states also did not resolve anything.

                    I am running out of ideas now!

                      Supermule Banned
                      last edited by Oct 20, 2013, 5:18 PM

                      I think he meant the networks blocks and not the firewall blocks….. ;)

                        theNADS
                        last edited by Oct 20, 2013, 6:14 PM

                        :o

                        WAN   192.168.24.254  (192.168.24.0/24)  gw address 192.168.24.1
                        LAN   192.168.32.1    (192.168.32.0/24)
                        WIFI  192.168.38.1    (192.168.38.0/24)
                        OPT   192.168.40.1    (192.168.40.0/24)

                          Supermule Banned
                          last edited by Oct 20, 2013, 6:38 PM

                          And then you post the pictures of all outbound NAT rules ;)

                            theNADS
                            last edited by Oct 20, 2013, 7:28 PM

                            The outbound NAT rules are as listed in one of my earlier posts. I am not at work anymore, so I will post a screenshot in the morning showing that this is the case. I deleted the outbound NAT rules before I reset the states. So after switching to auto and then back to manual outbound rules there were a couple of additional rules added that do not randomise ports during NAT. The auto generated rules were also /32 for the OPT interfaces, so I changed these to a /24 for the OPT interface subnets.

                            Essentially outbound  NAT is still as my earlier post.  :-\

                              marvosa
                              last edited by Oct 20, 2013, 9:48 PM

                              Also the blocks from your screenshot are coming from the "PCI" interface, which you say is OPT2.  Post the firewall rules from all your interfaces.

                                theNADS
                                last edited by Oct 20, 2013, 11:35 PM

                                I have referred to one of the interfaces as OPT to make the post easier to understand. The two optional interfaces are actually named WIFI and PCI.

                                The interfaces have been set with these names from the beginning. I renamed them as soon as I logged in to the WUI.

                                The rules for each interface are set exactly as I have mentioned above. The only difference between the rules on the LAN interface and the OPT1/OPT2 or PCI/WIFI interfaces is that the LAN has the anti-lockout rule and an IPv6 allow everything everywhere outbound rule. On the OPT1/OPT2 or the PCI/WIFI interfaces I have only added IPv4 rules that should be allowing everything everywhere outbound. I will post images in the morning.

                                I have also been wondering if the IP address settings on each interface might be incorrect. I think I may have given the OPT1/OPT2 or PCI/WIFI interfaces a 192.168.38.1/32  and a 192.168.40.1/32 IP address/addresses. I might try a /24 on these interfaces in the morning as well!

                                  marvosa
                                  last edited by Oct 20, 2013, 11:43 PM

                                  Ahhh… yes.... if you gave them a /32 that may be your issue, but we'll see when you check tomorrow.

                                    theNADS
                                    last edited by Oct 21, 2013, 9:36 AM

                                    pfSense is up and running fine now. The /32 setting on the OPT interfaces was the issue!!! A simple balls up that had me completely lost until I had a brain wave last night.

                                    I should have guessed this earlier really. When the outbound NAT rules were autogenerated I kept changing them to NAT the whole subnet rather than just the interface address!!!

                                    This is the issue when you use a forum to ask for help you know you will ultimately look like a numpty when your error is found! Thanks for your assistance anyway it helped me think things through until I realised what the problem was.

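The thread resolves on the OPT interfaces having been given a /32 instead of a /24, which was suspected in the Oct 20 11:35 PM post and confirmed in the last one. The following is an added example, not code from the thread or from pfSense, showing why that mask breaks both the firewall rules and outbound NAT: pfSense expands the "<IF> net" macro in a rule to the subnet the interface address belongs to, and automatic outbound NAT uses that same subnet as its source, so a 192.168.40.1/32 address shrinks "OPT2 net" to a single host that no client can match. The log lines are a constructed copy of the two-line pf filter.log entry posted in the thread; the helper and function names are the example's own, and the regexes assume only that tcpdump-style layout.

```python
"""Added example: reproduce the "/32 on an OPT interface" mistake from the
thread.  A pass rule with source "OPT2 net" matches only addresses inside the
interface's subnet, so with 192.168.40.1/32 a client at 192.168.40.2 falls
through to the default block, even though "everything is allowed"."""
import ipaddress
import re

# Constructed copy of the pf log entry from the thread (pfSense 2.x filter.log,
# tcpdump-style, split across two syslog lines).
LOG_HEADER = ("Oct 20 16:29:41 gateway pf: 00:00:03.003187 rule 3/0(match): "
              "block in on em0: (tos 0x0, ttl 64, id 63826, offset 0, "
              "flags [DF], proto UDP (17), length 96)")
LOG_PAYLOAD = ("Oct 20 16:29:41 gateway pf:    192.168.40.2.33249 > "
               "192.168.40.1.53: 33813+ A? "
               "safebrowsing.clients.google.com.googlespy.co.uk. (68)")

_HDR_RE = re.compile(
    r"rule (?P<rule>\d+/\d+)\(match\): (?P<action>block|pass) "
    r"(?P<direction>in|out) on (?P<ifname>\w+):")
_ADDR_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")


def parse_pf_log(header: str, payload: str) -> dict:
    """Pull rule id, verdict, interface and endpoints out of one log entry."""
    hdr = _HDR_RE.search(header)
    addr = _ADDR_RE.search(payload)
    if hdr is None or addr is None:
        raise ValueError("unrecognised pf log entry")
    event = hdr.groupdict()
    event.update(addr.groupdict())
    return event


def interface_net(if_addr: str) -> ipaddress.IPv4Network:
    """What "<IF> net" expands to: the subnet of the interface's own address."""
    return ipaddress.ip_interface(if_addr).network


def pass_rule_matches(src_ip: str, if_addr: str) -> bool:
    """Would 'pass in from <IF> net to any' match a packet from src_ip?"""
    return ipaddress.ip_address(src_ip) in interface_net(if_addr)


def auto_outbound_nat_source(if_addr: str) -> str:
    """Source network an automatically generated outbound NAT rule would carry."""
    return str(interface_net(if_addr))


def diagnose(header: str, payload: str, if_addr: str) -> dict:
    """Explain the logged block against a candidate interface address/mask."""
    ev = parse_pf_log(header, payload)
    return {
        "src": ev["src"],
        "interface_net": str(interface_net(if_addr)),
        "pass_rule_matches": pass_rule_matches(ev["src"], if_addr),
        "auto_nat_source": auto_outbound_nat_source(if_addr),
    }


if __name__ == "__main__":
    # /32 is what the thread had configured; /24 is the fix.
    for if_addr in ("192.168.40.1/32", "192.168.40.1/24"):
        print(if_addr, diagnose(LOG_HEADER, LOG_PAYLOAD, if_addr))
```

With the /32 the diagnosis reports `pass_rule_matches: False` and an auto NAT source of `192.168.40.1/32`, which is exactly the pair of symptoms in the thread (allow-all rules that still block, and auto-generated outbound NAT entries covering only the interface address). With the /24 the client falls inside the interface net and the NAT source becomes `192.168.40.0/24`. The same check is worth running against every interface's address/mask before chasing rule ordering or state resets.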
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.