Netgate Discussion Forum

    NAT 1:1 on 2.1-RELEASE issue

    NAT
    3 Posts 1 Posters 1.1k Views
    • vielfede

      Hello,
      after upgrading to 2.1-RELEASE from 2.1-RC1 I got the following issue:
      NAT 1:1 does not work properly:

      • If I try to connect to my NATed DMZ mail server from a host on the WAN network, NAT works;

      • If I try to connect to it from an external address (e.g. my phone), it does not;

      I dug some more with packet capture and I found out the following:
      Packets arrive on the WAN interface but not on the DMZ interface (it seems like they do not traverse the firewall).

      Moreover, if I try to connect to Google (http) from the DMZ mail server I can see

      • request packets exiting from the NATED ADDRESS (the WAN virtual IP)

      • answer packets entering at the NATED ADDRESS (the WAN virtual IP)

      but I cannot see them (the answer packets) on the DMZ interface.

      Hence routing is OK, but something goes wrong with NAT 1:1 and/or firewall traversal from "internet addresses".
      Here is my NAT config (I use manual outbound NAT rules).

      Any idea?
      Thank you in advance
      ![Virutal IP.JPG](/public/imported_attachments/1/Virutal IP.JPG)
      ![NAT 1-1.JPG](/public/imported_attachments/1/NAT 1-1.JPG)
      ![Outbound 2.1.JPG](/public/imported_attachments/1/Outbound 2.1.JPG)

      • vielfede

        @vielfede:

        Moreover, if I try to connect to Google (http) from the DMZ mail server I can see

        • request packets exiting from the NATED ADDRESS (the WAN virtual IP)

        • answer packets entering at the NATED ADDRESS (the WAN virtual IP)

        but I cannot see them (the answer packets) on the DMZ interface.

        This is what I mean: my DMZ mail server seems to get NATed outside but not inside.
        Packet captures of a connection attempt to Google:

        ON DSL interface:
        16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
        16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
        16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:22.188522 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:22.428460 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:23.388629 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:23.628438 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
        16:42:24.242951 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:24.414444 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
        16:42:24.443562 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:25.790529 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
        16:42:26.028500 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
        16:42:29.884252 IP XX.YY.ZZZ.245.1636 > 173.194.35.23.80: tcp 0
        16:42:29.914162 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1636: tcp 0

        ON DMZ interface:
        16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
        16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
        16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
        16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
        16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
        16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
        16:43:27.281005 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
        16:43:27.381596 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
        16:43:27.482185 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
        16:43:27.482214 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0

        10.6.107.2 is the mail server IP in the DMZ
        XX.YY.ZZZ.245 is the virtual public IP (NATed) on the DSL interface
        173.194.35.23 is Google

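The two captures above can be read mechanically rather than by eye. The script below is an added example, not code from the post or from pfSense: it parses the tcpdump lines exactly as pasted in the thread (the public address stays masked as XX.YY.ZZZ.245), counts packets per flow on each interface, and flags flows on which the DMZ host keeps retransmitting without ever receiving a packet, which is the "NATed outside but not inside" symptom described. The flow key, the SYN-retry heuristic and the verdict strings are this example's own assumptions.

```python
"""Read the two tcpdump captures from the post and check both halves of a 1:1 NAT.
Added example, not code from the post or from pfSense; the verdict strings and the
flow bookkeeping are this example's own assumptions."""
import re
from collections import defaultdict

PUBLIC_IP = "XX.YY.ZZZ.245"  # WAN virtual IP, masked exactly as in the post
DMZ_IP = "10.6.107.2"        # mail server behind the 1:1 mapping

# Capture text copied from the post: DSL/WAN side first, then the DMZ side.
WAN_CAPTURE = """
16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:22.188522 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:22.428460 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:23.388629 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:23.628438 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:24.242951 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:24.414444 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
16:42:24.443562 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:25.790529 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:26.028500 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
16:42:29.884252 IP XX.YY.ZZZ.245.1636 > 173.194.35.23.80: tcp 0
16:42:29.914162 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1636: tcp 0
"""
DMZ_CAPTURE = """
16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:27.281005 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:27.381596 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
16:43:27.482185 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
16:43:27.482214 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
"""

# One-line tcpdump form used in the post: HH:MM:SS.usec IP src.sport > dst.dport: tcp len
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+tcp\s+\d+$"
)

def parse(capture):
    """Return (ts, src, sport, dst, dport) for every line that matches LINE_RE."""
    rows = []
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return rows

def flows(capture, local_ip):
    """Per-flow packet counts seen from local_ip, keyed (local_port, peer, peer_port).
    binat keeps the source port, so the key is the same on both sides of the mapping."""
    table = defaultdict(lambda: {"out": 0, "in": 0})
    for _, src, sport, dst, dport in parse(capture):
        if src == local_ip:
            table[(sport, dst, dport)]["out"] += 1
        elif dst == local_ip:
            table[(dport, src, sport)]["in"] += 1
    return dict(table)

def unanswered(table):
    """Flows the local host transmitted on without ever receiving a packet."""
    return sorted(k for k, c in table.items() if c["out"] and not c["in"])

def diagnose_1to1(wan_capture, dmz_capture, public_ip, dmz_ip):
    wan, dmz = flows(wan_capture, public_ip), flows(dmz_capture, dmz_ip)
    wan_silent, dmz_silent = unanswered(wan), unanswered(dmz)
    # A flow seen outbound more than once with no reply is the host retransmitting its SYN.
    syn_retries = sum(dmz[k]["out"] - 1 for k in dmz_silent)
    if not wan:
        verdict = "nothing leaves from the public address: outbound NAT is not applied"
    elif wan_silent:
        verdict = "WAN sends but nothing comes back: look upstream, not at the firewall"
    elif dmz_silent:
        verdict = ("replies reach the WAN virtual IP but never appear on DMZ: "
                   "the inbound half of the 1:1 mapping or the return path is broken")
    else:
        verdict = "both halves of the 1:1 translation are working"
    return {
        "wan_flows": len(wan), "dmz_flows": len(dmz),
        "wan_unanswered": wan_silent, "dmz_unanswered": dmz_silent,
        "dmz_syn_retries": syn_retries,
        # Non-empty only when both captures were taken at the same time.
        "correlated": sorted(set(wan) & set(dmz)),
        "verdict": verdict,
    }
```

On the posted data every WAN-side flow gets replies while all five DMZ-side flows are SYNs retried once with nothing coming back, so the verdict is the third branch. The "correlated" list is empty here only because the two captures were taken a minute apart; with a simultaneous capture on both interfaces it lists the flows seen on both sides, and a flow present on WAN with replies but absent from that list is exactly the packet the inbound translation dropped.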
        • vielfede

          [UPDATE]
          Today I have tested NAT 1:1 on a fresh test 2.1-RELEASE installation (i.e. built from scratch, with just the essential things)…

          No problems arose!  :-[

          Hence I have begun to search for the problem elsewhere...
          So I went back to testing the pfSense "production config" and I disabled
          1. Manual outbound NAT: no results

          2. LAN failover: no results

          3. Default gateway switching: OK!!!!!!!!!!!!!!!! NAT 1:1 works from the internet too!!!

          Moreover... I reverted (with config history) to the "original" config (before disabling outbound NAT) and now it's still working :o :o :o :o :o :o

          Really a big "mystery"

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.