Traffic from 1:1 NAT dies after going through one router hop



  • Hi all,

    Have a very simple setup.

    Server A (172.16.120.50),               
    Server B (172.16.120.51),
    Bunch of desktops (172.16.120.100 ~ 199)
                  |
                  |
    pfSense FW (LAN=172.16.120.1/24, WAN=x.x.x.52, VIPs=x.x.x.50 & x.x.x.51)
                  |
                  |
    Router (My side: x.x.x.49/28, ISP side: y.y.y.2)
                  |
                  |
    ISP gateway (y.y.y.1)

    With a completely fresh install and without configuring any 1:1 NAT I can get from my desktops and the two servers out to the internet fine. As soon as I configure a 1:1 NAT say for Server 172.16.120.50 <-> x.x.x.50, That server can no longer get to anything past my router. I can ping the router successfully at x.x.x.49 but cannot ping the ISP gateway or get past my router in any way. All other machines on the network can ping the ISP gateway and get to the internet just fine. If I delete the 1:1 NAT that server starts working fine again getting NAT-ed behind the default IP of pfSense.

    Note that with the 1:1 NAT in place I can SSH to my router from the server in question without a problem. Just cannot get routed through it to get over to the other side. When I look at the arp cache of the router the correct IP (the one setup for 1:1 NAT) shows up in there.

    Same thing happens with the other server when I set it up with 172.16.120.51 <-> x.x.x.51 1:1 NAT.

    Just to make sure that the IPs x.x.x.50 and x.x.x.51 weren't getting blocked on my router somehow, I changed the IPs around. Its always the machine that is 1:1 NAT-ed that cannot get past my router. It can get to the router (ping it, SSH it, and telnet to it) and to the other test devices I stuck on the network connecting the router to the firewall but it can not get to anything over to the other side of the router.

    Totally baffled. I suspect it has something to do with the router which is a Linux/slackware box. I started testing pfSense after I was unable to get IPCop to work in the same situation.

    The goal is to make sure that even for the sessions that originate from those servers going out to the internet (like delivering SMTP mail) that I always use .50 and .51 IPs on the public side and not get Many-to-One NAT-ed behind the pfSense's WAN IP.

    So just for sanity sake I should be able to, right out of the box, create a 1:1 NAT for one of my internal machines that points to a valid external virtual IP and be able to get out to the internet from that machine without having to create any additional rules right? Besides I can get to the far side of the firewall/near side of the router from that machine anyway.

    Any suggestions?

    Thanks,

    Shahid



  • could you post screenshots of your firewall rules?
    i suspect you dont have a rule in place that allows troffic from/to the 1:1 VIP



  • Is it both incoming and outgoing traffic that don't work, or just one or the other?

    It sounds like your pfSense configuration is OK, just that there's something wrong with your router.



  • Thanks for the replies. I got it working but I am not sure how. I was sniffing with wireshark and in the midst of my troubleshooting it started working. Did not change anything in the firewall config.

    The router was working correctly as well. It was sending out ICMP packets that were getting a response and the ones that were not getting a response exactly the same way.

    One key thing that I forgot to mention in my original post is that this is a cable connection.

    Since the time the problem mysteriously fixed itself I have tore down the whole setup a couple of times and rebuilt it. And I have been able to reproduce the problem but not with consistency.

    One thing I found that fixes the problem every time is rebooting the cable modem after I am done creating all the VIPs. Any VIP that did not exist when the cable modem was powered up has a random chance of working. But if I reboot the cable modem after creating the IP then it would work every time. I did not sniff the wire to see if the modem was somehow ping sweeping my CIDR block to see which IP is live and which is not. It wouldn't make sense for it to do that.

    In any case, I'll post back if I find anything concrete. Right now my troubleshooting is not conclusive but at least I know how to get it working.

    What a great product BTW. Very impressed.


Log in to reply