Another 1:1 NAT issue…



  • Starting to wonder if there's QA on this release, seems a number of packages either don't work/aren't stable in 2.1, and 1:1 NAT seems to be broken somehow. First it was issues with the Virtual IP's (legitimate, didn't have setting right), but am not sure where I'm going wrong here. It's LITERALLY a 1:1 NAT rule that's breaking the external connection.

    All my VM's are fine internally, since I've enabled just about every NAT forward rule for internal traffic there is. But after about a hour or two of trying to troubleshoot this today I'm at my wit's end. Who can help?

    Backstory, pfsense seemed a bit sluggish on a ALIX box I bought, so I found some old spare hardware and installed it on a old comp, and it works swimmingly! Except for this 1:1 NAT issue. I'm wondering if there's a trend with that? I've even formatted the new pfsense box in attempts to fix the issue. I can plug in to my old pfsense box and get connectivity with the rules enabled, but on the new box with the old box config restored on it, it is broken once again. I apologize for the repetition. Can someone help, please?

    Rules on WAN: https://www.dropbox.com/s/0o8gp776mrar6nt/rules.JPG
    VIP Config: https://www.dropbox.com/s/shhtnl5wesvk16r/vipconfig.JPG
    1:1 NAT rules: https://www.dropbox.com/s/58hef3ula672uq4/11natrule.JPG

    To clarify a bit more, once I enable the rule on the new box, pinging external just… doesn't even attempt. No traceroute, nothing.
    Once I disable the rule, everything works as it should, can ping out via hostname/IP, etc.

    I owe whoever solves this riddle a beer (or your favorite equivalent).

    P.S.
    If you'd like me to create a login on the router for you to take a peek as well, I can. Please just send me a message.

    Edit @9:25PM:
    Still not working, and I've tried removing/readding the 1:1NAT Rule, or VIP... I've tried switching interfaces (which one is WAN/LAN, etc) and no dice. Boggles the mind how it works on one install and is broken on another when in theory they have the same config.

    Edit @10:11PM:
    Reinstalled once more (With gusto!) on the new hardware, clean config, no restored config, configure VIP, still can ping (it doesn't affect the VM yet)... once I assign the 1:1 NAT rule, it breaks again. I'm filing a bug.

    Edit @11:28PM:
    I've reinstalled about 4 times now to reproduce the bug, and it does without fail break. The 1:1 NAT on clean config getting out temporarily must've been a fluke. I tried 2 more times and within seconds, the external connection would break. I'm now back on my ALIX box, and if someone has the time, we can try to troubleshoot this. In the meantime, I'm filing a bug.

    Edit @12:03AM: jimp, I see your bug/feedback on redmine: https://redmine.pfsense.org/issues/3331 Can you go into a bit more detail as to the floating rule you need to create? I created https://redmine.pfsense.org/issues/3346 ... these issues seem related.


  • Rebel Alliance Developer Netgate

    From the looks of your update on Twitter this is working and it was an upstream ARP cache issue.

    The bug you noted that I entered would only break access from a LAN 1:1 IP to another system in the WAN subnet, general access to the Internet is fine in that case. The customer who noted that bug had a server outside the firewall in the WAN subnet and he couldn't communicate with just that one server.