1:1 NAT with IP Alias not working - worked in 2.0.1



  • It has been a while since I've set up 1:1 NAT in pfSense, but in version 2.0.1 I had it working by doing the following
    (I'll use local addresses as examples):

    WAN IP: 10.10.10.178 gw: 10.10.10.177 (/28 network)

    Firewall -> Virtual IP -> Add Alias
    10.10.10.182/28

    Then Firewall -> NAT -> 1:1
    Add on WAN interface: External IP: 10.10.10.182, Internal IP: 10.9.9.2 (pfSense is 10.9.9.1), Destination IP *

    Then Firewall -> Rules -> Add
    IPv4 * * * 10.10.10.182 * * none

    which should allow any IPv4 connection to be passed into the 10.9.9.2 machine.

    From 10.9.9.2 the outbound NAT works (i.e. a check-my-IP website displays the 10.10.10.182 address).
    But trying to connect to any of the open ports on 10.9.9.2 from the internet does not work! I have no firewall currently running on 10.9.9.2 until I get this working.

    Any ideas? As I said, the above steps used to work.

    I'm on pfSense 2.1-RELEASE (i386): nanobsd (2g)
    on an ALIX board.

    Thanks!



  • Unless you are masking your WAN address, WAN has a default block on private IPs. Turning this off will help.



  • @podilarius:

    Unless you are masking your WAN address, WAN has a default block on private IPs. Turning this off will help.

    As I noted, I changed the IP address on WAN to example numbers for illustration purposes.

    Ideas as to why NAT isn't working on incoming connections?



  • Have you tried changing your VIP type? For instance, if you are using IP Alias, try Proxy ARP or CARP. If it still doesn't work, try changing it back to IP Alias and restarting. Other than that, it 'looks' like you have everything else in place for a correct setup. What type of NOC are you using in the system?



  • Tried all the types of VIPs.

    Works fine in Untangle on same connection with different IPs.

    NOC? If you mean monitor, none at the point where I'm having issues.  My ISP provides me with a drop point at the colocation I have this running on. I then have a switch that handles splitting to my two different routers (pfSense and Untangle).

    I've never assigned the IP (the .182) to any other device but pfSense, so it shouldn't be a MAC issue on the switch. I've tried leaving it now for a while just in case, but it still doesn't work.
    Using other IPs in my subnet works via Untangle 1:1 but not pfSense :(



  • I meant NIC, sorry. I use 1:1 for 95 percent of my stuff at the datacenter. I have 2 drops from my ISP for my FW cluster. Please note that with CARP and IP Alias, you must set the netmask to the same as the interface you are assigning it to. Once you have it set, reboot it. There might be some junk left over from your other attempts.
    Can you ping the VIP interface (after adding a rule to allow it) from the Untangle machine?
    Please also note that whatever server is behind it must also be using pfSense as the default gateway. If it makes it to the server and then goes out via Untangle, the IPs will not match and it will break communication. This is a split route. Are the LAN and WAN in different subnets (I am assuming that LAN is a private IP range)?



  • The NIC is a 10/100 (forget the brand: it's the ALIX 2D13 embedded system - same as they advertise on this site for a pfSense appliance).

    I've rebooted, but will try again.

    IP Alias has worked in the past and I have set it to the same network, /28.

    The system behind is set to use the pfSense box, and all communication is reported at the correct external IP (i.e. when it visits sites they report the machine's IP as the one I've set for it externally. It gets communication back etc. just fine).
    It's when I try to connect to that machine from an external system that it doesn't appear to get through the pfSense box (even though I have the firewall rule set to do so).

    very strange :(



  • My bad … just noticed it. The rule on your WAN is incorrect. It should not be the external address but the internal address.
    The NAT rule looks good. Instead of:

    *  *  * 10.10.10.182  *  *  none

    it should be:

    *  *  *  10.9.9.2  *  *  none

    It's just the way BSD networking works.



  • @podilarius:

    My bad … just noticed it. The rule on your WAN is incorrect. It should not be the external address but the internal address.
    The NAT rule looks good. Instead of:

    *  *  * 10.10.10.182  *  *  none

    it should be:

    *  *  *  10.9.9.2  *  *  none

    It's just the way BSD networking works.

    WOW, that was it… next time I'll hide my IP by using a fake external address so that these issues are more apparent to people like you who know what's going on :)

    I could have sworn that when I set up IP Alias 1:1 NAT in the past I had to use the external address numbers in the destination :(

    Thank you!



  • Is there a good place to read up on why the firewall works this way?

    I mean… obviously the 1:1 NAT rule is "executed" first, changing the packet destination to the LAN address while still on the WAN "side" of the firewall. But that seems strange to me... I would have thought (and did) that the firewall should check the rules first to see if it should even accept a packet, then apply the NAT rules.



  • I looked this up long ago, so I hope my memory serves. Basically, in BSD, the packets get to the kernel and then the firewall decides how to deal with them. So basically you are blocking outgoing connections and not inbound connections. So when you put in a WAN rule, you are putting in an allow-out rule to the internal network.
    You will need to Google BSD networking/routing/firewalling to get more details.
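What the GUI steps in this thread amount to, written out as a pf(4) ruleset so the order of operations is visible. This is an added example, not text from the thread and not pfSense's own generated rules.debug; the WAN interface name vr0 is an assumption (ALIX boards use vr(4) NICs, adjust to yours), and the addresses are the example ones from the first post. The point it shows is the one podilarius's fix relies on: pf evaluates translation rules (nat, rdr, binat) before the filter rules, so a filter rule on WAN must match the already-translated, internal destination.

```pf
# Added example (not from the thread or from pfSense's generated rules.debug).
# Assumptions: WAN NIC is vr0; 10.9.9.2 uses pfSense (10.9.9.1) as its only default
# gateway, so replies come back through the same box and the same state.

ext_if = "vr0"
wan_ip = "10.10.10.178"
vip    = "10.10.10.182"   # Firewall -> Virtual IPs -> IP Alias, same /28 as the WAN address
srv    = "10.9.9.2"       # host behind pfSense that should be reachable from outside

# An IP Alias VIP is not a pf object. pfSense puts it on the interface with ifconfig,
# roughly:  ifconfig vr0 inet 10.10.10.182 netmask 255.255.255.240 alias
# First check it is really there:        ifconfig vr0 | grep 10.10.10.182

# Firewall -> NAT -> 1:1: External 10.10.10.182 <-> Internal 10.9.9.2, Destination *.
# binat is bidirectional: outbound packets from 10.9.9.2 leave with source 10.10.10.182
# (that is why the "what is my IP" check already worked), and inbound packets addressed
# to 10.10.10.182 have their destination rewritten to 10.9.9.2.
binat on $ext_if from $srv to any -> $vip

# Translation runs BEFORE filtering, and the filter sees the translated packet.
# An inbound SYN for 10.10.10.182:443 reaches the filter as a SYN for 10.9.9.2:443.

# WRONG (the original rule, "IPv4 * * * 10.10.10.182 * * none"): it matches the
# pre-NAT destination, which the filter never sees, so it never matches anything and
# the default deny drops the connection.
# pass in quick on $ext_if inet from any to $vip keep state

# RIGHT (the fix from the thread, "* * * 10.9.9.2 * * none"): match the internal host.
# This is as wide open as the thread's rule; the caveat below tightens it.
pass in quick on $ext_if inet from any to $srv keep state

# Tighter alternative for the same setup: only the ports the host actually serves,
# since the original poster mentions no host firewall on 10.9.9.2. Adjust the list.
# pass in quick on $ext_if inet proto tcp from any to $srv port { 22 80 443 } keep state

# Checks after reloading the ruleset:
#   pfctl -sn                   -> the binat line must be listed
#   pfctl -vvsr                 -> per-rule counters; the dead $vip rule shows
#                                  Evaluations > 0 but Packets 0, the $srv rule counts
#   pfctl -ss | grep 10.9.9.2   -> a state appears once an outside client connects
#   tcpdump -n -e -ttt -i pflog0  -> blocked packets, if the default block rule logs
```

The same ordering explains the last two posts: the filter is not deciding on the packet as it arrived on the wire but on the packet after binat rewrote it, which is why the rule on WAN names the LAN address even though the packet is still on the WAN side.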

