1:1 NAT with IP Alias not working - did in 2.0.1
-
Unless you are masking your WAN address, WAN has a default block on private IPs. Turning this off will help.
-
As I noted, I changed the IP address on WAN to example numbers for illustration purposes.
Ideas as to why NAT isn't working on incoming connections?
-
Have you tried changing your VIP type? For instance, if you are using IPAlias, try proxy ARP or CARP. If it still doesn't work, try changing it back to IPAlias and restarting. Other than that, it 'looks' like you have everything else in place for a correct setup. What type of NOC are you using in the system?
-
Tried all the types of VIPs.
Works fine in Untangle on same connection with different IPs.
NOC? If you mean monitor; none at the point I'm having issues. My ISP provides me with a drop point at the colocation I have this running on. I then have a switch that handles splitting to my two different routers (pfSense and Untangle).
I've never assigned the IP to any other device but pfSense (the .182), so it shouldn't be a MAC issue on the switch. I've tried leaving it now for a while in case, but it still doesn't work.
Using other IPs in my subnet works via Untangle 1:1 but not pfSense :(
-
I meant NIC, sorry. I use 1:1 for 95% of my stuff at the datacenter. I have 2 drops from my ISP for my FW cluster. Please note that with CARP and IPAlias, you must set the netmask to the same as the interface you are assigning it to. Once you have it set, reboot it. There might be some junk left over from your other attempts. Can you ping the VIP interface (after allowing a rule to do so) from the Untangle machine? Please also note that whatever server is behind it must also be using pfSense as the default gateway. If it makes it to the server and then goes out Untangle, the IPs will not match and it will break communication. This is a split route. Are the LAN and WAN in different subnets (I am assuming that LAN is a private IP range)?
-
The NIC is a 10/100 (forget brand: it's the ALIX 2D13 embedded system, the same as they advertise on this site for a pfSense appliance).
I've rebooted, but will try again.
IP Alias has worked in past and I have set to the same network /28.
The system behind it is set to use the pfSense box, and all communication is reported at the correct external IP (i.e. when visiting sites, they report the machine's IP as the one I've set for it externally. It gets communication back etc. just fine).
It's when I try to connect to that machine from an external system that it doesn't appear to get through the pfSense box (even though I have the firewall rule set to do so). Very strange :(
-
My bad … just noticed it. The rule on your WAN is incorrect. It should not be the external address but the internal address.
NAT rule looks good. Instead of: * * * 10.10.10.182 * * none
it should be:
* * * 10.9.9.2 * * none
It's just the way BSD networking works.
-
WOW, that was it… next time I'll hide my IP by using a fake external address so that these issues are more apparent to people like you who know what's going on :)
I could have sworn that when I set up IP Alias 1:1 NAT in the past I had to use the external address numbers in the destination :(
Thank you!
-
Is there a good place to read up on why the firewall works this way?
I mean… obviously the 1:1 NAT rule is "executed" first, changing the packet destination to the LAN address while still on the WAN "side" of the firewall. But that seems strange to me... I would have thought (and did) that the firewall should check the rules first to see if it should even accept a packet, then apply the NAT rules.
-
I looked this up long ago, so I hope my memory serves. Basically, in BSD, the packets get to the kernel and then the firewall decides how to deal with it. So basically you are blocking outgoing connections and not inbound connections. So when you put in a WAN rule, you are putting in an allow-out rule to the internal network.
You will need to google BSD networking/routing/firewalling to get more details.
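The order of operations behind the fix above, as an added toy model rather than anything from the thread or from pf itself: on an inbound WAN packet, pf applies translation (the 1:1 NAT mapping) before it evaluates the filter rules, so the pass rule only matches when its destination is the already-translated internal address. The addresses are the thread's example values (10.10.10.182 external VIP, 10.9.9.2 internal host); the packet structure, rule format, and the simplified first-match filter are assumptions for illustration, not pf's real data structures.

```python
# Toy model of pf's order of operations on an inbound WAN packet:
# translation (1:1 NAT) runs before the filter rules, so a WAN pass rule
# must name the *internal* address as its destination. Constructed for
# illustration; it ignores state tracking, source matching and rule order
# subtleties of a real pf ruleset.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed 1:1 NAT mapping using the thread's example addresses:
# WAN virtual IP 10.10.10.182 <-> LAN host 10.9.9.2.
ONE_TO_ONE_NAT = {"10.10.10.182": "10.9.9.2"}


def translate_inbound(pkt: Packet) -> Packet:
    """Rewrite the destination if it matches a 1:1 NAT external address."""
    internal = ONE_TO_ONE_NAT.get(pkt.dst)
    return replace(pkt, dst=internal) if internal else pkt


def filter_wan(pkt: Packet, rules: list[dict]) -> bool:
    """First-match evaluation of WAN rules; anything unmatched is dropped."""
    for rule in rules:
        if rule["dst"] in ("*", pkt.dst) and rule["dport"] in ("*", pkt.dport):
            return rule["action"] == "pass"
    return False


def inbound_allowed(pkt: Packet, rules: list[dict]) -> bool:
    """Full path for a packet arriving on WAN: NAT first, then filter."""
    return filter_wan(translate_inbound(pkt), rules)


# The rule from the thread that did not work (external VIP as destination)
# beside the corrected one (internal address as destination).
WRONG_RULE = [{"action": "pass", "dst": "10.10.10.182", "dport": "*"}]
RIGHT_RULE = [{"action": "pass", "dst": "10.9.9.2", "dport": "*"}]

if __name__ == "__main__":
    pkt = Packet(src="203.0.113.5", dst="10.10.10.182", dport=443)
    print("rule on external VIP:", inbound_allowed(pkt, WRONG_RULE))  # False
    print("rule on internal IP: ", inbound_allowed(pkt, RIGHT_RULE))  # True
```

Because the filter sees the translated packet, a rule written against the external VIP never matches, which is exactly the symptom reported in the thread.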