Incoming TCP traffic dies after 1:1 NAT??
  • Hi guys,

    I have PFSense v1.2-RC3 set up to do 1:1 NAT for my assigned range of 64 external IPs.
    I started NATting 2 servers with following setup:

    Interfaces:

    • WAN: Type static, IP xxx.xxx.199.199/8, gateway xxx.xxx.199.254
    • LAN: Bridge with none, IP 192.168.1.1/24
    • No OPT1

    Virtual IPs:

    • Proxy ARP, on WAN, Single address, xxx.xxx.199.230/32
    • Proxy ARP, on WAN, Single address, xxx.xxx.199.231/32

    1:1 NAT:

    • on WAN, external xxx.xxx.199.230/32, internal 192.168.1.230
    • on WAN, external xxx.xxx.199.231/32, internal 192.168.1.231

    Firewall:

    • on WAN,  *  *  * * * *    Pass anything in (just for tests)
    • on LAN,  * LAN net * * * *    Default LAN -> any

    Servers:

    • both set up with 192.168.1.1 as gateway

    Both servers can be accessed no problem from the internal subnet.
    However when I browse to either of the external IPs no response comes back.
    I first thought 1:1 NAT did not work but it does. The rule gets triggered according to the log and when I tcpdump the server connection I get:

    18:40:42.279005 IP (tos 0x0, ttl 119, id 51126, offset 0, flags [DF], proto: TCP (6), length: 48) 141-244-045-xxx.dynamic.caiway.nl.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackOK>

    but…. nothing comes back.

    When I access the servers through their external interfaces (directly linked to the internet, just testing...) I get:
    18:32:34.608860 IP (tos 0x0, ttl 120, id 50184, offset 0, flags [DF], proto: TCP (6), length: 566) 141-244-045-xxx.dynamic.caiway.nl.61387 > backup.xxx.nl.http: P 22764:23290(526) ack 4000 win 64512

    and the response:
    18:32:34.609263 IP (tos 0x0, ttl  64, id 368, offset 0, flags [DF], proto: TCP (6), length: 133) backup.xxx.nl.http > 141-244-045-xxx.dynamic.caiway.nl.61387: P 4000:4093(93) ack 23290 win 53606

    So no problems there. Access from the local subnet works as well.

    I read through all 1:1 NAT related posts but cannot find any reference to this problem.
    Upgrade to RC3 has not helped. Neither has redoing the config, reboots etc.

    I would be grateful for any ideas about how to solve this… I'm kind of stuck for over a week now.
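One thing worth checking on the server-side capture is whether the SYNs ever get a SYN-ACK back at all. The script below is an added example, not code from the thread: it scans lines in the verbose tcpdump format quoted above and lists client/server pairs whose SYN was never answered. `SAMPLE_CAPTURE` is a constructed sample (its first line is the SYN from the post, the rest are made up for illustration).

```python
from __future__ import annotations

import re
from typing import Iterable

# Verbose (-v) tcpdump line as quoted in the post:
#   <time> IP (tos ..., proto: TCP (6), length: N) src.port > dst.port: FLAGS ...
# Older tcpdump prints flags like "S" or "P" and signals ACK with "ack N"
# in the rest of the line instead of a "." flag; both styles are handled.
TCPDUMP_TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?proto: TCP.*?\) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+)"
)


def parse_tcp(line: str) -> tuple[str, str, bool, bool] | None:
    """Return (src, dst, is_syn, is_ack) for a TCP line, else None."""
    m = TCPDUMP_TCP_RE.match(line.strip())
    if not m:
        return None
    flags, rest = m.group("flags"), line[m.end():]
    is_syn = "S" in flags
    is_ack = "." in flags or re.search(r"\back \d+", rest) is not None
    return m.group("src"), m.group("dst"), is_syn, is_ack


def unanswered_syns(lines: Iterable[str]) -> dict[tuple[str, str], int]:
    """Map (client, server) -> number of SYNs seen without a SYN-ACK back.

    A SYN-ACK flows server -> client, so the key is reversed when matching.
    Captured on the server, a non-empty result means the SYN arrived but
    the reply never left, which is the symptom described in the post.
    """
    pending: dict[tuple[str, str], int] = {}
    for line in lines:
        parsed = parse_tcp(line)
        if parsed is None:
            continue
        src, dst, is_syn, is_ack = parsed
        if is_syn and not is_ack:
            pending[(src, dst)] = pending.get((src, dst), 0) + 1
        elif is_syn and is_ack:
            pending.pop((dst, src), None)
    return pending


# Constructed sample: the post's SYN (retransmitted once, never answered)
# plus a local client whose SYN gets a proper SYN-ACK.
SAMPLE_CAPTURE = """\
18:40:42.279005 IP (tos 0x0, ttl 119, id 51126, offset 0, flags [DF], proto: TCP (6), length: 48) 141-244-045-xxx.dynamic.caiway.nl.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackOK>
18:40:45.279118 IP (tos 0x0, ttl 119, id 51127, offset 0, flags [DF], proto: TCP (6), length: 48) 141-244-045-xxx.dynamic.caiway.nl.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackOK>
18:41:02.100000 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.1.50.40000 > 192.168.1.230.http: S, cksum 0x1234 (correct), 1:1(0) win 65535 <mss 1460,nop,nop,sackOK>
18:41:02.100300 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.1.230.http > 192.168.1.50.40000: S, cksum 0x5678 (correct), 2:2(0) ack 2 win 65535 <mss 1460,nop,nop,sackOK>
"""

if __name__ == "__main__":
    for (client, server), n in unanswered_syns(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{n} unanswered SYN(s): {client} -> {server}")
```

Run it against `tcpdump -nv` output saved from the NATted server; pairs that show up for the external client but not for LAN clients point at the reply path rather than the inbound NAT.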



  • Just a dumb question but in the "Interfaces -> Wan" settings are the "Block private networks" and / or "Block bogon networks" check-boxes checked??? If so try un-checking them and see if it helps…

    gm...

