Netgate Discussion Forum

    Incoming TCP traffic dies after 1:1 NAT??

    Category: NAT | 2 Posts | 2 Posters | 1.9k Views
    fjw

      Hi guys,

      I have pfSense v1.2-RC3 set up to do 1:1 NAT for my assigned range of 64 external IPs.
      I started NATting 2 servers with the following setup:

      Interfaces:

      • WAN: Type static, IP xxx.xxx.199.199/8, gateway xxx.xxx.199.254
      • LAN: Bridge with none, IP 192.168.1.1/24
      • No OPT1

      Virtual IPs:

      • Proxy ARP, on WAN, Single address, xxx.xxx.199.230/32
      • Proxy ARP, on WAN, Single address, xxx.xxx.199.231/32

      1:1 NAT:

      • on WAN, external xxx.xxx.199.230/32, internal 192.168.1.230
      • on WAN, external xxx.xxx.199.231/32, internal 192.168.1.231

      Firewall:

      • on WAN,  *  *  * * * *    Pass anything in (just for tests)
      • on LAN,  * LAN net * * * *    Default LAN -> any

      Servers:

      • both set up with 192.168.1.1 as gateway

      Both servers can be accessed no problem from the internal subnet.
      However, when I browse to either of the external IPs, no response comes back.
      I first thought 1:1 NAT did not work but it does. The rule gets triggered according to the log and when I tcpdump the server connection I get:

      18:40:42.279005 IP (tos 0x0, ttl 119, id 51126, offset 0, flags [DF], proto: TCP (6), length: 48) 141-244-045-xxx.dynamic.caiway.nl.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackOK>

      but… nothing comes back.

      When I access the servers through their external interfaces (directly linked to the internet, just testing...) I get:
      18:32:34.608860 IP (tos 0x0, ttl 120, id 50184, offset 0, flags [DF], proto: TCP (6), length: 566) 141-244-045-xxx.dynamic.caiway.nl.61387 > backup.xxx.nl.http: P 22764:23290(526) ack 4000 win 64512

      and the response:
      18:32:34.609263 IP (tos 0x0, ttl  64, id 368, offset 0, flags [DF], proto: TCP (6), length: 133) backup.xxx.nl.http > 141-244-045-xxx.dynamic.caiway.nl.61387: P 4000:4093(93) ack 23290 win 53606

      So no problems there. Access from the local subnet works as well.

      I read through all 1:1 NAT related posts but cannot find any reference to this problem.
      Upgrade to RC3 has not helped. Neither has redoing the config, reboots etc.

      I would be grateful for any ideas about how to solve this… I've been kind of stuck for over a week now.

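      A small diagnostic added here (it is not code from the thread or from pfSense) that parses tcpdump -v output in the style of the captures above and reports inbound SYNs for which no SYN/ACK ever came back, which is exactly the symptom the capture on the NATted server shows. The hostnames and the second flow in the sample are constructed placeholders.

```python
import re

# Constructed sample in the style of the thread's tcpdump -v captures (old flag syntax).
# Flow 1: a SYN reaching the 1:1-NATted server that never gets a reply (the reported symptom).
# Flow 2: a SYN and its SYN/ACK on a host reached directly, i.e. a healthy handshake.
# Hostnames are placeholders, not the thread's real hosts.
SAMPLE_CAPTURE = """\
18:40:42.279005 IP (tos 0x0, ttl 119, id 51126, offset 0, flags [DF], proto: TCP (6), length: 48) client.example.net.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackOK>
18:32:34.100000 IP (tos 0x0, ttl 120, id 50100, offset 0, flags [DF], proto: TCP (6), length: 48) client.example.net.61387 > backup.example.net.http: S, cksum 0x1a2b (correct), 100:100(0) win 65535 <mss 1452,nop,nop,sackOK>
18:32:34.100400 IP (tos 0x0, ttl 64, id 300, offset 0, flags [DF], proto: TCP (6), length: 48) backup.example.net.http > client.example.net.61387: S, cksum 0x3c4d (correct), 900:900(0) ack 101 win 65535 <mss 1460>
"""

# timestamp, the "IP (...)" header block, then "src > dst: FLAGS rest".
# The lazy "\(.*?\)" still covers the whole header because the regex backtracks past "TCP (6)".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFRWE.]+)(?P<rest>.*)$"
)


def parse_capture(text):
    """Return (ts, src, dst, flags, carries_ack) tuples for every TCP line that parses."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # ARP, ICMP or oddly formatted lines are simply skipped
        packets.append((m.group("ts"), m.group("src"), m.group("dst"),
                        m.group("flags"), " ack " in m.group("rest")))
    return packets


def unanswered_syns(packets):
    """Return (src, dst) pairs whose SYN was seen but whose SYN/ACK never came back."""
    pending = {}
    for ts, src, dst, flags, carries_ack in packets:
        if "S" in flags and not carries_ack:
            pending.setdefault((src, dst), ts)   # client opened the handshake
        elif "S" in flags and carries_ack:
            pending.pop((dst, src), None)        # server answered; handshake is progressing
    return sorted(pending)


if __name__ == "__main__":
    for src, dst in unanswered_syns(parse_capture(SAMPLE_CAPTURE)):
        print(f"no SYN/ACK for {src} -> {dst}")
```

      Running it on a capture taken on the server's LAN interface separates "the SYN never arrived" (a NAT or firewall problem) from "the SYN arrived but the reply went elsewhere" (a gateway or routing problem on the server).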
      gmckinney

        Just a dumb question, but in the "Interfaces -> WAN" settings, are the "Block private networks" and/or "Block bogon networks" checkboxes checked? If so, try unchecking them and see if it helps…

        gm...

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.