4. Incoming TCP traffic dies after 1:1 NAT??

Incoming TCP traffic dies after 1:1 NAT??

  • F

    Hi guys,

    I have PFSense v1.2-RC3 set up to do 1:1 NAT for my assigned range of 64 external IPs.
    I started NATting 2 servers with following setup:

    Interfaces:

    • WAN: Type static, IP xxx.xxx.199.199/8, gateway xxx.xxx.199.254
    • LAN: Bridge with none, IP 192.168.1.1/24
    • No OPT1

    Virtual IPs:

    • Proxy ARP, on WAN, Single address, xxx.xxx.199.230/32
    • Proxy ARP, on WAN, Single address, xxx.xxx.199.231/32

    1:1 NAT:

    • on WAN, external xxx.xxx.199.230/32, internal 192.168.1.230
    • on WAN, external xxx.xxx.199.231/32, internal 192.168.1.231

    Firewall:

    • on WAN,  *  *  * * * *    Pass anything in (just for tests)
    • on LAN,  * LAN net * * * *    Default LAN -> any

    Servers:

    • both set up with 192.168.1.1 as gateway

    Both servers can be accessed no problem from the internal subnet.
    However when I browse to either of the external IPs no response comes back.
    I first thought 1:1 NAT did not work but it does. The rule gets triggered according to the log and when I tcpdump the server connection I get:

    18:40:42.279005 IP (tos 0x0, ttl 119, id 51126, offset 0, flags [DF], proto: TCP (6), length: 48) 141-244-045-xxx.dynamic.caiway.nl.61491 > 192.168.1.230.http: S, cksum 0x0f84 (correct), 3325806490:3325806490(0) win 65535 <mss 1452,nop,nop,sackok="">but…. nothing comes back.

    When I access the servers through their external interfaces (directly linked to the internet, just testing...) I get:
    18:32:34.608860 IP (tos 0x0, ttl 120, id 50184, offset 0, flags [DF], proto: TCP (6), length: 566) 141-244-045-xxx.dynamic.caiway.nl.61387 > backup.xxx.nl.http: P 22764:23290(526) ack 4000 win 64512

    and the response:
    18:32:34.609263 IP (tos 0x0, ttl  64, id 368, offset 0, flags [DF], proto: TCP (6), length: 133) backup.xxx.nl.http > 141-244-045-xxx.dynamic.caiway.nl.61387: P 4000:4093(93) ack 23290 win 53606

    So no problems there. Access from the local subnet works as well.

    I read through all 1:1 NAT related posts but cannot find any reference to this problem.
    Upgrade to RC3 has not helped. Neither has redoing the config, reboots etc.

    I would be greatful for any ideas about how to solve this… I'm kind of stuck for over a week now.</mss>

    0
  • G

    Just a dumb question but in the "Interfaces -> Wan" settings are the "Block private networks" and / or "Block bogon networks" check-boxes checked??? If so try un-checking them and see if it helps…

    gm...

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy