1:1 NAT - Works only after Virtual IP addr assignment?



  • New Question: Why, with my 1:1 NAT set up, why are ARP requests for that IP not being responded to UNTIL:
    pfSense_Outer, Firewall, Virtual IPs, <net_external_a>/32 as IP Alias is created, hit with a couple packets, and then dropped and even after Diagnostics, States, Reset States, reset, it still works for minutes afterwards???

    And it looks like the permanent fix is a Virtual IP, Proxy Arp - but why do I need this?

    ETA Previous Question:
      How can I tell from pfSense if packets for the 1:1 NAT external IP address are hitting the firewall at all (i.e. do I have a routing issue, or a 1:1 NAT/rule issue)?

    Answer:
      In the WebGUI, use Diagnostics, Packet Capture, and do NOT filter on IP address.  The following appeared when I tried it over and over, with no apparent reply in the capture stream:
    03:17:24.077411 ARP, Request who-has <net_external_a>tell <net_external_gateway>, length 46

    I even rebooted the firewalls in desperation (Diagnostics->Reboot), as resetting the state table did nothing.

    I set up a second 1:1 NAT, with the rules and so on, just as the working situation below (but for port 5222 and 5269 instead) but firewall logging is showing absolutely nothing, so I can't yet tell if the packets are even hitting the outer firewall at all.  It shouldn't be a routing problem, but I can't prove that yet.

    I've got logging set up on both firewalls, for both the Pass and Fail rules, and they're showing no results at all.  Similar logging for the previous working 1:1 NAT on 443 does show traffic.  DNS from the outside shows good DNS resolution, including from a cellphone's network.

    Situation:
    Note that ALL networks are /24 (Class C), including the external IP block.
        Net_External (WAN static, provisioned by my provider, /24 network)
    pfSense_Outer
        Net_Internal_A (OPT12, a tagged VLAN to a switch, /24 network)

    Net_Internal_A (WAN static, untagged with the switch defaulting to the correct VLAN for that port, the same /24 network)
    pfSense_Inner
      Net_Internal_B (OPT1, leading to a separate VMWare ESXi vSwitch, /24 network)
      Web server with a static DHCP mapping on Net_Internal_B (a truly static mapping didn't change anything).

    On pfSense_Outer, I have a 1:1 NAT set, external IP of WebIP_Net_External, internal IP of WebIP_Net_Internal_A, and Destination IP of "any", NAT reflection "use system default".  System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.

    On pfSense_Inner, I have a 1:1 NAT set, external IP of WebIP_Net_Internal_A, internal IP of WebIP_Net_Internal_B, and Destination IP of "any", NAT reflection "use system default".  System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.

    On pfSense_Outer, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_A.

    On pfSense_Inner, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_B.

    I turned logging on for everything, reject and block and allow.


    1. At this point, pfSense_Outer firewall logs saw traffic from the outside world being ALLOWed to WebIP_Net_Internal_A.  However, pfSense_Inner firewall logs shows nothing at all, despite an IPv4 log and block everything (* * * * * none blank) rule as the last rule.

    Then on pfSense_Inner, I set up a Virtual IP Address, IP Alias, WAN interface, IP Address of WebIP_Net_Internal_A, and it started working.

    pfSense_Outer runs SNORT 2.9.6.0 pkg v3.0.6 on the WAN interface, and Squid 2.7.9 pkg v.4.3.3 in transparent proxy mode on everything except WAN an Loopback.

    pfSense_Outer is a physical box
    2.1.3-RELEASE (amd64)
    built on Thu May 01 15:52:13 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    pfSense_Inner is a VMWare ESXi guest
    2.1.3-RELEASE (amd64)</net_external_gateway></net_external_a></net_external_a>



  • I'm assuming your WAN looks like a single block of IPs (/27 for example) rather than a routed WAN (/27 routed to a /30 on the WAN interface, for example).  I had the same confusion when I first switched to pfSense.

    The reason you have to do a virtual IP is that the IP interfaces are separate from the Firewall (NAT/Rules/etc) at the OS level.

    Also, having the 1:1 NATs on Virtual IPs allows you to do things like use CARP for failover between two boxes.


Log in to reply