[1:1 NAT] can't reach my machines from internet


  • Hello Guys,

    Now trying the English forum to find help for my issue. :p

    I have a VM 'Media' which has the internal IP 192.168.1.101 and an external IP from my /28 subnet. Made a 1:1 mapping for that.

    I can go out of the VM to the internet, but can't find a way in via different ports. There are a few screens of my configuration in the attachment.

    Hope you have an idea :)

    thanks in advance!


    ![vSphere Client.jpg](/public/imported_attachments/1/vSphere Client.jpg)

  • Netgate Administrator

    How are you testing this?

    You would usually setup an IPAlias virtual IP on the WAN interface to respond to the external IP you're using. Otherwise the WAN will not respond to ARPs and there will be no route from your ISP.

    Steve


  • Really thanks for your fast reply!

    @stephenw10:

    How are you testing this?

    (winVM)
    via Ping, RDP, Plex, nothing can reach the server

    @stephenw10:

    You would usually setup an IPAlias virtual IP on the WAN interface to respond to the external IP you're using. Otherwise the WAN will not respond to ARPs and there will be no route from your ISP.

    Oh okay, didn't know that. I've added the first IP like the screen below, still no chance :/


  • Netgate Administrator

    The subnet of the IP alias should probably be /24 so it can respond to queries from within that subnet.

    I assume the Win VM you're testing from is connected on the WAN side of pfSense.

    Steve


  • @stephenw10:

    The subnet of the IP alias should probably be /24 so it can respond to queries from within that subnet.
    I assume the Win VM you're testing from is connected on the WAN side of pfSense.

    Ah sorry, as I read my last text again, it was a bit 'incomprehensible'. With (winVM) I meant that the machine I want to reach from the internet is a Windows VM. I tested it from my home PC; my server with pfSense is in the DC of my provider.

    Okay, I have it like this now (attachments): the settings of the VIP and the network settings of the WinVM I want to reach from the internet. Nameservers are from my provider.

    Do you need more info, screens, or anything?




  • Netgate Administrator

    Ok, so check your firewall logs. Both in the pfSense box and in the Windows VM if you have a local firewall running there.

    One thing you can try is that the IP Alias (virtual IP) will respond to ping requests as long as you have a firewall rule in place on WAN to allow ICMP traffic and that it isn't NAT'd to an internal box. By adding a firewall rule and removing the 1:1 NAT you can test that at least your ISP is routing traffic correctly as far as the pfSense box.

    Steve


  • Hello Stephen,

    thanks for your patience with me :P

    @stephenw10:

    Ok, so check your firewall logs. Both in the pfSense box and in the Windows VM if you have a local firewall running there.

    With an activated 1:1 NAT, there's no action logged from me to the destination IP or anything like that, not even logged connections on the specific ports (logging of rules is activated). :(

    One thing you can try is that the IP Alias (virtual IP) will respond to ping requests as long as you have a firewall rule in place on WAN to allow ICMP traffic and that it isn't NAT'd to an internal box. By adding a firewall rule and removing the 1:1 NAT you can test that at least your ISP is routing traffic correctly as far as the pfSense box.

    If the 1:1 rule is deactivated, I can ping my IP successfully and there's a log entry in the FW. :(

  • Netgate Administrator

    Hmm, odd.
    Perhaps check the state table when you are trying to connect to the server.
    If you have logging enabled on the firewall rule allowing the traffic I would expect to see something though.  :-\

    Steve


  • @stephenw10:

    Hmm, odd.

    Yes :( :(

    Perhaps check the state table when you are trying to connect to the server.
    If you have logging enabled on the firewall rule allowing the traffic I would expect to see something though.  :-\

    There's no entry in the state table which fits my query to the destination IP or port. :/

    Hmpf, mysterious :(

    regards,

    Robert

  • Netgate Administrator

    Nothing in state table or firewall logs but applying the 1:1 NAT prevents the VIP responding to pings. It seems as though the NAT config must be wrong. I can't see what that could be.
    Some issue with the virtual environment?  :-\

    Steve


  • @stephenw10:

    Nothing in state table or firewall logs but applying the 1:1 NAT prevents the VIP responding to pings. It seems as though the NAT config must be wrong. I can't see what that could be.
    Some issue with the virtual environment?  :-\

    It's a fresh dedicated server (R410), and w/o the 1:1, I can ping my IPs, so I don't think it's a problem with the environment, or is it?

    Any idea what else I can test? :(

  • Netgate Administrator

    Ah, so you're running bare metal, without ESXi?

    In my test setup here it's working perfectly so it's hard to know what to suggest.  :-\
    Anyone else?

    You could try using individual port forwards instead of 1:1 NAT.

    Since you are (or were) running virtualised you could try adding another virtual NIC in VMware for the second WAN IP instead of using a virtual IP in pfSense.

    Steve


  • @stephenw10:

    Ah, so you're running bare metal, without ESXi?

    No, ofc you're right. It's running on ESXi. Lil misunderstanding. :p

    Do you think something's wrong with my ESXi? Mh, can't see what it could be or how I can test it ^^

    In my test setup here it's working perfectly so it's hard to know what to suggest.  :-\

    I know :(

    You could try using individual port forwards instead of 1:1 NAT.
    Since you are (or were) running virtualised you could try adding another virtual NIC in VMware for the second WAN IP instead of using a virtual IP in pfSense.

    Okay, I will try tomorrow.

    Thanks Steve!


  • Puh, a few days w/o time to try.

    I've deactivated the 1:1 and added a port forward to the internal IP of my VM, see attached the port forward.

    VM is online, still no connection from outside. :(


  • Netgate Administrator

    Hmm, interesting. Usually, with a common port forward, you specify the destination IP and it would usually be the WAN address. However here you are using the IP alias. I guess it should work without specifying the destination IP, you could also try setting the destination as the IP alias address.
    Using an additional virtual NIC in ESXi for the WAN would make things a lot more straightforward in many ways. The additional IP will appear as a completely separate interface so you can select it in 1:1 NAT or port forwards.

    Are you able to test it from a locally connected machine on the pfSense WAN side? My test setup here was using series of pfSense boxes behind each other. The box doing the 1:1 NAT with the IP Alias was using private IPs on both WAN and LAN and I was testing from the WAN subnet directly.

    Steve


  • @stephenw10:

    Hmm, interesting. Usually, with a common port forward, you specify the destination IP and it would usually be the WAN address. However here you are using the IP alias. I guess it should work without specifying the destination IP, you could also try setting the destination as the IP alias address.

    Not sure I understand you right and what you mean with:

    Using an additional virtual NIC in ESXi for the WAN would make things a lot more straightforward in many ways. The additional IP will appear as a completely separate interface so you can select it in 1:1 NAT or port forwards.

    The problem is, my VM is only online if I define 192.168.1.101 for it. With 192.168.1.101, it has the main IP from pfSense for outgoing traffic into the internet. If I use an IP address from my subnet, I can't get the machine online. Which GW do I have to use in this case?

    I've created a PFW where I used the pfSense IP as the "NAT IP", which is equal to the IP of my first WinVM, but even then it won't work.

    Are you able to test it from a locally connected machine on the pfSense WAN side? My test setup here was using series of pfSense boxes behind each other. The box doing the 1:1 NAT with the IP Alias was using private IPs on both WAN and LAN and I was testing from the WAN subnet directly.

    Okay, will test and update here soon.

    Edit: Okay, I added the test VM to my WAN interface and configured the 2nd IP (aaa.bbb.0.1) from my subnet for it. It says it has an internet connection, but it didn't.

    But as I said, I'm not sure I understand you correctly. Sorry if not ._.



  • I've reinstalled pfSense.
    Created the 1:1 again and my machine has my subnet IP in outbound. I still can't reach it from the internet, but I see the requests in my firewall now if I try to connect to RDP or ping the IP. I think that's a small step ^^

    I'm wondering why it shows the request as 'PASS' in the logs.


  • Netgate Administrator

    Aha! Yes that is a step forward. It's showing as 'pass' because it's matching the pass rule you setup to allow the forwarded traffic.
    Ok, so that confirms that the box is receiving the traffic on the virtual IP, NATing it to the internal address and allowing it to pass through the WAN firewall. Yet you aren't seeing it at the server?
    Could you have some asymmetric routing issue? Perhaps the returning traffic is not matching the open firewall state? Do you have a rule to allow the return traffic if it isn't? Anything in the firewall logs to show that?

    Edit: What is your current WAN firewall rule? Reading back I see that your original rule was for IPv4/TCP only which won't allow ICMP (ping).

    Steve
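To make the two points from the last reply concrete (a WAN rule for IPv4/TCP only never matches a ping, and on pfSense the 1:1 NAT translation runs before the WAN rules, so the pass rule must match the internal address), here is an added Python model of that evaluation order. It is not pfSense code or anything from this thread; the external VIP 203.0.113.17 and the RDP port 3389 are constructed placeholders, 192.168.1.101 is the VM from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses: the external VIP is a documentation-range placeholder;
# 192.168.1.101 is the internal 'Media' VM from the thread.
EXTERNAL_VIP = "203.0.113.17"
INTERNAL_HOST = "192.168.1.101"
ONE_TO_ONE_NAT = {EXTERNAL_VIP: INTERNAL_HOST}   # WAN 1:1 mapping, external -> internal

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int] = None  # None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str]         # None matches any protocol
    dst: Optional[str]           # None matches any destination
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

def translate(pkt: Packet) -> Packet:
    """1:1 NAT on WAN: rewrite the external destination to its mapped internal host."""
    internal = ONE_TO_ONE_NAT.get(pkt.dst)
    return pkt if internal is None else Packet(pkt.proto, internal, pkt.dport)

def evaluate_wan(pkt: Packet, rules: List[Rule]) -> Tuple[str, Packet]:
    """NAT first, then the WAN rules; pfSense rules are 'quick', so the first
    match wins, and anything unmatched hits the default deny."""
    translated = translate(pkt)
    for rule in rules:
        if rule.matches(translated):
            return rule.action, translated
    return "block", translated

# The thread's original WAN rule: IPv4/TCP only (RDP), so ICMP never matches it.
TCP_ONLY = [Rule("pass", "tcp", INTERNAL_HOST, 3389)]
# Corrected set: add an ICMP rule so a ping to the VIP reaches the VM too.
WITH_ICMP = TCP_ONLY + [Rule("pass", "icmp", INTERNAL_HOST)]
# A rule written against the external VIP never fires on WAN: NAT already ran.
AGAINST_VIP = [Rule("pass", "tcp", EXTERNAL_VIP, 3389)]
```

Running `evaluate_wan(Packet("icmp", EXTERNAL_VIP), TCP_ONLY)` shows the ping blocked while the same packet passes under `WITH_ICMP`, and `AGAINST_VIP` blocks even RDP because the destination was already rewritten.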