Problem with NAT(reflection?) after upgrade from 2.0.1 to 2.1.5

  • We have an external Network A (NET-A) and an internal Network 192.168.9.x.
    We use Port-forwarding and Pools to redirect Traffic from an external IP to an internal IP/Cluster.
    Then we have "Manual Outbound NAT rule generation" on, with rules which we find in /tmp/rules.debug:
    nat on $WAN  from 192.168.9.13/32 to any -> (NET-A).122/32 port 1024:65535 
    nat on $WAN  from 192.168.9.128/28 to any -> (NET-A).115/32 port 1024:65535 
    nat on $WAN  from 192.168.9.160/28 to any -> (NET-A).114/32 port 1024:65535

    These rules work.

    Then we have rules for internal communication which worked in 2.0.1:
    nat on $LAN  from 192.168.9.128/28 to 192.168.9.0/24 -> (NET-A).115/32 port 1024:65535 
    nat on $LAN  from 192.168.9.160/28 to 192.168.9.0/24 -> (NET-A).114/32 port 1024:65535

    When I try to connect from 192.168.9.160 to 192.168.9.128/28 via (NET-A).115 I see the packet in tcpdump:
    13:02:33.154806 IP 192.168.9.160.34945 > 83.246.70.115.80: Flags S, seq 2887008773, win 14600, options [mss 1460,sackOK,TS val 253039556 ecr 0,nop,wscale 7], length 0

    pfctl -s state | grep 192.168.9.160
    em2 tcp 192.168.9.132:80 <- (NET-A).115:80 <- 192.168.9.160:34947      CLOSED:SYN_SENT
    em2 tcp 192.168.9.160:34947 -> (NET-A).114:45381 -> 192.168.9.132:80      SYN_SENT:CLOSED

    But no packet leaves the firewall from (NET-A).114 to 192.168.9.132?
    Again: this all worked perfectly with 2.0.1 for years.

    I found the "NAT Reflection mode for port forwards" in the advanced settings but enabling/disabling doesn't change anything.
    How can I solve the problem? I found others have problems with these reflection rules, but no real help :(

    I replaced the first 3 octets with (NET-A).
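The two `pfctl -s state` lines above are the key diagnostic: an inbound rdr state and an outbound nat state for the same flow, both stuck at SYN_SENT/CLOSED. The script below is an added example (not from the original post or from pfSense) that parses state-table lines in that format and pairs up such stalled hairpin flows, so the symptom can be spotted across a large state table instead of by eye. The sample lines are constructed from the post (83.246.70.x stands in for the redacted (NET-A) prefix, and a healthy outbound state is added for contrast); the column layout of `pfctl -s state` is assumed to be `iface proto A <dir> B [<dir> C] STATE`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the two `pfctl -s state` lines quoted in the post
# (83.246.70.x stands in for the redacted (NET-A) prefix). The third line is an
# ordinary, established outbound NAT state added for contrast.
SAMPLE_STATES = """\
em2 tcp 192.168.9.132:80 <- 83.246.70.115:80 <- 192.168.9.160:34947      CLOSED:SYN_SENT
em2 tcp 192.168.9.160:34947 -> 83.246.70.114:45381 -> 192.168.9.132:80      SYN_SENT:CLOSED
em0 tcp 192.168.9.13:51000 -> 83.246.70.122:51000 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
"""

# iface proto A <dir> B [<dir> C] STATE -- the middle endpoint is only printed
# when a nat/rdr translation applies to the state (assumed layout).
_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<dir><-|->)\s+(?P<b>\S+)"
    r"(?:\s+(?P=dir)\s+(?P<c>\S+))?\s+(?P<state>\S+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str             # "in" (printed with <-) or "out" (printed with ->)
    src: str                   # original source ip:port
    dst: str                   # real (post-rdr) destination ip:port
    translated: Optional[str]  # nat'd source (out) or pre-rdr destination (in)
    state: str                 # e.g. "SYN_SENT:CLOSED"

    @property
    def half_open(self) -> bool:
        # A TCP state that never got past the SYN: one side SYN_SENT, the other CLOSED.
        return self.proto == "tcp" and set(self.state.split(":")) == {"SYN_SENT", "CLOSED"}


def parse_state_line(line: str) -> Optional[PfState]:
    m = _LINE.match(line)
    if not m:
        return None
    a, b, c = m.group("a"), m.group("b"), m.group("c")
    if m.group("dir") == "->":
        # outbound: src -> nat'd src -> dst   (or src -> dst without nat)
        src, translated, dst = (a, b, c) if c else (a, None, b)
        direction = "out"
    else:
        # inbound: real dst <- pre-rdr dst <- src   (or dst <- src without rdr)
        dst, translated, src = (a, b, c) if c else (a, None, b)
        direction = "in"
    return PfState(m.group("iface"), m.group("proto"), direction,
                   src, dst, translated, m.group("state"))


def parse_states(text: str) -> List[PfState]:
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def find_stalled_hairpins(states: List[PfState]) -> List[Tuple[PfState, PfState]]:
    """Pair an inbound rdr state with the outbound nat state for the same original
    flow (same interface, proto, src and real dst) when neither completed the
    handshake: the SYN was redirected and source-NATed, but no SYN/ACK came back."""
    inbound = [s for s in states if s.direction == "in" and s.translated and s.half_open]
    outbound = {(s.iface, s.proto, s.src, s.dst): s
                for s in states if s.direction == "out" and s.translated and s.half_open}
    pairs = []
    for rdr in inbound:
        nat = outbound.get((rdr.iface, rdr.proto, rdr.src, rdr.dst))
        if nat:
            pairs.append((rdr, nat))
    return pairs


def describe(pair: Tuple[PfState, PfState]) -> str:
    rdr, nat = pair
    return (f"{rdr.iface}: {rdr.src} -> {rdr.translated} redirected to {rdr.dst}, "
            f"source rewritten to {nat.translated}; handshake stalled "
            f"({rdr.state} / {nat.state})")


if __name__ == "__main__":
    for pair in find_stalled_hairpins(parse_states(SAMPLE_STATES)):
        print(describe(pair))
```

On a live box the same parser can be fed `pfctl -s state` output directly; a stalled pair reports the rdr target and the rewritten source together, which is the information needed to check that the reply path for the source-NATed address actually leads back through the firewall interface that holds the state.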

  • Hi,

    Installed the haproxy package and changed all LB jobs to haproxy.
    Now everything is working fine again!