[SOLVED - POSSIBLE BUG] Unable to get 1:1 NAT working correctly



  • So I have been able to get port forwarding working correctly but I also want to figure out how to get 1:1 NAT working so I know more about my system.

---------My setup---------

External IP: 96.171.343.2 (not real external IP, example)
    Local IP: 192.168.10.130

    Firewall > NAT >  1:1

Interface    External IP      Internal IP        Destination IP
WAN          96.171.343.2     192.168.10.130     *

(I have NAT reflection settings enabled in System > Advanced > Firewall/NAT)

    Firewall > Rules > WAN

ID    Proto       Source    Port    Destination       Port    Gateway    Queue    Schedule
      IPv4 TCP    *         *       192.168.10.130    80      *          None

    I have Port 80 added here as an example/a way to test if the 1:1 NAT is working, but it doesn't work. What am I missing here?


  • LAYER 8 Netgate

    Are you testing from inside or outside?

    Define "doesn't work."  What do you see when you try?



  • @Derelict:

    Are you testing from inside or outside?

    Define "doesn't work."  What do you see when you try?

Alright, so from inside it works. By "works" I mean that I am brought to the web server of the computer that has the external IP listed in the OP (I had to enable NAT reflection). When I try externally (4G on my phone) the web page is unable to load. What's strange is that this rule I have listed in the first post is the same rule that is made when port forwarding, and it "works". However, with 1:1 NAT it doesn't.


  • LAYER 8 Netgate

    It should.  Do you still have the port forward active?

Double-check everything.



  • @Derelict:

    It should.  Do you still have the port forward active?

Double-check everything.

ATM no, but I tried removing everything and re-adding everything and still nothing. I tried with and without a virtual IP also.


  • LAYER 8 Netgate

    Not quite sure what to tell you.  Just did a 1:1 from my WAN address to an ssh server on LAN and it just worked.

    All I did was create the 1:1, create the rule, and enable ssh on the inside host.  You can reference the diagram in my sig for the exact layout.  Working on pfSense B and Host B1.

    
    $ ssh 172.27.0.9
    user@172.27.0.9's password:
    
    Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-39-generic x86_64)
    
    pfSenseHostB1:~$
    
    

    Check everything again.  All addresses, netmasks, all default gateways, all rules, all translations, all host firewalls, etc.

    ETA: Also worked as expected with both ifAlias and Proxy ARP VIPs on 172.27.0.10.






  • @Derelict:

    Not quite sure what to tell you.  Just did a 1:1 from my WAN address to an ssh server on LAN and it just worked.

    All I did was create the 1:1, create the rule, and enable ssh on the inside host.  You can reference the diagram in my sig for the exact layout.  Working on pfSense B and Host B1.

    
    $ ssh 172.27.0.9
    user@172.27.0.9's password:
    
    Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-39-generic x86_64)
    
    pfSenseHostB1:~$
    
    

    Check everything again.  All addresses, netmasks, all default gateways, all rules, all translations, all host firewalls, etc.

    ETA: Also worked as expected with both ifAlias and Proxy ARP VIPs on 172.27.0.10.

I'll give it another go again today. Thank you friend!



  • @Derelict:

    Not quite sure what to tell you.  Just did a 1:1 from my WAN address to an ssh server on LAN and it just worked.

    All I did was create the 1:1, create the rule, and enable ssh on the inside host.  You can reference the diagram in my sig for the exact layout.  Working on pfSense B and Host B1.

    
    $ ssh 172.27.0.9
    user@172.27.0.9's password:
    
    Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-39-generic x86_64)
    
    pfSenseHostB1:~$
    
    

    Check everything again.  All addresses, netmasks, all default gateways, all rules, all translations, all host firewalls, etc.

    ETA: Also worked as expected with both ifAlias and Proxy ARP VIPs on 172.27.0.10.

Well, I want to make it so the ports are accessible from the WAN, or basically from outside of my network entirely. Not sure if I am explaining it well.

Basically, I want to do 1:1 NAT with the same IPs as in the OP, and now let's say I try accessing the web server of the external IP (uses port 80 and I have created a rule just like yours) from somewhere outside my network, such as using a 4G card or a cell phone or something, but it doesn't connect. What rules do I need to add to make that accessible?


  • LAYER 8 Netgate

    None.  If you have one for port 80 something else must be wrong.



  • @Derelict:

    None.  If you have one for port 80 something else must be wrong.

It's really strange. I got it working for another computer just now, but it won't work for mine still. It seems to be hit or miss honestly. I am on 2.2 RC so maybe it's a bug or something? Port forwarding seems to work fine. What's the difference between port forwarding and 1:1? I understand that port forwarding is for each port and 1:1 forwards all connections, but with the pfSense firewall a rule will need to be added to allow the connections for either 1:1 or port forwarding, right?


  • LAYER 8 Netgate

    Yes.  Firewall rules are necessary for any traffic to enter into any interface on pfSense.

    With port forwarding you NAT all traffic for the destination IP address.  The port isn't considered by NAT but by the firewall rules.

    Firewall rules can be automatically created by port forwarding rules.  If you 1:1 it's up to you to create them for the traffic you want to pass.

    Again, not sure what to tell you.  I'd thoroughly examine all aspects of the client - firewalls, gateways, netmasks, etc.  Maybe run some packet captures on the LAN interface.  I highly doubt you're seeing a bug in something so elemental so late in the 2.2 process.
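To make the distinction drawn above concrete, here is an added toy model (not code from the thread, from pfSense, or from Derelict) of the inbound path: a 1:1 entry translates every port of the external IP but passes nothing by itself, while a port forward translates one port and can bring its own pass rule. It assumes WAN rules match the post-NAT (internal) destination, as the OP's rule table does, and for the outbound direction assumes the first matching translation wins with 1:1 entries listed ahead of the automatic outbound NAT entry.

```python
"""Toy model of the pfSense NAT and WAN-rule path discussed in the thread.
Addresses are the thread's obfuscated examples, kept as opaque strings
(96.171.343.x is not a valid IPv4 address, so nothing here parses them)."""
from dataclasses import dataclass, replace
from typing import Optional

WAN_IP, VIP, HOST = "96.171.343.1", "96.171.343.2", "192.168.10.130"

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dst: str
    dport: Optional[int] = None

def one_to_one(nat_table, pkt):
    """1:1 NAT: every port and protocol of the external IP maps to the host."""
    inside = nat_table.get(pkt.dst)
    return replace(pkt, dst=inside) if inside else pkt

def port_forward(forwards, pkt):
    """Port forward: only the listed (proto, external IP, port) tuples translate."""
    target = forwards.get((pkt.proto, pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt

def firewall_pass(rules, pkt):
    """WAN rules match the translated (internal) destination; default deny.
    A rule is (proto, dst, port); port None means any port."""
    return any(p == pkt.proto and d == pkt.dst and port in (None, pkt.dport)
               for p, d, port in rules)

ONE_TO_ONE = {VIP: HOST}
WAN_RULES_MANUAL = [("tcp", HOST, 80)]            # the OP's single hand-made rule

FORWARDS = {("tcp", WAN_IP, 80): (HOST, 80)}
# A port forward can generate its own pass rule; a 1:1 entry generates none.
WAN_RULES_AUTO = [(proto, host, port) for (proto, _, _), (host, port) in FORWARDS.items()]

def inbound_1to1(pkt, rules=WAN_RULES_MANUAL):
    """Returns (destination after NAT, passed by firewall?) for the 1:1 setup."""
    nat = one_to_one(ONE_TO_ONE, pkt)
    return nat.dst, firewall_pass(rules, nat)

def inbound_forward(pkt):
    """Same for a port-forward-only setup with its auto-generated rule."""
    nat = port_forward(FORWARDS, pkt)
    return nat.dst, firewall_pass(WAN_RULES_AUTO, nat)

# Outbound side (assumption: first matching translation wins, 1:1 listed first).
def outbound_source(src, one_to_one_active=True):
    """Public address the host shows to the Internet, e.g. to a 'what is my IP' site."""
    translations = ([(HOST, VIP)] if one_to_one_active else []) + [("any", WAN_IP)]
    return next(ext for match, ext in translations if match in ("any", src))

if __name__ == "__main__":
    print(inbound_1to1(Packet("tcp", VIP, 80)))   # translated and passed
    print(inbound_1to1(Packet("tcp", VIP, 22)))   # translated, but no rule: blocked
    print(inbound_1to1(Packet("icmp", VIP)))      # ping from outside: blocked without a rule
    print(outbound_source(HOST), outbound_source(HOST, one_to_one_active=False))
```

Without the 1:1 entry the host's outbound traffic shows the WAN address instead of the VIP, which is the symptom to look for when checking whether a 1:1 mapping is actually in effect.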



  • @Derelict:

    Yes.  Firewall rules are necessary for any traffic to enter into any interface on pfSense.

    With port forwarding you NAT all traffic for the destination IP address.  The port isn't considered by NAT but by the firewall rules.

    Firewall rules can be automatically created by port forwarding rules.  If you 1:1 it's up to you to create them for the traffic you want to pass.

    Again, not sure what to tell you.  I'd thoroughly examine all aspects of the client - firewalls, gateways, netmasks, etc.  Maybe run some packet captures on the LAN interface.  I highly doubt you're seeing a bug in something so elemental so late in the 2.2 process.

What's more strange is this: when I set up the NAT, with no rules or anything, I am able to ping the external IP from another computer that is connected to the pfSense box, even on a different subnet/interface (I made rules for this). And I know it is pinging the machine because I unplug the cable while it is pinging and then I get a request timed out. However, if I go on Google to find what my IP address is, it still isn't the one that I can ping. I have tried assigning the IP to another machine and the same problem persists; if I try and give another machine another external IP (I said before I got one machine to work with the NAT and it uses a different IP; I tried assigning that one to another machine to test) then it assigns it correctly. So I don't know how, but could something already be using my external IP? If I try pinging it from outside I get no response, but ping could be disabled on a device that is using it. I'll run a packet capture and report back.

EDIT: the packet capture didn't return anything, but what's strange is that a traceroute did. I have no clue what these IPs are, although I see Verizon and it is my ISP; but if I do a traceroute of the IP assigned on the pfSense or of the one I got 1:1 NAT working on, only stars appear. Is someone else somehow using my IP or are these just connections?

     1  L300.NWRKNJ-VFTTP-150.verizon-gni.net (74.102.123.1)  3.239 ms  1.359 ms  3.728 ms
     2  G1-2-4-3.NWRKNJ-LCR-22.verizon-gni.net (100.41.206.206)  3.994 ms  3.859 ms  3.855 ms
     3  so-4-0-0-0.NWRK-BB-RTR2.verizon-gni.net (130.81.22.64)  54.604 ms
        ae0-0.NWRK-BB-RTR2.verizon-gni.net (130.81.209.162)  6.109 ms
        so-6-1-0-0.NWRK-BB-RTR2.verizon-gni.net (130.81.199.16)  5.859 ms
     4  xe-4-1-6-0.TPA01-BB-RTR2.verizon-gni.net (130.81.23.73)  48.848 ms * *
     5  Bundle-Ether300.TAMPFL-LCR-22.verizon-gni.NET (140.222.230.221)  40.398 ms  41.207 ms  39.972 ms
     6  * * *
     7  * * *
    
    

  • LAYER 8 Netgate

What's more strange is this: when I set up the NAT, with no rules or anything, I am able to ping the external IP from another computer that is connected to the pfSense box, even on a different subnet/interface (I made rules for this). And I know it is pinging the machine because I unplug the cable while it is pinging and then I get a request timed out. However, if I go on Google to find what my IP address is, it still isn't the one that I can ping. I have tried assigning the IP to another machine and the same problem persists; if I try and give another machine another external IP (I said before I got one machine to work with the NAT and it uses a different IP; I tried assigning that one to another machine to test) then it assigns it correctly. So I don't know how, but could something already be using my external IP? If I try pinging it from outside I get no response, but ping could be disabled on a device that is using it. I'll run a packet capture and report back.

    Sorry, but all that sounds like a bunch of gibberish when you don't give any specifics.  We have no idea if you're using the WAN address, VIPs, what kind of VIPs, or exactly what rules you have put in place and where.  You're using "the external ip" "another computer" "the machine" "the ip" "a different ip".  That tells us nothing.  Specifics.

    NAT uses the IP or VIP you specify.  Period.  If it's doing something else, you've configured it wrong.

    You won't be able to ping pfSense WAN (or a VIP on WAN) from outside WAN unless there are rules on WAN allowing it.

    It's probably time to take a step back, draw a real diagram, complete with ip addresses and subnets.  It might also be time to take a backup, reset to factory, and start again with ONE thing at a time until you get to where you need to be.

    Traceroutes show you the route you are taking to your destination.  You have no control over them.  Forget that tool exists for the moment.  All it tells us is that 74.102.123.1 is probably the default gateway into your ISP.



  • @Derelict:

What's more strange is this: when I set up the NAT, with no rules or anything, I am able to ping the external IP from another computer that is connected to the pfSense box, even on a different subnet/interface (I made rules for this). And I know it is pinging the machine because I unplug the cable while it is pinging and then I get a request timed out. However, if I go on Google to find what my IP address is, it still isn't the one that I can ping. I have tried assigning the IP to another machine and the same problem persists; if I try and give another machine another external IP (I said before I got one machine to work with the NAT and it uses a different IP; I tried assigning that one to another machine to test) then it assigns it correctly. So I don't know how, but could something already be using my external IP? If I try pinging it from outside I get no response, but ping could be disabled on a device that is using it. I'll run a packet capture and report back.

    Sorry, but all that sounds like a bunch of gibberish when you don't give any specifics.  We have no idea if you're using the WAN address, VIPs, what kind of VIPs, or exactly what rules you have put in place and where.  You're using "the external ip" "another computer" "the machine" "the ip" "a different ip".  That tells us nothing.  Specifics.

    NAT uses the IP or VIP you specify.  Period.  If it's doing something else, you've configured it wrong.

    You won't be able to ping pfSense WAN (or a VIP on WAN) from outside WAN unless there are rules on WAN allowing it.

    It's probably time to take a step back, draw a real diagram, complete with ip addresses and subnets.  It might also be time to take a backup, reset to factory, and start again with ONE thing at a time until you get to where you need to be.

    Traceroutes show you the route you are taking to your destination.  You have no control over them.  Forget that tool exists for the moment.  All it tells us is that 74.102.123.1 is probably the default gateway into your ISP.

Alright. I've already done complete reinstalls and redone the general setup. Alright, so look, once again this is my setup. I feel like this is the best diagram…besides screenshots.

    ---------My setup---------

External IP: 96.171.343.2 (not real external IP, example)
Local IP: 192.168.10.130 (the computer with the local IP is hooked up to the LAN interface)
pfSense WAN IP: 96.171.343.1 (again, not the real external IP but close to it/example)

    Firewall > NAT >  1:1

Interface    External IP      Internal IP        Destination IP
WAN          96.171.343.2     192.168.10.130     *

(I have NAT reflection settings enabled in System > Advanced > Firewall/NAT, and for Firewall > Rules > NAT I have NAT reflection set to "use system default" in my 1:1 NAT entry)

    Firewall > Rules > WAN

ID    Proto       Source    Port    Destination       Port    Gateway    Queue    Schedule
      IPv4 TCP    *         *       192.168.10.130    80      *          None

Now, with this same setup seen here on my actual pfSense, I go to Google on the computer that is assigned 192.168.10.130 and is supposed to be assigned 96.171.343.2 from the NAT (we will call this computer PC1), and a Google search says that I have 96.171.343.1 (which is the pfSense's WAN IP). If I type http://96.171.343.2 in the web browser on PC1 it says unable to load page, even though I made a rule on the WAN interface in the firewall for port 80. Furthermore, if I try http://96.171.343.2 on my mobile device which is connected to 4G (entirely separate from the network PC1 and pfSense are on), again it's unable to load the page. What is strange is that if I ping 96.171.343.2 on PC1 it shows that it is getting responses.


  • LAYER 8 Netgate

    Why are you complicating things with reflection?  One thing at a time.  Inbound connections from outside to 96.171.343.2:80 being sent to 192.168.10.130:80.  Let's work on THAT ONE PIECE!  Don't make it more complicated by trying to debug connections from LAN and WAN in the same post.  It does nothing but clutter your posts with many different problems at once.  This isn't complicated unless you make it so.

    QUESTIONS:

    What kind of VIP is 96.171.343.2?

    What is the actual (or obfuscated if you must) WAN subnet and netmask and gateway?  Be specific.



  • @Derelict:

    Why are you complicating things with reflection?  One thing at a time.  Inbound connections from outside to 96.171.343.2:80 being sent to 192.168.10.130:80.  Let's work on THAT ONE PIECE!  Don't make it more complicated by trying to debug connections from LAN and WAN in the same post.  It does nothing but clutter your posts with many different problems at once.  This isn't complicated unless you make it so.

    QUESTIONS:

    What kind of VIP is 96.171.343.2?

    What is the actual (or obfuscated if you must) WAN subnet and netmask and gateway?  Be specific.

I should've mentioned I have a friend who is working on this with me and he insists it be enabled…can't really argue with him since it's his box. Anyway, I got it working; I had to go into Outbound under Firewall > NAT, and the rule was something like internal IP for source or something. The outbound was set to the hybrid AND automatic option or whatever, which I changed; before, it was just set to automatic and I couldn't get the NAT to work.



  • Alright so NOW I have finally got it!

Alright, so this is very strange. If I try assigning a computer an external IP for 1:1 NAT I can't get it to work properly (the computer does not actually get assigned the IP address/forwarding is not going through correctly) if the computer is connected to the LAN interface. If I connect my computer to any other interface than LAN, we will say OPT2 as an example (except WAN obviously), then the 1:1 NAT will work. I am assuming this is happening because the WAN is configured for a static IP, and possibly trying to have a device on LAN with a different external IP than the one on WAN screws up pfSense or something. There is also an Outbound NAT rule that gets created for each interface (ex. 192.168.1.0 for LAN, 192.168.2.0 for OPT1, etc.) to give those IPs that I listed in the parentheses the external IP of the WAN interface. Now what's strange is that this outbound rule included the local IP of the OPT2 interface (192.168.3.0), also to be assigned the external IP of the WAN interface; however, 1:1 NAT still worked on OPT2…but not on LAN.

I am assuming this is a bug and would like to report it ASAP. How can I?


  • LAYER 8 Netgate

    Draw a diagram, man.  Not text - use the free stuff at https://forum.pfsense.org/index.php?topic=1630.0  Include details of what you're trying to do.  IP addresses, netmasks, where you have placed the 1:1, what works, what doesn't.

    It is very unlikely you have found a bug in something so fundamental.



  • @Derelict:

    Draw a diagram, man.  Not text - use the free stuff at https://forum.pfsense.org/index.php?topic=1630.0  Include details of what you're trying to do.  IP addresses, netmasks, where you have placed the 1:1, what works, what doesn't.

    It is very unlikely you have found a bug in something so fundamental.

I'd rather just give screenshots for now? My setup has gotten pretty complex now as I've plugged more things into my available ports (routers etc.), although those do not really matter. Also, the 1:1 NAT seems to stop working periodically or randomly, I'm not sure when exactly, but after a while it just stops working and I need to do a restore. I don't have time to make a diagram or mess around with pfSense for a while, I have a lot of school projects, but hopefully we can get back to each other by, say, next Friday…and I mean next Friday, not this week.

