Outbound NAT not allowing LAN out any longer (PFS 2.2)



  • Hello all -

    I'm not sure what's going on with my pfSense box, but it seems every time it reboots, I lose WAN. First time, the default gateway was deselected for some reason. The second time, my manual NAT rules stopped working (had to switch to hybrid mode).

    This time, nothing has worked, in trying to change the NAT selections to get from LAN -> WAN. Here's the weird thing - AutoNAT lists a network that I don't have (and haven't had) in a long time. I don't have an interface for it, no rules, no…nothing. Yet, AutoNAT lists it as a possible outbound network. I've switched back to manual NAT, and only allowed out my main network and the firewall itself; no LAN can get out.

    Not sure what else to check here. Details:

    1. Gateways tab lists 1 GW: WAN
    2. Interfaces are LAN/WAN: LAN has "none" for gateway, WAN has "<ip of static gw from isp>"
    3. FW rules have a rule to allow LAN -> WAN (LAN net to ANY)
    4. Diagnostics: PING = google.com returns pings from the WAN as source. I get 100% packet loss from the LAN int. as source.
    5. AutoBackup to the PFS Portal is working fine (not sure if that matters or not, for the sake of connectivity)

    Any suggestions, would be much appreciated.

    Thank you.



  • Without seeing the actual firewall or NAT rules, the first thing I'd suggest is checking that DNS is working from your LAN. Have you tried pinging an outside IP address (eg: 8.8.4.4) from the LAN instead of 'google.com'? Have you made sure the NAT rules suit the firewall rules? Have you tried an nslookup from both the WAN side and LAN? Perhaps if you could send a screenshot of your complete NAT and firewall rules it might help shed some light.



  • I seem to be having a similar issue. I have tried pinging outside IPs from all of my LAN networks and it is not working. DNS is working from my WAN port and it is able to get to everything I have tried pinging. I also ran

    ```
    pfctl -s nat
    ```

    I am running a VMware virtual environment with a pair of pfSense 2.1.5-RELEASE 64-bit set up in a cluster.


  • @muswellhillbilly:

    Without seeing the actual firewall or NAT rules, the first thing I'd suggest is checking that DNS is working from your LAN. Have you tried pinging an outside IP address (eg: 8.8.4.4) from the LAN instead of 'google.com'? Have you made sure the NAT rules suit the firewall rules? Have you tried an nslookup from both the WAN side and LAN? Perhaps if you could send a screenshot of your complete NAT and firewall rules it might help shed some light.

    Thanks for the reply Mus. LAN clients cannot ping IPs nor FQDNs. The server, on the other hand, was able to get out without incident (I say "was" because I had to replace my firewall until I could get it fixed).

    Also, like Broncoman, when I tried a "pfctl -s nat", it returned nothing; just a prompt. I'm not sure if something is going wrong when the firewall reboots or not, but Broncoman and I seem to have the same issue (minus the pfSense version number) upon reboot. My firewall was absolutely pristine until I rebooted, with even a rollback from a backup not fixing the issue.



  • I have tried running packet captures on the LAN and WAN interfaces. If I am pinging from any LAN interface, I can see the requests from the device I am pinging from on the associated LAN interface; however, there is nothing in the capture on the WAN interface for these pings. I updated my backup firewall to 2.2-RELEASE and it is still having the issue. I built a new firewall and restored the configuration to that (confirming that NAT was working on the new firewall before restoring my config from 3 days ago) and the issue was still there after it rebooted. Currently I have placed my dev firewalls into production for the networks that are not functioning so I can be operational. I do have several OpenVPN tunnels that are still active and working on the affected firewall cluster.


  • Last night I built a new virtual firewall to attempt restoring the config. I took a snapshot of the firewall in VMware and loaded one piece of config at a time, rebooting between each piece. When I got to the traffic shaper, I experienced the issue again. So I looked further back in my backups and noticed a change that had been made back in January on the traffic shaper. I created the shaper from the wizard when the firewall was first set up and had set the "then current" bandwidth limits for the WAN interface. In January, I upped the bandwidth to 50 Mbps from 30028 Kbps (15 Mbps). I assume that the issue just decided not to show up until I rebooted the firewall last week. I changed the setting back to the 30028 Kbps and the CLI command "pfctl -sn" started showing my NAT rules again. However, I still cannot ping from the LAN interfaces to a public IP. Packet captures on the WAN interface do not show anything related to my test pings. I have checked my policies and NAT rules and they all seem to be in check. I'm not sure what else to look at.