Inbound NAT issues after upgrade to 2.2.1


  • OK, after the upgrade to 2.2.1 from 2.2.x my inbound NAT traffic is being blocked. Yesterday I noticed that if I edited and saved the rule, traffic started to flow again. This happened for both Port Forwarding and 1-to-1 rules.

    Well, I came in this morning to find that inbound FTP traffic is being blocked, so I edited and then saved the rule and traffic started to flow again.

    Here is a screenshot of the logs, if that helps anyone.


  • Banned

    Kindly post the NAT/FW rules screenshot.


  • I think I had a similar problem but I have not yet resolved it…


    For a few days I have had a problem with a firewall on which a port forward to FTP / HTTP is set up using a Virtual IP.
    I have noticed the anomaly since I upgraded to version 2.2.
    In particular, the problem is with the FTP service (passive mode).
    I was hoping that the various bugfixes in 2.2.1 would include the solution to my problems, but nothing.

    I should mention that I have already tried with three different machines with the same results.
    The port forwarding rules in Firewall > NAT are created and enforced properly, so the client can log in, but when the FTP data channel is opened, the data exchange does not start (LIST command, I think) and the connection is broken.
    There are no packets dropped, obviously.
    Other services listening on the same machine on port 80 or 3000 work perfectly.
    In the various tests I also tried with and without the Virtual IP.
    All this occurs when I go from version 2.2 or 2.1.5 to 2.2.1 on the same machine and hardware.
    On one of the three test machines I swapped the network cards (a D-Link DGE-5820 PCI Realtek and an integrated SIS 191 chipset, both Gigabit).
    Unfortunately I do not have other network cards with me, Intel for example, to try, though I consider a hardware incompatibility very unlikely, since these are not newly released chipsets and they work perfectly with the previous version.


    Tks

  • Banned

    @a.palmucci:

    I think I had a similar problem but I have not yet resolved it…

    No, you don't. Kindly start your own thread after reading the release notes and other docs.

    https://doc.pfsense.org/index.php/Upgrade_Guide#FTP_Proxy
    https://doc.pfsense.org/index.php/FTP_without_a_Proxy


  • I'm seeing exactly the same issue as the OP.

    Open the NAT rule, save, and it's working again.

    Only happened since going from 2.2 to 2.2.1.


  • Any update on this? Still seeing this issue on 2.2.2


  • OP's issue is pretty clear from the screenshot. The passed FTP shows the destination of a private IP, so it hit a port forward. The blocked traffic has a destination of a public IP, meaning it doesn't have a matching port forward or 1:1 NAT. That didn't change after upgrading; something wasn't right with that additional public IP to begin with.

    Given the thread's been dead for a month with no response from OP, he/she probably found where the port forward didn't exist for that VIP and added it.

    The "me too" posters, you almost certainly don't have the same issue (for one, you probably don't have multiple public IPs). Please start your own thread describing your issue and we can help there.

    Locking this to prevent further hijacking.

    Those having FTP trouble, please see:
    https://doc.pfsense.org/index.php/Upgrade_Guide#FTP_Proxy
    https://doc.pfsense.org/index.php/FTP_without_a_Proxy
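
The log reading used in the last reply (a passed entry with a private destination has hit a port forward; a blocked entry whose destination is still a public IP matched no port forward or 1:1 NAT) can be applied to exported firewall log records. This is an added example, not part of the thread or of pfSense: the simplified CSV columns, the sample records and the function names are constructed, and it assumes public addresses on WAN with RFC 1918 addresses on the internal servers.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# RFC 1918 ranges. Under the assumption above, a WAN log entry whose
# destination falls in one of these was rewritten by a NAT rule before
# the filter logged it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (simplified columns, not pfSense's raw format):
# action,interface,protocol,src,src_port,dst,dst_port
SAMPLE_LOG = """\
pass,WAN,tcp,192.0.2.44,51512,192.168.10.20,21
block,WAN,tcp,192.0.2.44,51513,198.51.100.11,21
block,WAN,tcp,192.0.2.77,40100,198.51.100.11,21
block,WAN,tcp,192.0.2.77,40101,192.168.10.20,3389
pass,WAN,tcp,192.0.2.90,33000,192.168.10.20,80
"""

def is_translated(dst):
    """True if the logged destination is an internal (RFC 1918) address."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)

def classify(action, dst):
    """Label a WAN log entry by whether NAT matched and what the filter did."""
    translated = is_translated(dst)
    if action == "pass":
        return "forwarded" if translated else "passed-untranslated"
    # Blocked with a private destination: NAT matched, a filter rule did not.
    # Blocked with a public destination: no port forward or 1:1 NAT matched.
    return "nat-ok-filter-blocked" if translated else "no-nat-match"

def missing_forwards(log_text, wan="WAN"):
    """Count blocked WAN entries whose destination is still a public IP."""
    hits = Counter()
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        action, iface, proto, _src, _sport, dst, dport = row
        if iface == wan and classify(action, dst) == "no-nat-match":
            hits[(dst, proto, int(dport))] += 1
    return hits

if __name__ == "__main__":
    for (dst, proto, port), n in missing_forwards(SAMPLE_LOG).items():
        print(f"{n} blocked {proto} hits to {dst}:{port}; check NAT rules for that address")
```

Each address and port it reports is a candidate for a missing port forward or 1:1 NAT entry on that public IP.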