Not really SOLVED: Outbound NAT not working
-
Hi all,
I am facing a serious issue here….
My pfSense 2.2.2 does not NAT any more! Started hapening when upgrading from 2.2.1.
I can ping any internet host from the pfSense command line as well as through the Diagnostic -> ping menu. As soon as I set the source IP in the menu to one of my LAN the ping does not get through.
PacketCapture shows the ICMP echo request going out with the LAN addresses!
So obviously NAT is not working- even though it is enabled in the Firewall rules. I tried to switch to manual rules- same issue. Switched back to automated NAT. Still not working.
Anyone having an idea?
[Update]
Meanwhile I went to the shell/ CLI and figured out some commands (from here). pfctl -sn does not display any rules. Nor any -sr firewall rules. I guess I have to dig further. Any hints are welcome!Greetings
Christian
-
Hi,
after lots of digging I found a very common command to test the firewall rules are loaded successfully:
pfctl -f /tmp/rules.debugThis spit out loads of syntax errors. All in some way related to traffic shaper. I disabled the traffic shaper and reloaded the firewall through the above command.
AND IT WORKED!Great stuff, now going to re-configure traffic shaper
Greetings!
-
Just as an update:
the same happened now to a second pfSense box. NAT was not working despite everything configured properly.
Disabled traffic shaper and it worked.
Output from pfctl is:```
/tmp/rules.debug:73: errors in queue definition
parent qInternet not found for qACK
/tmp/rules.debug:74: errors in queue definition
parent qInternet not found for qDefault
/tmp/rules.debug:75: errors in queue definition
parent qInternet not found for qOthersHigh
/tmp/rules.debug:76: errors in queue definition
parent qInternet not found for qOthersLowAs this is not reliable I have to disable the traffic shaper now >:( Any idea why this is not working? -
Looks like a parent queue (qInternet) got deleted or failed to load somehow. You'll probably need to rebuild your queues. If you have a backup you might try restoring just the traffic shaper area. (back up your working config first.)
-
Hi,
it is for sure related to the traffic shaper. I do not mind re-configuring it as the config is still available (no need to back up in this case) and I can easily re-enable the traffic shaper.
Then it is working for a while and the fails again (happened at least twice with the inital pfSense machine).
I do not want to enable traffic shaper again as this might cause interruption with the internet connectivity…
What I am looking for are some detailed troubleshooting steps why the rules.debug gets corrupted. I can not image it is related to hardware failures....
-
I have seen this happen once before. It occurred when I was messing with the shaper, got it into a state in which it wouldn't load (like the percentages added up to more than 100%) then got distracted and went on to something else.
Then I wanted to add a port forward and it wouldn't take. Finally checked my rules with pfctl like you did and saw the warnings familiar to everyone who has configured hfsc.
Fixed that and it was all working again.
It's unfortunate that the only time you see the queue loading errors is when your configuring queues.
The rules reloading later don't generate any feedback and pretty much silently fail.
I don't believe my circumstance as something that will just fail later out-of-the-blue. It was 100% caused by me and 100% correctable.
