Outbound NAT issue
-
Hi to all.
I have an outbound NAT to my VPN net for a port forward coming from WAN. I have this issue: apparently randomly some IPs are NOT outbound NATted through the VPN, and a packet capture on the VPN side shows that.

13:56:40.132673 IP (tos 0x0, ttl 244, id 10359, offset 0, flags [none], proto UDP (17), length 54) 10.10.10.1.11291 > 10.10.10.2.9001: [udp sum ok] UDP, length 26
13:56:40.174422 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 36) 10.10.10.2.9001 > 10.10.10.1.11291: [udp sum ok] UDP, length 8
13:56:43.205114 IP (tos 0x0, ttl 243, id 184, offset 0, flags [none], proto UDP (17), length 50) 151.72.246.XX.8001 > 10.10.10.2.9001: [udp sum ok] UDP, length 22
13:56:51.602310 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.10.10.2.9001 > 10.10.10.1.11291: [udp sum ok] UDP, length 1
13:56:51.602843 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.10.10.2.9001 > 10.10.10.1.1024: [udp sum ok] UDP, length 1
10.10.10.1 IP VPN "gateway"
10.10.10.2 IP VPN client
151.72.246.XX IP NOT NATTED

My pfSense version is 2.2, updated from 2-RELEASE, which had the same issue.
-
How is your outbound NAT configured?
-
The problem was the static port mapping for outbound NAT. This happens because I receive multiple connections from a piece of software that opens connections with a static port: 8001 source port and 9001 destination port. When multiple connections come from a simple router that doesn't change the source port (like pfSense can do), on my WAN I have:

SOURCE      DESTINATION
IP1:8001    IP-WAN:9001
IP2:8001    IP-WAN:9001
IP3:8001    IP-WAN:9001

With outbound NAT (and static port enabled) these packets should go out like this:

SOURCE               DESTINATION
IP-VPN:8001          IP-VPN2:9001
IP-NOTNATTED:8001    IP-VPN2:9001
IP-NOTNATTED:8001    IP-VPN2:9001

IP-VPN2 = IP destination of the port forward

If pfSense NATted the next packet, the state table would be broken because it can't distinguish connections with the same source IP & port and the same destination IP & port.
So disabling static port in outbound NAT resolved my issue (I had enabled it because I wrongly thought my application needed it).
However, I expected that in this situation static port would stop working, not the NAT! Am I wrong?
-
In that case, yes, you must keep the default of leaving static port disabled. Otherwise, in that circumstance (which is atypical, as most commonly used things today randomize source ports), only the first internal IP going out to the same external IP and port with the same IP translation will work. The others end up having their reply traffic sent back to the first, or potentially dropped as not matching the state.
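To make the state-table collision described in the two posts above concrete, here is an added Python simulation (example code, not pfSense or pf code) of an outbound NAT whose states are keyed on the translated tuple the remote peer sees. Three constructed client addresses (198.51.100.1 through .3, RFC 5737 documentation space standing in for IP1, IP2, IP3) all send from source port 8001 to the port-forward target 10.10.10.2:9001 and are translated to the VPN gateway address 10.10.10.1. With static port on, only the first client can own the state and a reply to 10.10.10.1:8001 is delivered to that first client; with static port off, each client gets its own translated port. The port picker is a simplified deterministic stand-in (real pf chooses from a configured range), and modelling a collision as "no state created" is an assumption of this example, not a statement about pf internals.

```python
"""Simulate a pf-style outbound NAT state table to show why 'static port'
breaks when several internal hosts use the same source port towards the
same destination IP:port.  Added example; not pfSense code.  The port
picker and the collision handling are simplified models, not pf internals."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One UDP flow as seen on one side of the NAT."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A state is identified on the translated (outside) side by the tuple the
# remote peer sees; replies are matched back on that same tuple.
StateKey = Tuple[int, str, int]  # (translated src port, dst ip, dst port)


class OutboundNat:
    def __init__(self, nat_ip: str, static_port: bool) -> None:
        self.nat_ip = nat_ip
        self.static_port = static_port
        self.states: Dict[StateKey, Flow] = {}  # outside tuple -> inside flow
        self.by_inside: Dict[Flow, int] = {}    # inside flow -> translated port

    def translate(self, flow: Flow) -> Optional[Flow]:
        """Translate an outbound packet.  Returns the packet as it leaves the
        NAT, or None when no state can be created because the translated
        tuple is already owned by a different inside host (assumed model)."""
        if flow in self.by_inside:               # existing state: reuse it
            port = self.by_inside[flow]
        elif self.static_port:
            port = flow.src_port                 # keep the source port unchanged
        else:
            port = self._free_port(flow)         # rewrite to an unused port
        key: StateKey = (port, flow.dst_ip, flow.dst_port)
        owner = self.states.get(key)
        if owner is not None and owner != flow:
            return None                          # collision with another host's state
        self.states[key] = flow
        self.by_inside[flow] = port
        return Flow(self.nat_ip, port, flow.dst_ip, flow.dst_port)

    def _free_port(self, flow: Flow) -> int:
        # Deterministic picker for the example (pf picks at random from a range);
        # what matters is that the translated tuple is unique per state.
        for port in range(1024, 65536):
            if (port, flow.dst_ip, flow.dst_port) not in self.states:
                return port
        raise RuntimeError("no free translated port")

    def reply_to(self, reply: Flow) -> Optional[Flow]:
        """Map a reply arriving at nat_ip back to the inside flow owning the state."""
        key: StateKey = (reply.dst_port, reply.src_ip, reply.src_port)
        return self.states.get(key)


NAT_IP = "10.10.10.1"            # VPN "gateway" address from the thread
SERVER = ("10.10.10.2", 9001)    # port-forward target on the VPN side
# Constructed sample clients: three remote hosts that all send from port 8001.
CLIENTS = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
APP_SRC_PORT = 8001


def run(static_port: bool) -> Dict[str, Tuple[Optional[int], Optional[str]]]:
    """For each client: (translated source port, or None if no state could be
    created; inside host that the server's reply would be delivered to)."""
    nat = OutboundNat(NAT_IP, static_port)
    result: Dict[str, Tuple[Optional[int], Optional[str]]] = {}
    for ip in CLIENTS:
        sent = nat.translate(Flow(ip, APP_SRC_PORT, *SERVER))
        # The port the server will answer to: the translated one, or, on a
        # collision, the shared static port that the first client already owns.
        answer_port = sent.src_port if sent else APP_SRC_PORT
        owner = nat.reply_to(Flow(SERVER[0], SERVER[1], NAT_IP, answer_port))
        result[ip] = (sent.src_port if sent else None,
                      owner.src_ip if owner else None)
    return result


if __name__ == "__main__":
    for mode in (True, False):
        print(f"static port {'ON ' if mode else 'OFF'}: {run(mode)}")
```

With static port on, the second and third clients never get a state of their own and the server's replies to 10.10.10.1:8001 all land on the first client, which is the "reply traffic sent back to the first" outcome described in the last reply; with static port off, the NAT hands out 1024, 1025, 1026 and every reply is matched to the right client.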