NAT Reflection broken since upgrade to 2.2
-
I just upgraded from 2.1.5 to 2.2 and NAT reflection stopped working.
I previously had it set to "NAT + Proxy", but have tried "Pure NAT" as well. I have two WANs, and neither of them is reflecting.
Any ideas or suggestions on how to diagnose this problem?
-
Do you have limiters in place?
-
@doktornotor if by limiter you mean Firewall -> Traffic Shaper -> Limiter then no, I don't have any.
-
I installed pfSense 2.2 brand new to migrate away from my EdgeRouter Lite and I also cannot get NAT reflection to work. I know my setup is pretty simple. 1 WAN, 1 LAN, 8 or so NATs, DYNDns. I've got an inkling it has something to do with the DNS Resolver setup but I'm not very familiar with how it works to know for sure.
Are there any specific logs to look in? I don't see packets being dropped by the firewall.
-
What would the resolver have to do with nat reflection??
So I am running 2.2.2, I just created a nat for :8080 to go to 192.168.1.14:80, when I created the nat I picked nat+proxy.. Sure seems to work here. As you can see I have my browser hitting my public IP on port 8080 and getting the page served by my local box on 192.168.1.14:80
Why don't you post up your rules for wan and and your nat and we can take a look see what might be going wrong.
-
@johnpoz I have a lot of rules as you can see from the attached screen shot. I included the config file as well.
Thanks for your help.
-
Yuck… Eeeeew. Yikes. :o
Don't have time for this, good luck. On a quick note, WTH is that "- 10" destination port?
-
Why would you send 80 to RDP port 3389?? RDP can use udp so that for sure could have issues.
Also seeing that your blocking rfc1918 on your wan.. So coming from a rfc1918 address, hitting your public - I would think that would be blocked right there from nat reflection working.
-
@johnpoz The reason I send 80->RDP is that I sometimes have to access RDP from networks that stupidly block everything but 80 and 443. It's a simple yet effective hack.
I removed both the rfc1918 and the bogon blocks on WAN (they were already off for my secondary WAN_ADSL) and it had no effect.
I just noticed that in NAT+Proxy mode sometimes a little bit comes through (e.g. on an HTTP connection some of a page will start loading and then fail). I'm wondering if the Proxy app is crashing or not working properly. Is there any way to diagnose this?
-
Do those rules even get loaded? I cannot see how's -10 a valid destination port.
-
@doktornotor That's a very old rule that probably got corrupted by upgrading pfSense over the years. I deleted it and it made no difference.
-
With the amount of port forwards, I would not touch the NAT + proxy stuff at all.
The NAT + proxy mode uses a helper program to send packets to the target of the port forward. It is useful in setups where the interface and/or gateway IP used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. Only TCP and UDP protocols are supported.
Also, the stuff looks just all wrong??? Look at the NAT ports. 25 -> *; 443 -> *; 993 -> * ?! Etc. WTH.
-
@doktornotor I have no particular affinity for proxy mode, that's simply what used to work. I agree that Pure NAT is the better way to go, but I have no idea where to begin with diagnosing the fact that it doesn't work.
-
See the previous post! Why is there "any" (*) in the NAT ports? That's just not right. You should set the Redirect target port properly. This seems even impossible to set up via the GUI.
-
yeah you can not have * for dest nat port and expect it to work..
Clean all that nonsense and which reflection is not working..
You want the correct way to admin your network when they only allow 80 and 443.. You VPN over 443 and there you go full access to anything you need on your network..
-
@doktornotor, @johnpoz Thanks for pointing out the * in the NAT rules. I'm not sure how that happened but I went through them all and fixed them. It still didn't help.
-
Well, I simply do not think your configuration state is anywhere near sane. Things like the above are really impossible to configure via the GUI. God knows what else got screwed. Would flush this down the drain and restart from scratch.
