1:1 nat problem



  • Hi

    Got some problems when adding a 1:1 NAT translation: when I add it, it can't access the internet anymore. Pings go out and come back to the pfSense router but don't go to the DMZ. Locally it works fine.

    The NAT rule is like this:
    Interface - WAN
    External IP - 192.123.234.230/32
    Internal IP - 192.168.2.230/32

    Filters on all interfaces are set to allow everything, in case it was that.

    ASCIIART:
    WAN (192.123.234.224/28)
    |
    |11
    PFsense –- DMZ (192.168.2.0/24)
    |
    |
    LAN with several subnets

    Internet works just fine before the NAT rule; whatismyip.com shows the pfSense external as it should, but when I add the NAT rule it can't ping outside the pfSense external interface anymore.

    I've followed this: http://doc.m0n0.ch/handbook-single/#id2604955



  • Do you mean you lose access to the internet from this IP in particular, or from everything else behind pfSense?

    If you 1:1 NAT something you cannot use that IP for anything else.



  • @GruensFroeschli:

    Do you mean you lose access to the internet from this IP in particular, or from everything else behind pfSense?

    If you 1:1 NAT something you cannot use that IP for anything else.

    Only the server that I do the NAT to; the rest can access it, and so can other servers in the DMZ.

    If I ping my internet gateway and use packet capture on the WAN interface, it goes out and a reply comes back. But I can only see the requests on the DMZ interface.



  • Hmm.
    What exactly does your "allow everything" rule look like? (screenshot)



  • @GruensFroeschli:

    Hmm.
    What exactly does your "allow everything" rule look like? (screenshot)

    http://fsmedh.zapto.org/data/af.JPG

    I've tried with * instead of ! LAN, but it shouldn't matter anyway. There's a rule like this on every interface, except with * instead of ! LAN.



  • From what do you 1:1 NAT this?

    Did you create a VIP on the WAN?
    Or do you have a single WAN-IP and use this one? (<– This shouldn't work)



  • @GruensFroeschli:

    From what do you 1:1 NAT this?

    Did you create a VIP on the WAN?
    Or do you have a single WAN-IP and use this one? (<– This shouldn't work)

    I have a /28 range of IPs. I use .226 on the external interface; .225 is my gateway. I'm trying to use .230 external to 192.168.2.230 internal 1:1 NAT.

    I haven't created any VIP.



  • @yourpfSensebox/firewall_nat_1to1.php:

    Depending on the way your WAN connection is setup, you may also need a Virtual IP.

    You need a VIP.
    Otherwise you're trying to 1:1 NAT from an IP that does not exist ;)



  • @GruensFroeschli:

    @yourpfSensebox/firewall_nat_1to1.php:

    Depending on the way your WAN connection is setup, you may also need a Virtual IP.

    You need a VIP.
    Otherwise you're trying to 1:1 NAT from an IP that does not exist ;)

    OK, so I add a virtual IP with the NAT address I wanna use and then the 1:1 NAT?

    EDIT: Doesn't seem to work. I tried a VIP on both the DMZ and WAN interfaces, same thing.



  • Test-system:
    WAN: 192.168.20.5/29
    LAN: 10.0.0.0/24
    Server: 10.0.0.12

    1: create VIP.
    2: create 1:1 mapping
    3: create firewall rules on LAN and WAN to allow traffic from and to the server IP.
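
    The three-step checklist above, turned into a small pre-flight validator. This is an added example, not code from the thread or from pfSense; the NatSetup fields and the check_one_to_one function are my own names, and the sample values are the ones posted in this thread (WAN .226 on the /28, mapping .230 to 192.168.2.230), constructed here as test data.

```python
"""Sanity checks for a 1:1 NAT mapping in the pfSense style (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatSetup:
    wan_if_addr: str          # WAN interface address with prefix, e.g. "192.123.234.226/28"
    wan_vips: frozenset       # Virtual IPs configured on the WAN interface (as strings)
    external_ip: str          # public address to be mapped 1:1
    internal_ip: str          # host behind the mapping
    inside_net: str           # subnet of the inside interface (DMZ in the thread)
    inside_iface: str         # name of the inside interface, e.g. "DMZ"
    rule_interfaces: frozenset  # interfaces that already have pass rules covering internal_ip


def check_one_to_one(setup: NatSetup) -> list[str]:
    """Return a list of human-readable problems; an empty list means the mapping looks sane."""
    problems = []
    wan = ipaddress.ip_interface(setup.wan_if_addr)
    ext = ipaddress.ip_address(setup.external_ip)
    inside = ipaddress.ip_address(setup.internal_ip)

    if ext not in wan.network:
        problems.append(f"{ext} is not inside the WAN subnet {wan.network}")
    if ext == wan.ip:
        # Thread's point: a 1:1-mapped address cannot double as the firewall's own WAN address.
        problems.append(f"{ext} is the WAN interface address; 1:1 NAT needs a dedicated address")
    elif str(ext) not in setup.wan_vips:
        # Step 1 of the checklist: without a VIP the firewall does not own this address.
        problems.append(f"no Virtual IP for {ext} on WAN; add one before the 1:1 mapping")
    if inside not in ipaddress.ip_network(setup.inside_net):
        problems.append(f"{inside} is not in the inside subnet {setup.inside_net}")
    # Step 3 of the checklist: pass rules on both sides of the mapping.
    for iface in ("WAN", setup.inside_iface):
        if iface not in setup.rule_interfaces:
            problems.append(f"no pass rule on {iface} for {inside}")
    return problems


# Constructed from the thread's values: WAN .226 on the /28 block, mapping .230, no VIP yet.
BROKEN = NatSetup("192.123.234.226/28", frozenset(), "192.123.234.230",
                  "192.168.2.230", "192.168.2.0/24", "DMZ", frozenset({"WAN", "DMZ"}))
# Same setup after step 1: the VIP for .230 exists on WAN.
FIXED = NatSetup("192.123.234.226/28", frozenset({"192.123.234.230"}), "192.123.234.230",
                 "192.168.2.230", "192.168.2.0/24", "DMZ", frozenset({"WAN", "DMZ"}))

if __name__ == "__main__":
    for name, s in (("before VIP", BROKEN), ("after VIP", FIXED)):
        print(name + ":", check_one_to_one(s) or ["ok"])
```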


