1:1 NAT not forwarding traffic for one IP address



  • Hello

    I'm having a strange issue where my 1:1 NAT isn't working for one IP address, but all others are okay.  I've verified that this IP is reachable from the firewall with a ping/traceroute

    I have Snort installed but it is disabled, so I don't believe it's causing the issue.  I shouldn't be able to ping the IP if it's blocked.

    From a working IP address, I can see traffic hitting my WAN interface, followed by the LAN interface as it forwards the traffic to the internal host as expected.

    From the non-working IP address, I see the traffic hitting the WAN interface, but then it's not forwarding out the LAN interface to the internal host.  A packet capture on the internal host confirms that the traffic is not being forwarded.

    I enabled logging on the firewall rule and I can see the translation happening:

    
    clog -f /var/log/filter.log | grep $Bad_IP_Address
    Aug 27 11:25:05 wabe-fw-ext01 pf:     $Bad_IP_Address.52222 > 172.16.16.121.443: Flags [S], cksum 0x775e (correct), seq 4000306878, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    
    but it's not being forwarded out the LAN interface like one would expect.  The fact that it's working for all other IP addresses should rule out all the usual troubleshooting steps for a broken NAT: rules, routes, etc.
    
    Any help would be greatly appreciated!
    

  • Netgate

    The fact that it's working for all other IP addresses should rule out all the usual troubleshooting steps for a broken NAT: rules, routes, etc.

    Why would you say that?  There's obviously something different in your rules somewhere for that IP address.

    Anything in your firewall logs indicating why it's being blocked?


  • Banned

    People, there's a fine GUI displaying the firewall logs. It also features this X button to show the rule responsible for blocking. Or, you can just configure it in settings to always show that:

    Stop posting these unreadable raw logs.



  • I couldn't get the relevant messages to show up in the GUI.  Turns out it was the Bogon rule blocking the traffic, since it wasn't updating properly.
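
The thread ends with the bogon table being the culprit, and the grep in the first post shows why it was hard to see: filtering on the address alone drops the "rule N/M(match): block in on em0:" prefix that pf writes before the packet summary in the older tcpdump-style filter.log, and that prefix is the only thing tying a log line to a rule. The following is an added example, written for this page and not code from the original thread or from pfSense, that pulls the rule number, action, interface and IPv4 flow out of such lines and tests the source address against a bogon table. The log lines and the bogon table contents are constructed here (the table uses documentation and RFC 1918 prefixes as stand-ins); on a real box the table contents come from `pfctl -t bogons -T show`, and a single address can be checked with `pfctl -t bogons -T test <ip>`. The line format is assumed from the older pfSense "pf:" logging style the thread shows, so it will not parse the CSV "filterlog:" format of newer releases.

```python
import ipaddress
import re
from typing import Optional

# Constructed log lines (not from the original post) in the older pfSense
# "pf:" tcpdump-style filter.log format. The first two carry the
# "rule N/M(match): <action> in on <if>:" prefix that names the rule; the
# third mimics the thread's grep output, where that prefix is missing.
SAMPLE_LOG = """\
Aug 27 11:25:05 wabe-fw-ext01 pf: 00:00:00.000000 rule 5/0(match): block in on em0: 203.0.113.10.52222 > 172.16.16.121.443: Flags [S], seq 4000306878, win 8192, length 0
Aug 27 11:25:06 wabe-fw-ext01 pf: 00:00:00.000000 rule 85/0(match): pass in on em0: 198.51.100.7.40000 > 172.16.16.121.443: Flags [S], seq 1, win 8192, length 0
Aug 27 11:25:07 wabe-fw-ext01 pf:     203.0.113.10.52223 > 172.16.16.121.443: Flags [S], seq 2, win 8192, length 0
"""

# Constructed stand-in for the firewall's bogon table (documentation and
# RFC 1918 prefixes). On pfSense the live contents come from
# `pfctl -t bogons -T show`; an entry that has since been allocated to a
# real network is exactly the stale-table failure the thread ended on.
STALE_BOGON_TABLE = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "203.0.113.0/24", "224.0.0.0/3",
]

RULE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
)
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract rule number, action, interface and IPv4 flow from one line.

    A line without the 'rule N/M(...)' prefix still yields the flow, with
    rule/action/iface set to None, since that is what a grep on the address
    alone tends to leave you with."""
    flow = FLOW_RE.search(line)
    if not flow:
        return None
    rec = {"rule": None, "action": None, "iface": None, **flow.groupdict()}
    rule = RULE_RE.search(line)
    if rule:
        rec.update(rule=int(rule.group("rule")), action=rule.group("action"),
                   iface=rule.group("iface"))
    return rec


def bogon_match(ip: str, table) -> Optional[str]:
    """Return the table prefix covering ip, or None.
    Offline equivalent of `pfctl -t bogons -T test <ip>`."""
    addr = ipaddress.ip_address(ip)
    for prefix in table:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def explain(line: str, table=STALE_BOGON_TABLE) -> Optional[dict]:
    """Parse one filter.log line and say why the source was blocked or passed."""
    rec = parse_line(line)
    if rec is None:
        return None
    rec["bogon_prefix"] = bogon_match(rec["src"], table)
    if rec["action"] is None:
        rec["verdict"] = "rule field missing; re-read the full line or use the GUI rule lookup"
    elif rec["action"] == "block" and rec["bogon_prefix"]:
        rec["verdict"] = f"blocked; source is covered by bogon entry {rec['bogon_prefix']}"
    elif rec["action"] == "block":
        rec["verdict"] = f"blocked by rule {rec['rule']}, not a bogon hit"
    else:
        rec["verdict"] = f"passed by rule {rec['rule']}"
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = explain(line)
        if rec:
            print(f"{rec['src']} -> {rec['dst']}:{rec['dport']}  {rec['verdict']}")
```

If the source lands in a prefix that is no longer a bogon, the fix is to refresh the table rather than to add a pass rule above the bogon block; on pfSense the scheduled update is what keeps that table current, so a table that never changes over weeks is itself the symptom to chase.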