1:1 testing - no joy



  • Hi all. I am looking to replace our ageing ISA 2006 box with a pfSense implementation.

    Our setup is LAN - WAN - (magic :)) - Internet.

    The LAN is in my control. The WAN is shared control of which I have a subnet of IPs assigned.

    I require the feature of being able to add network listeners or 1:1 NAT to map some addresses in the WAN space (172.25.32.0 /21) to addresses in the LAN (10.10.0.0 /18) for some equipment that needs to be accessed on both networks, which ISA supports.

    I am trying to test this feature on pfSense by assigning an unused WAN IP to the LAN IP of a webserver, so in theory I can access the designated WAN IP over http and I get the LAN webserver, but I'm having no luck so far.

    I have a fresh install of pfSense 2.2.4 which is working; I can route out to the upstream gateway and the internet using pfSense with no problem.

    I have tried setting up 1:1 NAT in several ways:

    • Virtual WAN IP assigned to WAN interface

    • WAN IP assigned to OPT1

    • Virtual IP assigned to OPT1

    I have disabled the Block private networks option for WAN and OPT1.

    I have tried the above with Enable NAT Reflection for 1:1 NAT enabled and disabled, manually creating a firewall rule for TCP port 80.

    I have also created an any / any / any pass rule on the WAN and OPT1 interface just to make sure it's not a firewall issue.

    One thing I have noticed is that I am able to ping the WAN IP that I set up for 1:1 (virtual or OPT1 IP), but once I set up the 1:1 rule, the IP stops responding to pings. When I remove the rule it resumes. I'm a bit confused by this.

    If you can give me any help I'd appreciate it - I'm not very experienced in troubleshooting routing issues. If I can get this to work I'm planning to get on one of the pfSense university courses to further my knowledge!


  • LAYER 8 Global Moderator

    So the firewall on the device you're sending the traffic to on your 1:1: does it allow it to answer pings, does it allow access to what you're sending it?

    "Enable NAT Reflection for 1:1 NAT"

    WTF would that have to do with anything??

    "WAN IP assigned to OPT1
    Virtual IP assigned to OPT1"

    Again WTF – so you just don't have clue one and you're randomly clicking shit??  Is that the plan??

    So you have a /18 on your LAN interface of pfSense??  Or do you have downstream routers you're trying to send this 1:1 to?  A /18 is a pretty freaking HUGE broadcast domain - I would hope you're breaking that /18 up into other segments, which would mean downstream routers??

    If your WAN is RFC 1918 space..  Why are you NATting??  Are you even??  Why??  Do other locations also have a 10/18 so you're out of RFC 1918 space, and that is why you have to NAT?  So you have a /21 in 172.25, you're talking 2000 IPs -- do you have that many devices? I would think with a /18 you must have thousands??? Somewhere over 2k and under 16k??

    Why is your /18 not just routed to you.. And then you firewall what can and can not talk to your devices on your 10/18 and you don't have to worry about any 1:1 NAT or NAT at all..  Then you're not double NATting when devices talk to the internet??  None of these devices could see inbound internet traffic without whoever controls the WAN/internet connection forwarding that traffic to your /21 address, just so you can again forward it in with yet another NAT to your /18 address..  Seems like a complete utter cluster of a network...

    Have you looked at
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Have you sniffed at WAN and seen the traffic to your 1:1, and then seen it leave your LAN interface with a sniff?  If it leaves your LAN to the client you're sending to.. Does he get it, and if so why does it not answer??

    Sorry if any of the above was a bit harsh...  But sometimes I just think, WTF are people doing???  Why are you NATting from RFC 1918 to 1918 space???  Why are the networks not just routed to you if you're all on RFC 1918 space??  etc..  It's like the guy that designed it got the job because he had a wifi router at home first, so he became the network arch...



  • @johnpoz:

    Have you looked at https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    I realised that I had missed reconfiguring the LAN webserver's gateway to pfSense. Thanks for your help.

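The fix above (pointing the web server's default gateway at pfSense) is the classic asymmetric-routing failure behind a "1:1 NAT doesn't work" report, and it also explains why the virtual IP stopped answering pings once the rule was added: 1:1 NAT maps every protocol, ICMP included, so the ping is forwarded to the LAN host instead of being answered by pfSense, and the host's reply then goes wherever its default gateway sends it. The following model is an added illustration, not pfSense code and not anything posted in the thread; the network blocks are the ones the original poster gave, while the individual host addresses, the `OneToOneNat`, `LanHost` and `round_trip` names and the second-router address are constructed for the example.

```python
# Added illustration (not pfSense code): a minimal stateful 1:1 NAT plus the
# return path chosen by the LAN host's default gateway.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "icmp"; a 1:1 mapping applies to every protocol, ping included


# Blocks from the thread: WAN side 172.25.32.0/21, LAN side 10.10.0.0/18.
# The individual host addresses are constructed for this example.
PFSENSE_LAN_IP = "10.10.0.1"
OTHER_ROUTER_IP = "10.10.0.254"   # some other gateway on the LAN (constructed)
WEB_SERVER_IP = "10.10.1.20"
WAN_VIP = "172.25.32.10"          # unused WAN address used as the 1:1 virtual IP
CLIENT_IP = "172.25.35.77"        # a host on the shared WAN side (constructed)


class OneToOneNat:
    """Stateful 1:1 (binat-style) mapping between one external and one internal address."""

    def __init__(self, mappings):
        self.ext_to_int = dict(mappings)
        self.int_to_ext = {v: k for k, v in mappings.items()}
        self.states = set()   # (peer, internal, proto) created by inbound traffic

    def inbound(self, pkt):
        """Packet arriving on WAN. Unmapped destination: the firewall answers
        itself (this is the 'ping works before the rule exists' case).
        Mapped destination: state is created and the packet is forwarded."""
        internal = self.ext_to_int.get(pkt.dst)
        if internal is None:
            return "answered_by_firewall", None
        self.states.add((pkt.src, internal, pkt.proto))
        return "forwarded", replace(pkt, dst=internal)

    def outbound(self, pkt):
        """Reply passing back through the firewall: rewrite the source back to
        the external address only when it matches state created on the way in."""
        external = self.int_to_ext.get(pkt.src)
        if external is None or (pkt.dst, pkt.src, pkt.proto) not in self.states:
            return pkt
        return replace(pkt, src=external)


@dataclass
class LanHost:
    ip: str
    gateway: str   # the setting the original poster had left unchanged

    def reply(self, pkt):
        return Packet(src=self.ip, dst=pkt.src, proto=pkt.proto)


def round_trip(nat, host, client_ip, ext_ip, proto="tcp"):
    """One request from the WAN client to the virtual IP. Returns None when the
    firewall answered itself, otherwise the reply as the client receives it."""
    outcome, fwd = nat.inbound(Packet(src=client_ip, dst=ext_ip, proto=proto))
    if outcome != "forwarded":
        return None
    rep = host.reply(fwd)
    if host.gateway == PFSENSE_LAN_IP:
        return nat.outbound(rep)   # reply crosses pfSense: source translated back to ext_ip
    return rep                     # reply leaves via another router: never translated


def client_accepts(reply, ext_ip):
    """The client only matches a reply to its connection when it comes from the
    address it talked to; a reply from the raw 10.10.x address is dropped."""
    return reply is not None and reply.src == ext_ip


def demo():
    nat = OneToOneNat({WAN_VIP: WEB_SERVER_IP})
    wrong_gw = LanHost(WEB_SERVER_IP, gateway=OTHER_ROUTER_IP)
    right_gw = LanHost(WEB_SERVER_IP, gateway=PFSENSE_LAN_IP)
    return {
        # before the 1:1 rule exists pfSense answers pings to the VIP itself
        "ping_before_rule": OneToOneNat({}).inbound(Packet(CLIENT_IP, WAN_VIP, "icmp"))[0],
        # after the rule the ping is forwarded; with the wrong gateway the reply is lost
        "ping_wrong_gateway": client_accepts(round_trip(nat, wrong_gw, CLIENT_IP, WAN_VIP, "icmp"), WAN_VIP),
        "http_wrong_gateway": client_accepts(round_trip(nat, wrong_gw, CLIENT_IP, WAN_VIP), WAN_VIP),
        "http_gateway_is_pfsense": client_accepts(round_trip(nat, right_gw, CLIENT_IP, WAN_VIP), WAN_VIP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same asymmetry is what the troubleshooting page linked in the thread tells you to look for with packet captures: the request shows up on the LAN interface, but the reply never comes back through it because the host sent it to a different router.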

  • LAYER 8 Global Moderator

    Oh you mean the clicking random shit like NAT reflection for 1:1 didn't fix it ;) heheheh  But going down your setup and checking it point by point to find out where you made a mistake.. That worked – who would've thunk it ROFL

    Have fun!

