Port forward reply NAT not working.



  • Hi!

    First: sorry for my English.

    I searched the forum, but without success.

    I'm using pfSense 2.2.6-RELEASE and created a port forwarding rule:

    Interface: DROTTALAN | Proto: UDP | Src. addr: * | Src. ports: * | Dest. addr: DROTTALAN address | Dest. ports: 20000 | NAT IP: 192.168.5.253 | NAT ports: 20000 | Description: portforward

    The 5.253 is a pfSense with an OpenVPN server on port 20000.

    The linked firewall rule exists:

    Proto: IPv4 UDP | Source: * | Port: * | Destination: 192.168.5.253 | Port: 20000 | Gateway: * | Queue: none | Description: NAT portforward

    It was working until last week. But now:

    States:

    DROTTALAN udp 192.168.5.253:20000 (192.168.253.1:20000) <- 192.168.253.236:20000 MULTIPLE:MULTIPLE
    INFORMATIKA udp 192.168.253.236:20000 -> 192.168.5.253:20000 MULTIPLE:MULTIPLE

    Tcpdump:

    11:34:37.345780 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42
    11:34:37.354342 IP 192.168.5.253.20000 > 192.168.253.236.20000: UDP, length 54

    So the target is 253.1, but the reply came from 5.253.

    pfSense is not translating the reply's IP address. Why?

    Thanks in advance.

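One way to check what the pasted state and tcpdump lines actually say, as an added example (Python written for this thread, not code from the original post or from pfSense). In pf's state-table output an inbound rdr state reads `<translated dst> (<original dst>) <- <client>`: the parenthesised address is what the client addressed before the port forward rewrote it. From that single line the script derives what the request and the reply must look like on either side of the forward and labels each captured packet. The point a practitioner wants is the caveat in the last label: on FreeBSD, tcpdump on an interface sees outbound packets after pf has translated them and inbound packets before, so a reply sourced from the inner box is expected on the inside interface and only a bug if the capture ran on the MAN-facing one. The sample input is the two state entries and two tcpdump lines from the post; interface names and addresses are the poster's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two state-table entries and the two
# tcpdump lines pasted in the post above (firewall output, nothing live).
SAMPLE_STATES = [
    "DROTTALAN udp 192.168.5.253:20000 (192.168.253.1:20000) <- 192.168.253.236:20000 MULTIPLE:MULTIPLE",
    "INFORMATIKA udp 192.168.253.236:20000 -> 192.168.5.253:20000 MULTIPLE:MULTIPLE",
]
SAMPLE_PACKETS = [
    "11:34:37.345780 IP 192.168.253.236.20000 > 192.168.253.1.20000: UDP, length 42",
    "11:34:37.354342 IP 192.168.5.253.20000 > 192.168.253.236.20000: UDP, length 54",
]

Endpoint = Tuple[str, int]

# pf state line: <if> <proto> <dst>[ (<orig dst>)] <-|-> <src> ...
# For an inbound rdr state the parenthesised address is the destination
# the client used before the rdr rule rewrote it.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<left>[\d.]+:\d+)"
    r"(?:\s+\((?P<orig>[\d.]+:\d+)\))?\s+(?P<arrow><-|->)\s+(?P<right>[\d.]+:\d+)"
)
# tcpdump -n line: "... IP a.b.c.d.sport > w.x.y.z.dport: UDP, length N"
PKT_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

EXPLANATION = {
    "request-before-rdr": "client -> pfSense's own address; the external interface sees this on the way in",
    "request-after-rdr": "client -> inner box; the inside interface sees this after rdr",
    "reply-translated": "inner box's reply with source rewritten back to pfSense's address; correct on the external interface",
    "reply-untranslated": "inner box's reply still sourced from its own address; expected on the inside interface, broken if captured on the external one",
    "unrelated": "not part of this forwarded flow",
    "unparsed": "not a tcpdump IP line",
}


@dataclass
class RdrState:
    iface: str                # interface the state was created on (external side)
    proto: str
    client: Endpoint          # host that opened the flow
    original_dst: Endpoint    # address the client actually sent to
    translated_dst: Endpoint  # where the rdr rule delivered it


def _ep(text: str) -> Endpoint:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_rdr_state(line: str) -> Optional[RdrState]:
    """Parse an inbound rdr state; return None for untranslated or outbound states."""
    m = STATE_RE.match(line)
    if not m or m["arrow"] != "<-" or not m["orig"]:
        return None
    return RdrState(m["iface"], m["proto"], _ep(m["right"]), _ep(m["orig"]), _ep(m["left"]))


def parse_packet(line: str) -> Optional[Tuple[Endpoint, Endpoint]]:
    """Return (src, dst) endpoints from a tcpdump -n line, or None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))


def classify(state: RdrState, pkt: Tuple[Endpoint, Endpoint]) -> str:
    """Say which leg of the forwarded flow a captured packet is."""
    src, dst = pkt
    if src == state.client and dst == state.original_dst:
        return "request-before-rdr"
    if src == state.client and dst == state.translated_dst:
        return "request-after-rdr"
    if src == state.original_dst and dst == state.client:
        return "reply-translated"
    if src == state.translated_dst and dst == state.client:
        return "reply-untranslated"
    return "unrelated"


def diagnose(state_lines: List[str], pkt_lines: List[str]) -> List[str]:
    """Label every captured packet against the first rdr state it belongs to."""
    states = [s for s in map(parse_rdr_state, state_lines) if s is not None]
    verdicts = []
    for line in pkt_lines:
        pkt = parse_packet(line)
        if pkt is None:
            verdicts.append("unparsed")
            continue
        labels = [classify(s, pkt) for s in states]
        verdicts.append(next((l for l in labels if l != "unrelated"), "unrelated"))
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_PACKETS, diagnose(SAMPLE_STATES, SAMPLE_PACKETS)):
        print(f"{line}\n  -> {verdict}: {EXPLANATION[verdict]}")
```

Run against the poster's lines it labels the first packet `request-before-rdr` and the second `reply-untranslated`; the next step would be to repeat the capture with `tcpdump -ni <interface> udp port 20000` once on each interface, since only a `reply-untranslated` packet leaving the DROTTALAN interface confirms the problem the post describes.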

  • LAYER 8 Global Moderator

    So you have 2 pfSense boxes, one behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

    So your downstream pfSense is NATting as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

    I would suggest you draw up your network.



  • @johnpoz:

    So you have 2 pfSense boxes, one behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

    So your downstream pfSense is NATting as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

    I would suggest you draw up your network.

    Thanks for the response.

    A schematic:

    dedicated
    vpn clients --- internet --- pfsense 5.253 ---- 5.254 pfsense 253.1 ---- MAN --- vpn clients
                                                                              |
                                                                              |
                                                                          internet

    The 5.253 pfSense is a dedicated VPN server with its own dedicated internet. But we have a MAN network (a wifi network with multiple sites), and those sites have VPNs to 5.253. The main pfSense has standard internet for browsing and other "normal internet stuff"; from the MAN we need to reach the "normal" internet and the dedicated pfSense, so we need to port forward.

    The MAN is not "ours", so the routing and firewalling are not adjustable by me; only the 253 network is routed.

    So a client at 253.236 sends a packet to 253.1; 253.1 port forwards the packet to 5.253; 5.253 answers this packet and sends it to 253.1; then 253.1 sends it to 253.236, but the source address is 5.253.

    The 253 network routes only the 253 network, so 253.236 cannot reach 5.253, only 253.1.

    Maybe this clears up the situation.

    Some time ago another weird thing happened on the main pfSense (the one not NATting now): the other VPN configs changed (not by an admin); the contents of the client setup page's advanced box moved to the server's advanced box. But that is another story...


  • LAYER 8 Global Moderator

    So your downstream is not NATting? Where you move from RFC 1918 to public is where you would need to NAT; downstream stuff that is all RFC 1918 does not have to NAT.



  • Hi!

    Thanks for the reply.

    So is this something new in pfSense? This has been working for almost a year. Last week something happened that caused some troubles:

    1. the OpenVPN configs broke,
    2. port 20000 is not NATting,
    3. the VLANs work weirdly (but this is maybe a switch-related problem).

    What changed?


  • LAYER 8 Netgate

    Did you make changes, upgrade, or anything?



  • Hi!

    Thanks for the answer!

    No, only an unexpected blackout happened. But IMHO the RFCs are not an explanation. If I have an internet connection to a router that has an internal network address on its internal interface... If I have more than one... So NATting can work with internal addresses. My Linux routers manage that without any problem.

    I tried:

    Deleting and re-adding the rule.
    Restarting the server.
    NATting other machines on the route.

    Not working. I don't understand why. The other port forwards work, for example 253.1 -> 127.0.0.1 is working (this is needed for the multi-input VPN); that interface is an internet interface too, but we do not use this function.



  • @Aubete:

    Hi!

    Thanks for the answer!

    No, only an unexpected blackout happened. But IMHO the RFCs are not an explanation. If I have an internet connection to a router that has an internal network address on its internal interface... If I have more than one... So NATting can work with internal addresses. My Linux routers manage that without any problem.

    I tried:

    Deleting and re-adding the rule.
    Restarting the server.
    NATting other machines on the route.

    Not working. I don't understand why. The other port forwards work, for example 253.1 -> 127.0.0.1 is working (this is needed for the multi-input VPN); that interface is an internet interface too, but we do not use this function.

    I'll try to explain the structure. See the attached image. (Quick work...)

    ![vpn explanation.jpg](/public/imported_attachments/1/vpn explanation.jpg)



  • Bump!


  • LAYER 8 Netgate

    I don't know if it's the language barrier or too much information in the diagram, but I can't get a handle on what is or is not working. Nor do I understand why NAT is involved on the inside at all.



  • Hi!

    Thanks for the answer.

    So... I'll try again...

    There are two types of sites. One type is on DSL lines; they connect via public internet access to the VPN servers. The second type connects via the MAN (metropolitan area network, multiple sites connected via WLAN) to the VPN servers.

    The first pfSense handles the database connections from the sites. The second pfSense handles the file-related connections from the sites. The first pfSense has 2 internet connections, a MAN connection and several internal LAN connections. The second pfSense has a very fast internet connection, a connection to the first pfSense and a connection to the file servers.

    The MAN sites can't reach the internet except through the first pfSense.

    All sites must be connected to both pfSenses, but the MAN sites can do so only through the first pfSense (which handles the MAN network).

    So the MAN network can't route to the second pfSense's network, so the MAN sites can't reach it.

    Therefore the VPNs' destination is the first pfSense's MAN interface; the first pfSense forwards the port to the second pfSense.

    The problem is that the second pfSense's response to the MAN sites goes through the first pfSense, but the first pfSense does not translate the outgoing packet's source address to the MAN interface's IP address.

    The packet goes through the first pfSense and out to a network that can't handle the second pfSense's IP address; therefore the MAN sites can't build the VPN connection.

    The diagram shows only the structure, not the problem.

