Project

General

Profile

Actions

Bug #2777

closed

NAT-Port forwarding dont work in Multi-WAN configuration, if the first WAN Interface have an higher Tier.

Added by Marvin Klose almost 12 years ago. Updated over 9 years ago.

Status:
Rejected
Priority:
High
Assignee:
-
Category:
Multi-WAN
Target version:
-
Start date:
01/24/2013
Due date:
% Done:

0%

Estimated time:
1.00 h
Plus Target Version:
Release Notes:
Affected Version:
2.0.x
Affected Architecture:

Description

Nat(Port-forwarding) dont work with Multi-Wan, when the First WAN1-Interface has an higher Priotiy(Tier) or no Gateway Group is used and the first WAN1 is set as default.
If i use the WAN2 interface as default or higher Tier everything is ok.
I solved the problem for me, by switching the assignment from the both WAN Interfaces.
I think that if the WAN1 is default or higher, that Traffic always leave the Pfsene over it.
With WAN2 as default oder higher Tier, it leaves it there from where it comes.
With the same Tier on both Interfaces it works, too.

Actions #1

Updated by Jim Pingle almost 12 years ago

  • Status changed from New to Rejected

Port Forwarding (inbound) has nothing to do with Gateway Groups (outbound).

Please post in the forum for a more thorough diagnosis to rule out a configuration error before opening a ticket.

Actions #2

Updated by Anonymous almost 12 years ago

I have had the exact same issue. So we already know it's multiple affected users.

The issue is in the default routing table of PFsense.(my guess)

When you got to Diagnostics: Routing tables ; Look at your first IPV4 default route. You will notice the gateway IP will be your 'WAN' Connection ( The Default NIC that PFSense sets in the initial setup as your 'WAN').

The issue that is at hand when you are trying to NAT and have a Gateway Group that is using load balancing with 2 WAN gateways set as Tier 1 ..

SERVER 1 (Port80) ---------------> ----Tier 1----------> 'WAN'
SWITCH -----------> PFSENSE
SERVER 2 (Port80) ---------------> ----Tier 1----------> 'OPT1'

Now when you have have this config , and you check to see if the port is open. It will be open on 'WAN'. Now no matter what you check or what I do , I have been unable to have the port open on 'OPT1'. Now the only way I have fixed this issue, Same with Marv above.. If you set the 'OPT1' Gateway as default , check the port. It will be open. Go back , Un-default 'OPT1' so there is no default again. Just as the Multiwan Gateway load balance should be. It will work work. You can also refer to my post. http://forum.pfsense.org/index.php/topic,57927.0.html

This is a BUG , Please do not disregard

Actions #3

Updated by Jim Pingle almost 12 years ago

Please discuss it on the forum until a developer confirms a bug exists.

You still could have a configuration issue (e.g. You don't have the gateway selected on the Interface screen, resulting in a lack of reply-to on the rules, or you have reply-to disabled for some reason).

Actions #4

Updated by Anonymous almost 12 years ago

Ok , So you know what. That's fine. You guy's dont think it's a bug.. It's pathetic PFSense is the most powerful open source firewall but when ignorance like this is taken, It makes me have very little faith in the open source community.

TAKE IT TO THE LAB AND PROVE ITS NOT A BUG. I Have taken this to the lab for over 3 weeks, and Marv here also. I know for a fact we 2 are not the only users that have had this issue.

Dont Trust me Jim..Go test it yourself this is NOT A configuration issue. Go see my post , reply 10 with that config it works. And will work the first time no issue, then if you make a change in the config the only way to get NAT to work on both WAN ip's is ff you go to your system gateways, select the OPT1 interface, and make that default gateway, save go back un default it so now you have no defaults. and NAT will work again

IF THATS NOT A BUG, then I need to go back and re-educate myself ;)

Actions #5

Updated by Jim Pingle almost 12 years ago

Robert Stefanovic wrote:

Ok , So you know what. That's fine. You guy's dont think it's a bug.. It's pathetic PFSense is the most powerful open source firewall but when ignorance like this is taken, It makes me have very little faith in the open source community.

The main problem is that you're not following procedure or listening to what I'm saying here. There is no link to the forum post on the ticket, so no context. There was, until late last night, no developer commenting on the thread that I just happened to stumble upon in the forum.

TAKE IT TO THE LAB AND PROVE ITS NOT A BUG. I Have taken this to the lab for over 3 weeks, and Marv here also.

The burden is not on the developers to prove it's not a bug. We can't test every possible combination of configuration options. We need as much detail as possible about a person's config to narrow things down, and there are key parts missing from the forum post.

I know for a fact we 2 are not the only users that have had this issue.

I only see you and the other guy in the thread. Where are the others? I set this up several times every week for customers, and there are hundreds/thousands of them working fine.

Dont Trust me Jim..Go test it yourself this is NOT A configuration issue. Go see my post , reply 10 with that config it works. And will work the first time no issue, then if you make a change in the config the only way to get NAT to work on both WAN ip's is ff you go to your system gateways, select the OPT1 interface, and make that default gateway, save go back un default it so now you have no defaults. and NAT will work again

There is no copy of the raw config.xml or /tmp/rules.debug to test it myself.

IF THATS NOT A BUG, then I need to go back and re-educate myself ;)

If what the last posts on the thread indicate is true, it is a configuration issue. Not a bug. Don't use 'rdr pass' for multi-wan port forwards.

But the real issue here is that this discussion belongs on the forum until a developer confirms if it's a bug of not. There is not enough raw info on the thread to tell anything definitively. Opening a ticket was premature. If we get info that does confirm it's a bug, then we can open a ticket. But that's the proper procedure.

Actions #6

Updated by Anonymous almost 12 years ago

  • File config.xml added
  • File rules.debug added

Here is my raw config.xml & /tmp/rules.debug

http://m37offroading.ca/PFSENSE/config.xml

http://m37offroading.ca/PFSENSE/rules.debug

I have also uploaded them here. I will get you copies of the failed config.xml and rules.debug by Monday.

Actions #7

Updated by Chris Buechler almost 12 years ago

  • File deleted (config.xml)
Actions #8

Updated by Chris Buechler almost 12 years ago

  • File deleted (rules.debug)
Actions #9

Updated by Anonymous over 11 years ago

I have the same problem. Port forwards from a secondary gateway DON'T work. They only work if the default route is the same gateway as the port forward.

Here is a form link where no one has responded:
[[http://forum.pfsense.org/index.php/topic,64548.0.html]]

Actions #10

Updated by Chris Buechler over 9 years ago

  • Target version deleted (2.1)
Actions

Also available in: Atom PDF