Bug #6126

closed

NAT issue unsure if inbound, outbound or both

Added by Xuridisa Support about 8 years ago. Updated about 8 years ago.

Status: Duplicate
Priority: Normal
Category: Virtual IP Addresses
Target version: -
Start date: 04/12/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: amd64

Description

I have a simple config whereby inbound NAT redirects tcp/443 traffic to a web server. Additionally I have an outbound NAT rule that translates traffic originating from the web server to the same external address as the inbound rule. The rules specific to hosts, described by aliases, are listed before a generic rule for the network. This configuration worked perfectly in 2.2. After an upgrade this is no longer working at all, and for the time being I have reverted to 2.2 again to retain functionality.

I have also tested changing the aliases to specific IP addresses, which does not change functionality.

I expect you'll have many reports of this sort of issue so logged as high priority. Certainly for me (a long time pfSense user - from 1.0 days even :) ) it renders the 2.3 release unusable at the moment.

Actions #1

Updated by Chris Buechler about 8 years ago

  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

Going to have to give us something more than that. Inbound and outbound NAT in general all works fine. What specifically doesn't work? No inbound, no outbound, neither? Traffic being passed? What do the states look like?

Actions #2

Updated by Xuridisa Support about 8 years ago

On reflection I consider it a simple config, but in actual fact it perhaps isn't :)

I am running two node CARP with a /29. There are IP Aliases which are associated with a CARP WAN VIP.

On further diagnostics it appears that the issue may be related to the IP Aliases on the CARP WAN VIP. I say this because it seems that inbound and outbound NAT seem to work fine on the WAN CARP address, but not on the WAN IP Alias.

Hopefully that helps?

Actions #3

Updated by Chris Buechler about 8 years ago

  • Category changed from Rules / NAT to Virtual IP Addresses
  • Assignee set to Chris Buechler

Sounds like an issue of some sort with the virtual IP. But IP aliases on CARP IPs work fine. It requires a config upgrade to change to the _vip uniqid values, which has been tested to work, but might be an edge case issue there.

Could you get me into your system? Direct or screen share. Email me if so, cmb at pfsense dot org.

Actions #4

Updated by Xuridisa Support about 8 years ago

A bit more of an update.

I have upgraded both nodes again directly from 2.2.6 to 2.3. Everything (as it has done previously also) works immediately after the upgrade. After a period (unsure of duration) it has previously stopped working. Even after a reboot of the nodes it did not resume working. It is at this point that I previously reverted back to 2.2.6.

From your note I have gone and reentered, using the same values, the passwords for each of the 9 VIPs.

I'll provide an update later today or tomorrow to indicate if the system is still working, or if it stops again.

Actions #5

Updated by Xuridisa Support about 8 years ago

Has suddenly stopped working again. Seemed to have been fine for around 6 hours. Very interesting?

I should also add that both nodes have been rebooted and this does not resolve the issue.

Additional detail. I actually stopped the slave node, and rebooted the primary, same issue. Was interested to see if something may have been retained by the primary or slave remaining available.

Actions #6

Updated by Chris Buechler about 8 years ago

  • Status changed from Feedback to Duplicate
  • Affected Version deleted (2.3)

Worked with Andrew on this, the root cause is #6164.

Actions #7

Updated by Xuridisa Support about 8 years ago

All confirmed working still, after approx 12 hours. Was obviously the IP Aliases being disassociated with the CARP VIP parent.
