NAT rdr works only on one interface
2.0-BETA4 (i386) built on Fri Oct 22 10:39:54 EDT 2010 FreeBSD totoro.office.p8.ru 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #1: Fri Oct 22 10:36:08 EDT 2010 sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386
I have 2 WAN connections (WAN, WAN_PROMETEY), configured over VLANs (and 1 LAN connection):

em1_vlan302: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:48:8b:4f:2d
	inet6 fe80::211:95ff:fe1d:2644%em1_vlan302 prefixlen 64 scopeid 0x8
	inet 220.127.116.11 netmask 0xffffffe0 broadcast 18.104.22.168
	inet 22.214.171.124 netmask 0xffffffff broadcast 126.96.36.199
	inet 188.8.131.52 netmask 0xffffffff broadcast 184.108.40.206
	inet 220.127.116.11 netmask 0xffffffff broadcast 18.104.22.168
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
	vlan: 302 parent interface: em1
em1_vlan300: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3<RXCSUM,TXCSUM>
	ether 00:30:48:8b:4f:2d
	inet6 fe80::211:95ff:fe1d:2644%em1_vlan300 prefixlen 64 scopeid 0x9
	inet 22.214.171.124 netmask 0xfffffff0 broadcast 126.96.36.199
	inet 188.8.131.52 netmask 0xffffffff broadcast 184.108.40.206
	inet 220.127.116.11 netmask 0xffffffff broadcast 18.104.22.168
	inet 22.214.171.124 netmask 0xffffffff broadcast 126.96.36.199
	inet 188.8.131.52 netmask 0xffffffff broadcast 184.108.40.206
	inet 220.127.116.11 netmask 0xffffffff broadcast 18.104.22.168
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
	vlan: 300 parent interface: em1

I have created 2 identical NAT rdr rules for different interfaces:
If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports
But as a result only the second rule works:

$ telnet 22.214.171.124 3333
Trying 126.96.36.199...
telnet: connect to address 188.8.131.52: Operation timed out
telnet: Unable to connect to remote host

$ telnet 184.108.40.206 3333
Trying 220.127.116.11...
Connected to 18.104.22.168.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4

And it ceased to work after one of the recent updates (the rules hadn't changed for a long time).
#3 Updated by Chris Buechler over 8 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version set to 2.0
The rules are fine, and rdr definitely is working properly. Do a packet capture on WAN, LAN and the internal server and see where the traffic gets and doesn't get.
#4 Updated by ivan primus over 8 years ago
I can confirm this issue. I have 2 WAN interfaces: WAN and WANTMP.
WAN is the default gateway. I did NAT from WANTMP to a LAN IP address, and then a packet capture.
The result is that the gateway routes the LAN IP's answer through the default gateway (WAN).
Packet capture on WANTMP:
11:49:52.202929 IP 22.214.171.124.49391 > 126.96.36.199.80: tcp 0
11:49:55.217386 IP 188.8.131.52.49391 > 184.108.40.206.80: tcp 0
Packet capture on WAN:
11:43:49.328771 IP 192.168.100.111.80 > 220.127.116.11.49218: tcp 0
11:43:52.258881 IP 192.168.100.111.80 > 18.104.22.168.49218: tcp 0
Hope this helps
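Chris asks for per-interface captures, and ivan's captures show the request arriving on WANTMP while the server's answer leaves on WAN. The script below is an added example, not part of this issue or of pfSense, that automates that comparison: it parses `tcpdump -n` style lines from one capture per interface and reports every port-forwarded flow whose reply was seen on a different interface than the one the request arrived on, also noting whether the reply still carried the server's internal address (as in ivan's WAN capture) or had been translated back to the public address. The two captures, the addresses (RFC 5737 documentation ranges) and the `RDR` mapping are constructed for this example.

```python
"""Flag asymmetric replies across per-interface captures on a multi-WAN box.

Added example; not from the pfSense issue. Captures and addresses are constructed.
"""
import re
from collections import namedtuple

# One "tcpdump -n" line: "HH:MM:SS.uuuuuu IP a.b.c.d.sport > e.f.g.h.dport: tcp N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

Packet = namedtuple("Packet", "ts src sport dst dport")


def parse_capture(text):
    """Parse tcpdump text into Packet tuples; lines that do not match are skipped."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"])))
    return packets


def find_asymmetric_replies(captures, rdr):
    """captures: {interface: tcpdump text}
    rdr: {(external_ip, external_port): (internal_ip, internal_port)}

    Returns [(flow, in_if, out_if, translated)] for every forwarded request
    (client -> external ip:port) captured on in_if whose reply was captured on a
    different interface out_if. 'translated' is True when the reply carried the
    external address, False when it still had the internal server address.
    """
    first_seen = {}  # 4-tuple -> interface on which it was first captured
    for ifname, text in captures.items():
        for p in parse_capture(text):
            first_seen.setdefault((p.src, p.sport, p.dst, p.dport), ifname)

    findings = []
    for (client, cport, ext, eport), in_if in first_seen.items():
        if (ext, eport) not in rdr:
            continue  # not a request to a port-forwarded service
        int_ip, int_port = rdr[(ext, eport)]
        # Two possible shapes of the reply: translated back, or leaked untranslated.
        candidates = {
            (ext, eport, client, cport): True,
            (int_ip, int_port, client, cport): False,
        }
        for reverse, translated in candidates.items():
            out_if = first_seen.get(reverse)
            if out_if is not None and out_if != in_if:
                findings.append(((client, cport, ext, eport), in_if, out_if, translated))
    return findings


# Constructed sample captures: request arrives on WANTMP, answer leaves on WAN
# with the server's internal address still in it (same pattern as the report).
CAPTURE_WANTMP = """\
11:49:52.202929 IP 198.51.100.7.49391 > 203.0.113.10.80: tcp 0
11:49:55.217386 IP 198.51.100.7.49391 > 203.0.113.10.80: tcp 0
"""
CAPTURE_WAN = """\
11:49:52.203100 IP 192.168.100.111.80 > 198.51.100.7.49391: tcp 0
11:49:55.217500 IP 192.168.100.111.80 > 198.51.100.7.49391: tcp 0
"""
# Constructed rdr mapping: public VIP on WANTMP forwarded to an internal web server.
RDR = {("203.0.113.10", 80): ("192.168.100.111", 80)}


def report():
    return find_asymmetric_replies({"WANTMP": CAPTURE_WANTMP, "WAN": CAPTURE_WAN}, RDR)


if __name__ == "__main__":
    for flow, in_if, out_if, translated in report():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} came in on {in_if}, "
              f"reply left on {out_if} ({'translated' if translated else 'untranslated'})")
```

Feed it one capture per interface (the pfSense packet-capture page and `tcpdump -n` both produce the line shape it parses) and the rdr entries from the NAT page; an empty result means every reply left on the interface its request arrived on, which is what a working multi-WAN port forward looks like.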
#5 Updated by Pho Bia over 8 years ago
I am also seeing this with my 3 WAN setup.
I have a port forwarded on all 3 interfaces for FTP; it only seems to work for one at a time.
Also, I have a port opened on each interface (but not NATed) to allow SSH access to my pfSense from all WAN connections. It currently only works from one interface.