
Bug #969

NAT rdr work only on one interface

Added by Mike Stupalov over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules/NAT
Target version:
Start date: 10/23/2010
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture:

Description

pfSense version:

2.0-BETA4 (i386)
built on Fri Oct 22 10:39:54 EDT 2010
FreeBSD totoro.office.p8.ru 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #1: Fri Oct 22 10:36:08 EDT 2010 sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

I have 2 WAN connections (WAN, WAN_PROMETEY), configured over VLANs (and 1 LAN connection):

em1_vlan302: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:30:48:8b:4f:2d
    inet6 fe80::211:95ff:fe1d:2644%em1_vlan302 prefixlen 64 scopeid 0x8 
    inet 212.116.101.94 netmask 0xffffffe0 broadcast 212.116.101.95
    inet 212.116.101.70 netmask 0xffffffff broadcast 212.116.101.70
    inet 212.116.101.71 netmask 0xffffffff broadcast 212.116.101.71
    inet 212.116.101.72 netmask 0xffffffff broadcast 212.116.101.72
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    vlan: 302 parent interface: em1
em1_vlan300: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:30:48:8b:4f:2d
    inet6 fe80::211:95ff:fe1d:2644%em1_vlan300 prefixlen 64 scopeid 0x9 
    inet 77.222.44.10 netmask 0xfffffff0 broadcast 77.222.44.15
    inet 77.222.44.12 netmask 0xffffffff broadcast 77.222.44.12
    inet 77.222.44.8 netmask 0xffffffff broadcast 77.222.44.8
    inet 77.222.44.9 netmask 0xffffffff broadcast 77.222.44.9
    inet 77.222.44.6 netmask 0xffffffff broadcast 77.222.44.6
    inet 77.222.44.5 netmask 0xffffffff broadcast 77.222.44.5
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    vlan: 300 parent interface: em1

I have created 2 identical NAT rdr rules for different interfaces:
If            Proto  Src. addr  Src. ports  Dest. addr      Dest. ports  NAT IP     NAT Ports
WAN           TCP    *          *           77.222.44.12    3333         Host_mike  22 (SSH)
WAN_PROMETEY  TCP    *          *           212.116.101.72  3333         Host_mike  22 (SSH)

But as a result, only the second rule works:

$ telnet 77.222.44.12 3333
Trying 77.222.44.12...
telnet: connect to address 77.222.44.12: Operation timed out
telnet: Unable to connect to remote host

$ telnet 212.116.101.72 3333
Trying 212.116.101.72...
Connected to 212.116.101.72.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4

And it ceased to work after one of the last updates (the rules didn't change for a long time).

rules.debug (20.9 KB) rules.debug Mike Stupalov, 10/23/2010 07:31 AM

History

#1 Updated by Ermal Luçi over 8 years ago

Can you show the /tmp/rules.debug?

#2 Updated by Mike Stupalov over 8 years ago

OK, see the attachment.

#3 Updated by Chris Buechler over 8 years ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal
  • Target version set to 2.0

The rules are fine, and rdr definitely is working properly. Do a packet capture on WAN, LAN and the internal server and see where the traffic gets and doesn't get.

#4 Updated by ivan primus over 8 years ago

I can confirm this issue. I have 2 WAN interfaces: WAN and WANTMP.
WAN is the default gateway. I did NAT from WANTMP to a LAN IP address, and then a packet capture.
The result is that the gateway routes the LAN IP's answer through the default gateway (WAN).

Packet capture on WANTMP:
11:49:52.202929 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0
11:49:55.217386 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0

Packet capture on WAN:
11:43:49.328771 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0
11:43:52.258881 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0

Hope this helps
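The captures above show the classic asymmetric path of a port forward on a non-default WAN: the SYN arrives on WANTMP, the SYN/ACK leaves via the default route on WAN. The pf feature that pins a state's replies to the receiving interface is reply-to; the fragment below is an added example, not from this thread or from pfSense's generated rules, and assumes em1_vlan300 carries the default route while the second WAN's gateway and the internal host address are constructed placeholders.

```pf
# Added example (not from the thread or pfSense): keep rdr replies on the
# interface that received the connection. Interface names follow the ifconfig
# output in the report; wan2_gw and host_mike are constructed placeholders.
wan1_if   = "em1_vlan300"     # WAN: assumed to carry the default route
wan2_if   = "em1_vlan302"     # WAN_PROMETEY: no default route via this path
wan2_gw   = "212.116.101.65"  # constructed: upstream gateway on WAN_PROMETEY
host_mike = "192.168.1.10"    # constructed: the internal SSH server

# Translation rules (pre-4.7 pf syntax, as shipped with FreeBSD 8.1):
# one rdr per public address, both landing on the same internal host.
rdr on $wan1_if proto tcp from any to 77.222.44.12   port 3333 -> $host_mike port 22
rdr on $wan2_if proto tcp from any to 212.116.101.72 port 3333 -> $host_mike port 22

# Filter rules match the already-translated destination. Replies for the
# default-route WAN follow the routing table, so a plain pass is enough.
pass in quick on $wan1_if proto tcp from any to $host_mike port 22 keep state

# Without reply-to, the state created here would send the SYN/ACK out $wan1_if
# (the default route): the exact asymmetry seen in the WANTMP/WAN captures.
# reply-to forces return packets of this state out $wan2_if via its gateway.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) \
    proto tcp from any to $host_mike port 22 keep state
```

To check the effect, capture on both WAN interfaces while connecting to the second public address: the SYN/ACK should now leave $wan2_if instead of $wan1_if.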

#5 Updated by Pho Bia over 8 years ago

Hello,

I am also seeing this with my 3 WAN setup.

I have a port forwarded on all 3 interfaces for FTP - it only seems to work for one at a time.

Also, I have a port opened on each interface (but not NATed) to allow SSH access to my pfSense from all WAN connections. It currently only works from one interface.

-- Phob

#6 Updated by ivan primus over 8 years ago

This is fixed with the commits on issue #958, and I think it can be closed.

#7 Updated by Matt Corallo over 8 years ago

Confirmed fixed in the latest snapshots.

#8 Updated by Jim Pingle over 8 years ago

  • Status changed from Feedback to Resolved
