Bug #969: NAT rdr works only on one interface
Status: closed
Description
pfSense version:
2.0-BETA4 (i386) built on Fri Oct 22 10:39:54 EDT 2010 FreeBSD totoro.office.p8.ru 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #1: Fri Oct 22 10:36:08 EDT 2010 sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386
I have 2 WAN connections (WAN, WAN_PROMETEY), configured over VLANs (and 1 LAN connection):
em1_vlan302: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:30:48:8b:4f:2d
        inet6 fe80::211:95ff:fe1d:2644%em1_vlan302 prefixlen 64 scopeid 0x8
        inet 212.116.101.94 netmask 0xffffffe0 broadcast 212.116.101.95
        inet 212.116.101.70 netmask 0xffffffff broadcast 212.116.101.70
        inet 212.116.101.71 netmask 0xffffffff broadcast 212.116.101.71
        inet 212.116.101.72 netmask 0xffffffff broadcast 212.116.101.72
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 302 parent interface: em1
em1_vlan300: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:30:48:8b:4f:2d
        inet6 fe80::211:95ff:fe1d:2644%em1_vlan300 prefixlen 64 scopeid 0x9
        inet 77.222.44.10 netmask 0xfffffff0 broadcast 77.222.44.15
        inet 77.222.44.12 netmask 0xffffffff broadcast 77.222.44.12
        inet 77.222.44.8 netmask 0xffffffff broadcast 77.222.44.8
        inet 77.222.44.9 netmask 0xffffffff broadcast 77.222.44.9
        inet 77.222.44.6 netmask 0xffffffff broadcast 77.222.44.6
        inet 77.222.44.5 netmask 0xffffffff broadcast 77.222.44.5
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        vlan: 300 parent interface: em1
I have created 2 identical NAT rdr rules for different interfaces:
If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports |
WAN | TCP | * | * | 77.222.44.12 | 3333 | Host_mike | 22 (SSH) |
WAN_PROMETEY | TCP | * | * | 212.116.101.72 | 3333 | Host_mike | 22 (SSH) |
But as a result, only the second rule works:
$ telnet 77.222.44.12 3333
Trying 77.222.44.12...
telnet: connect to address 77.222.44.12: Operation timed out
telnet: Unable to connect to remote host
$ telnet 212.116.101.72 3333
Trying 212.116.101.72...
Connected to 212.116.101.72.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
And it has ceased to work after one of the last updates (the rules didn't change for a long time).
Updated by Chris Buechler about 14 years ago
- Status changed from New to Feedback
- Priority changed from High to Normal
- Target version set to 2.0
The rules are fine and rules and rdr definitely are working properly. Do a packet capture on WAN, LAN and the internal server and see where the traffic gets and doesn't get.
Updated by ivan primus about 14 years ago
I can confirm this issue. I have 2 WAN interfaces: WAN and WANTMP.
WAN is the default gateway. I did NAT from WANTMP to a LAN IP address, and then a packet capture.
The result is that the gateway routes the LAN IP's answer through the default gateway (WAN).
Packet capture on WANTMP:
11:49:52.202929 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0
11:49:55.217386 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0
Packet capture on WAN:
11:43:49.328771 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0
11:43:52.258881 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0
Hope this helps
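The asymmetric reply path described in the comment above can be spotted mechanically from per-interface captures. The following is an added example, not code from the bug report or from pfSense: it parses tcpdump summary lines of the form shown above (the embedded sample input is copied from the captures in the comment) and flags replies that leave on a different interface than the one the client's request arrived on, or that still carry an untranslated private source address.

```python
"""Diagnose multi-WAN reply routing from per-interface tcpdump summary captures."""
import ipaddress
import re

# Matches tcpdump summary lines like
# "11:49:52.202929 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

# Sample input taken from the captures in the comment above (WANTMP is the
# non-default WAN, 192.168.100.111 is the internal server behind the rdr).
SAMPLE_CAPTURES = {
    "WANTMP": """11:49:52.202929 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0
11:49:55.217386 IP 78.1.96.62.49391 > 85.114.55.134.80: tcp 0""",
    "WAN": """11:43:49.328771 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0
11:43:52.258881 IP 192.168.100.111.80 > 78.1.96.62.49218: tcp 0""",
}

def parse_capture(iface, text):
    """Yield (iface, src, sport, dst, dport) for each parseable line."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (iface, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def find_asymmetric_replies(captures):
    """captures: dict mapping interface name -> tcpdump text. Returns unique findings.

    A reply is suspect when its source is still a private (untranslated) address on
    a WAN-facing interface, or when it leaves on an interface other than the one
    that saw the client's inbound request."""
    packets = [p for iface, text in captures.items() for p in parse_capture(iface, text)]
    request_iface = {}  # external client address -> set of interfaces its requests hit
    for iface, src, _sp, dst, _dp in packets:
        if ipaddress.ip_address(src).is_global and ipaddress.ip_address(dst).is_global:
            request_iface.setdefault(src, set()).add(iface)
    findings = []
    for iface, src, sport, dst, dport in packets:
        if not ipaddress.ip_address(src).is_private:
            continue  # only server -> client replies are of interest here
        findings.append(f"{iface}: untranslated reply {src}:{sport} -> {dst}:{dport}")
        wrong = request_iface.get(dst, set()) - {iface}
        if wrong:
            findings.append(f"{iface}: reply to {dst} left here but its request arrived on "
                            + ", ".join(sorted(wrong)))
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order

def diagnose_sample():
    """Run the check over the sample captures from the comment."""
    return find_asymmetric_replies(SAMPLE_CAPTURES)
```

A healthy multi-WAN setup yields an empty list: the reply would appear on WANTMP with the WAN address 85.114.55.134 as its source.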
Updated by Pho Bia about 14 years ago
Hello,
I am also seeing this with my 3 WAN setup.
I have a port forwarded on all 3 interfaces for FTP - it only seems to work for one at a time.
Also, I have a port opened on each interface (but not NATed) to allow SSH access to my pfSense from all WAN connections. It currently only works from one interface.
-- Phob
Updated by ivan primus about 14 years ago
This is fixed with the commits on issue #958 and I think it can be closed.
Updated by Matt Corallo about 14 years ago
Confirmed fixed in the latest snapshots.
Updated by Jim Pingle about 14 years ago
- Status changed from Feedback to Resolved