On Mon, 20 Feb 2012 15:06:42 +0100 Oliver Schad <[email protected]> (by way of Oliver Schad <[email protected]>) (by way of Oliver Schad <[email protected]>) wrote:
> I don't get it - why can I ping an external IP inside a LAN which uses > NAT reflection but I can't use TCP? > > The target addresses of the ICMP packets are rewritten to the internal > one and the traffic goes through the pfSense FW on the ethernet level > (I can see the MAC addresses of the pfsense FW on the target as > source). > > Is this stuff filtered in a special way? Does somebody have a hint to > debug this? Ok, there are more things strange: with https the traffic is redirected internally, means the traffic is sent from the requesting host to it's gateway, because the destination IP, which is reflected, is outside. The gateway sent the packet back to the destination (which is internal - that's the reason I use NAT reflection), rewrites the destination to the internal address but still uses the internal source address. So the answer goes direct to the source and not back again through the gateway which means the answering IP for the http client is not the requested IP which means the answer is rejected. If I use http instead https the packet goes initially again to the gateway, cause the destination is still outside the internal LAN. The gateway sents this traffic to the external interface and does no NAT reflection. WTF? For NAT Reflection the gateway should always rewrite the source address of the client because it's the only way to respond with the correct IP (the server can't know the correct IP address because the destination IP was rewritten, so it looks like a normal internal request). And why does in a 1:1 NAT setup https and http behave different (but both behaviours doesn't work). What did I do wrong? Any suggestions? Regards Oli
signature.asc
Description: PGP signature
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
