On Wed, Jun 29, 2016 at 8:27 AM, Jean-Laurent Ivars <[email protected]> wrote:
> Hello Piba (and anyone else…)
>
> Sorry for not having answered before…
>
> To answer your questions, firstly, I'm not in a datacenter, only a client's
> offices with different ISPs.
>
> I agree with you double NAT is bad but you can't always get rid of it… and you
> should know that on one of my WAN connections I was technically able to make a
> bridge and I thought the problem was the same with this connection but in
> fact, my fault, bad setting, so with this connection everything is working!
>
> So I stay with my third connection which is not working (double NAT) and only
> with this one, I can see traffic but it's not working, so I gave a try with
> the flag you requested to try to give more information to understand what
> happens…
>
> From outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from the OVH connection (double NAT) = not working
>
> [2.3.1-RELEASE][[email protected]]/root: tcpdump -en -i re0 port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
> 14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
>
> From outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from the SFR connection (double NAT) = working
>
> [2.3.1-RELEASE][[email protected]]/root: tcpdump -en -i re0 port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
> 14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
> 14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], ack 1, win 32850, length 0
> 14:43:47.322754 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 82: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [P.], seq 1:29, ack 1, win 32850, length 28
> 14:43:47.322883 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 54: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [.], ack 29, win 513, length 0
> 14:43:47.343017 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 75: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [P.], seq 1:22, ack 29, win 513, length 21
>
> In the light of these new details, I can see that the pfSense is trying to
> respond to the bad MAC address (the working connection's one)! And that is the
> reason it's not working!
> So I had a look at the interface settings and I noticed that the MAC address
> it tries to reply to is the one selected here in the menu list, I have two since
> I have two gateways for one interface in the same private network space…
>
> First I want to thank you for helping me clarify what was going wrong (for the
> second pfSense installation it's a bad coincidence the problem is with the
> modem configuration which is defective)
>
> So my question now is: how can I set both the gateways to have the same
> priority or at least make the system answer to the address that initiated the
> connection?
Don't put two WANs on one interface, the reply-to rules can't properly handle return routing in that case. Use another NIC or a VLAN for one of them.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
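The quoted captures show the symptom directly: the SYN-ACK leaves towards a different MAC than the SYN arrived from. The following Python, added here as an example and not part of the thread, parses `tcpdump -en` records and reports every inbound flow whose SYN-ACK went to the wrong next-hop MAC, using the addresses from the two captures above as sample input.

```python
import re

# One record of `tcpdump -en` output: Ethernet src/dst MAC, then the IPv4/TCP summary.
TCPDUMP_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def find_reply_mac_mismatches(lines):
    """Map each inbound flow (client ip, client port, server ip, server port)
    whose SYN-ACK was sent to a MAC other than the one its SYN arrived from
    to (mac_syn_came_from, mac_synack_went_to).  Non-record lines such as
    the shell prompt and tcpdump banners are skipped."""
    syn_src_mac = {}
    mismatches = {}
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        flow = (m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
        if m["flags"] == "S":
            # Remember which upstream MAC (gateway/modem) delivered the SYN.
            syn_src_mac[flow] = m["smac"]
        elif m["flags"] == "S.":
            # Reverse direction: the SYN-ACK must go back out via that same MAC.
            client_flow = (m["dip"], int(m["dport"]), m["sip"], int(m["sport"]))
            expected = syn_src_mac.get(client_flow)
            if expected is not None and expected != m["dmac"]:
                mismatches[client_flow] = (expected, m["dmac"])
    return mismatches

# Sample records taken from the two captures quoted in the thread
# (OVH flow on client port 49236 fails, SFR flow on client port 49239 works).
CAPTURE = [
    "14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S], seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0",
    "14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.], seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S], seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0",
    "14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4 (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.], seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0",
    "14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4 (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.], ack 1, win 32850, length 0",
]

if __name__ == "__main__":
    for flow, (came_from, went_to) in find_reply_mac_mismatches(CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: SYN from {came_from}, SYN-ACK sent to {went_to}")
```

Pipe a live capture in with `tcpdump -en -i re0 port 2223 | python3 script.py` style plumbing (reading `sys.stdin`) to watch for the same asymmetry on any interface that carries more than one gateway.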
