On Wed, Jun 29, 2016 at 8:27 AM, Jean-Laurent Ivars
wrote:
> Hello Piba (and anyone else…)
>
> Sorry for not having answered before…
>
> To answer your questions, firstly, I’m not in a datacenter, only a client
> office with different ISPs.
>
> I agree with you double NAT is bad but you can’t always get rid of it… and you
> should know that on one of my WAN connections I was technically able to make a
> bridge and I thought the problem was the same with this connection but in
> fact, my fault, bad setting, so with this connection everything is working!
>
> So I stay with my third connection which is not working (double NAT) and only
> with this one, I can see traffic but it’s not working, so I gave a try with
> the flag you requested to try to give more information to understand what
> happens…
>
> from outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from OVH connection (double NAT) = not working
>
> 2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0
> port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4
> (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S],
> seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK],
> length 0
> 14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.],
> seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale
> 7,sackOK,eol], length 0
> 14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.],
> seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale
> 7,sackOK,eol], length 0
> 14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4
> (0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S],
> seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK],
> length 0
>
>
> from outside to port 2223, which is where the SSH daemon is listening on the
> pfSense, from SFR connection (double NAT) = working
>
> [2.3.1-RELEASE][r...@pfsense.concorde-pereire.loc]/root: tcpdump -en -i re0
> port 2223
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
> (0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S],
> seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
> 14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
> (0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.],
> seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale
> 7,sackOK,eol], length 0
> 14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
> (0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.],
> ack 1, win 32850, length 0
> 14:43:47.322754 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
> (0x0800), length 82: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [P.],
> seq 1:29, ack 1, win 32850, length 28
> 14:43:47.322883 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
> (0x0800), length 54: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [.],
> ack 29, win 513, length 0
> 14:43:47.343017 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
> (0x0800), length 75: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [P.],
> seq 1:22, ack 29, win 513, length 21
>
>
> In the light of these new details, I can see that the pfSense is trying to
> respond to the wrong MAC address (the working connection's one)! and that is the
> reason it’s not working! So I had a look at the interface settings and I
> noticed that the MAC address it tries to reply to is the one selected here in
> the menu list; I have two since I have two gateways for one interface in the
> same private network space…
>
> First I want to thank you for helping me clarify what was going wrong (for the
> second pfSense installation it’s a bad coincidence, the problem is with the
> modem configuration which is defective)
>
> So my question now is: how can I set both gateways to have the same
> priority, or at least make the system answer to the address that initiates the
> connection?
>
Don't put two WANs on one interface; the reply-to rules can't properly
handle return routing in that case. Use another NIC or a VLAN for one
of them.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
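The two captures above show the symptom directly: on the broken WAN the SYN arrives from one upstream MAC (a4:b1:e9:f7:13:e8) but the SYN-ACK is sent to the other gateway's MAC (24:95:04:fb:ae:90), so the handshake never completes. The script below is an added example, not part of the thread or of pfSense; it parses `tcpdump -en` output as pasted in a mail (rejoining the wrapped lines), pairs each SYN-ACK with the SYN it answers, and reports every reply whose destination MAC differs from the MAC the SYN came from. The two sample captures are the ones quoted in the thread, embedded as string constants; the function and variable names are this example's own.

```python
"""Detect SYN-ACKs handed to a different next-hop MAC than the matching SYN
arrived from, in `tcpdump -en` output.  Added example built around the two
captures quoted in the thread (constructed constants below, not live input)."""
import re
from typing import Dict, List, Tuple

# One `tcpdump -en` TCP record: time, src MAC > dst MAC, IPv4, src.port > dst.port, flags.
RECORD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>(?:\d{1,3}\.){4}\d+) > (?P<dst>(?:\d{1,3}\.){4}\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")

# Capture from the non-working (OVH) WAN, copied from the thread, still mail-wrapped.
OVH_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:42:56.509422 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4
(0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S],
seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK],
length 0
14:42:56.509584 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
(0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.],
seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale
7,sackOK,eol], length 0
14:42:59.509726 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
(0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49236: Flags [S.],
seq 3034279515, ack 2309097406, win 65228, options [mss 1460,nop,wscale
7,sackOK,eol], length 0
14:42:59.529210 a4:b1:e9:f7:13:e8 > 00:0d:b9:33:7c:6c, ethertype IPv4
(0x0800), length 66: 62.210.139.211.49236 > 192.168.101.254.2223: Flags [S],
seq 2309097405, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK],
length 0
"""

# Capture from the working (SFR) WAN, copied from the thread, still mail-wrapped.
SFR_CAPTURE = """\
14:43:47.280639 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
(0x0800), length 66: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [S],
seq 2327707324, win 9652, options [mss 1460,wscale 3,sackOK,eol], length 0
14:43:47.280797 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
(0x0800), length 66: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [S.],
seq 3881093896, ack 2327707325, win 65228, options [mss 1460,nop,wscale
7,sackOK,eol], length 0
14:43:47.311955 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
(0x0800), length 60: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [.],
ack 1, win 32850, length 0
14:43:47.322754 24:95:04:fb:ae:90 > 00:0d:b9:33:7c:6c, ethertype IPv4
(0x0800), length 82: 62.210.139.211.49239 > 192.168.101.254.2223: Flags [P.],
seq 1:29, ack 1, win 32850, length 28
14:43:47.322883 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
(0x0800), length 54: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [.],
ack 29, win 513, length 0
14:43:47.343017 00:0d:b9:33:7c:6c > 24:95:04:fb:ae:90, ethertype IPv4
(0x0800), length 75: 192.168.101.254.2223 > 62.210.139.211.49239: Flags [P.],
seq 1:22, ack 29, win 513, length 21
"""


def unwrap(capture: str) -> List[str]:
    """Rejoin records a mail client wrapped over several lines.  A line that
    starts with a timestamp opens a new record; other lines are continuations.
    Banner lines before the first record are dropped."""
    records: List[str] = []
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def find_reply_mac_mismatches(capture: str) -> List[Dict[str, str]]:
    """One entry per SYN-ACK whose destination MAC is not the source MAC of
    the SYN it answers: the reply is being handed to the wrong next hop."""
    syn_mac: Dict[Tuple[str, str], str] = {}  # (client, server) -> MAC the SYN came from
    mismatches: List[Dict[str, str]] = []
    for rec in unwrap(capture):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        if m["flags"] == "S":       # inbound SYN: remember which upstream MAC delivered it
            syn_mac[(m["src"], m["dst"])] = m["smac"]
        elif m["flags"] == "S.":    # our SYN-ACK: must go back to that same MAC
            expected = syn_mac.get((m["dst"], m["src"]))
            if expected is not None and expected != m["dmac"]:
                mismatches.append({"time": m["ts"], "flow": f'{m["dst"]} -> {m["src"]}',
                                   "syn_from_mac": expected, "synack_to_mac": m["dmac"]})
    return mismatches


if __name__ == "__main__":
    for name, cap in (("OVH", OVH_CAPTURE), ("SFR", SFR_CAPTURE)):
        for hit in find_reply_mac_mismatches(cap):
            print(name, hit)
```

Run against the OVH capture it reports both SYN-ACKs (the original and the retransmit) as going to 24:95:04:fb:ae:90 although the SYN came from a4:b1:e9:f7:13:e8; the SFR capture produces no report. The same check works on a live `tcpdump -en -i <wan_if> 'tcp[tcpflags] & (tcp-syn) != 0'` feed and is a quick way to confirm, before touching the configuration, that asymmetric return routing rather than a firewall rule is what breaks the handshake.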