> On Feb 15, 2018, at 7:29 AM, ad^2 <adsquai...@gmail.com> wrote:
> 
> Hello all,
> 
> Objective - Connect to services from the Internet hosted on an internal
> server assigned an RFC1918 address.
> 
> pfSense version 2.4.2-RELEASE-p1
> 
> I have followed the instructions listed here -
> https://doc.pfsense.org/index.php/1:1_NAT
> 
> [Setup]
> 
> Firewall > Rules > WAN
> protocol, source, port, destination, port, gateway, queue
> IPv4, *, *, 192.168.1.10, *, *, none,
> 
> Firewall > NAT > 1:1
> 
> Interface, External IP, Internal IP, Destination IP
> WAN, <carp_vip_ip>, 192.168.1.10, *
> 
> Problem: Packets returning from 192.168.1.10 stop at the 192.168.1 LAN side
> of the pfSense server never leaving the WAN side.
> 
> [TEST]
> 
> Internet Test Server initiates an SSH connection to the CARP VIP:  ssh
> <carp_vip>
> 
> Packet Trace:
> 
> [TCPDUMP on the 192.168.1.10 Server] - SYN, SYN ACK
> 
> 06:53:24.130161 IP <internet_test_server>.36896 > 192.168.1.10.22: Flags
> [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939
> ecr 0,nop,wscale 7], length 0
> 06:53:24.130227 IP 192.168.1.10.22 > <internet_test_server>.36896: Flags
> [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS
> val 20074848 ecr 953815939,nop,wscale 7], length 0
> 
> [TCPDUMP on the pfSense Server LAN side (em2)] - SYN, SYN ACK
> 
> 06:53:25.351889 IP <internet_test_server>.36896 > 192.168.1.10.22: Flags
> [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939
> ecr 0,nop,wscale 7], length 0
> 06:53:25.353085 IP 192.168.1.10.22 > <internet_test_server>.36896: Flags
> [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS
> val 20074848 ecr 953815939,nop,wscale 7], length 0
> 
> [TCPDUMP on the pfSense Server WAN side (em1)] - SYN
> 
> 06:53:25.351739 IP <internet_test_server>.36896 > <carp_vip>.22: Flags [S],
> seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939 ecr
> 0,nop,wscale 7], length 0
> 
> Problem Note: Packets are not getting forwarded from the LAN interface out
> the WAN interface
> 

I’d want to see the same captures including MAC addresses.

Any firewall blocks logged on LAN there for TCP:SA from 192.168.1.10?

Is this HA or did you just decide to use a CARP VIP on the WAN for the 1:1?

Fairly comprehensive list of things to check here (Something like a captive 
portal active on LAN would look like that): 

  https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list