Summary: 1 LAN, 2 WAN, outbound traffic is de-NAT'd on one WAN
interface, but not the other. pfSense-1.2.3-20090224-2349

I'm using pfSense-1.2.3-20090224-2349 because I ran into gmirror
setup problems on 1.2.2.

I was using a single pfsense box with a bunch of proxy arp, with a
single physical external interface, and it was working fine.  I
want to move to a redundant pair with carp, and I'm having NAT
problems.  I added an additional external NIC, as carp addresses
have to match the physical interface they are on.

I'm in a colocation facility, and we have two different netblocks
on the outside (WAN1 and WAN2), and a single network inside
(10.2.1.0/24).  The colo provides an ethernet drop with both external
netblocks on it.  I have a bunch of carp proxy addresses on the
outside with 1:1 NAT.

I can ssh in to my internal server from a remote network just fine.

If I am on an external host in the WAN1 subnet, and ssh to an inside
host through a carp external address in the WAN2 subnet, the packets
get inside correctly, but the return packets from the inside host
end up arriving back on the external host with the inside (rfc 1918)
address, and go out through the WAN1 interface.

i.e.
- host ext1 on WAN1
- sends to carp2 on WAN2 which is 1:1 NAT'd to int2 on LAN
- int2 (10.2.1.43) sends reply packet to ext1
- packet goes out the WAN1 interface (as ext1 is on that netblock)
  but does not get NAT'd, so host ext1 sees packets arriving
  from 10.2.1.43, not an external address

I have two 1:1 NAT rules from carp2/int2 for WAN1 and WAN2, and two
"advanced outbound NAT" rules from 10.2.1.0/24 to anywhere for WAN1
and WAN2.

The traffic seems to come in fine through the WAN1/carp2/int2 1:1
NAT, but does not get NAT'd outbound, through either the 1:1 or
outbound NAT rules.  Removing the WAN/carp2/int2 1:1 NAT rule doesn't
change the behaviour.

A slightly unusual situation I'll admit.  Can anyone offer any help
or suggestions?

Thanks very much!

John Sellens
[email protected]
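The asymmetric path described above (packet arrives via a CARP VIP on one WAN, reply is routed out the other WAN because the external host sits on that netblock) can be enumerated ahead of time from the address plan. The following is an added example, not code from the original post or from pfSense. It models the two connected WAN prefixes plus a default route and flags every (external host, VIP) pair whose inbound and outbound interfaces differ. The WAN prefixes (198.51.100.0/24 and 203.0.113.0/24, RFC 5737 documentation ranges) and the carp2 VIP address are assumptions; the LAN prefix and int2's address are the ones given in the post.

```python
"""Audit a dual-WAN CARP / 1:1 NAT layout for asymmetric return paths.

Added example, not from the original post or from pfSense.  Addresses:
WAN1 = 198.51.100.0/24 and WAN2 = 203.0.113.0/24 are assumed (RFC 5737
documentation ranges); LAN = 10.2.1.0/24 and int2 = 10.2.1.43 are from
the post; the carp2 VIP address is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Union

Addr = Union[str, IPv4Address]


@dataclass(frozen=True)
class Iface:
    name: str
    net: IPv4Network  # directly connected prefix on this interface


WAN1 = Iface("WAN1", ip_network("198.51.100.0/24"))  # assumed prefix
WAN2 = Iface("WAN2", ip_network("203.0.113.0/24"))   # assumed prefix
LAN = Iface("LAN", ip_network("10.2.1.0/24"))        # from the post
IFACES = (WAN1, WAN2, LAN)

# 1:1 NAT mappings, CARP VIP -> internal host (carp2 -> int2 in the post;
# the VIP address itself is an assumption).
BINAT: Dict[IPv4Address, IPv4Address] = {
    ip_address("203.0.113.43"): ip_address("10.2.1.43"),
}


def route_iface(dst: Addr, default: Iface) -> Iface:
    """Longest-prefix match over connected prefixes; otherwise the
    interface that carries the default route."""
    dst = ip_address(dst)
    best: Optional[Iface] = None
    for i in IFACES:
        if dst in i.net and (best is None or i.net.prefixlen > best.net.prefixlen):
            best = i
    return best if best is not None else default


def vip_iface(vip: Addr) -> Iface:
    """A CARP VIP can only sit on the interface whose prefix contains it,
    which is why the post needs a second physical WAN NIC."""
    vip = ip_address(vip)
    for i in IFACES:
        if vip in i.net:
            return i
    raise ValueError(f"{vip} is not inside any interface prefix")


@dataclass(frozen=True)
class Flow:
    ext_host: IPv4Address
    vip: IPv4Address
    internal: IPv4Address
    in_iface: str   # interface the external host's packet arrives on
    out_iface: str  # interface the internal host's reply is routed out of

    @property
    def symmetric(self) -> bool:
        return self.in_iface == self.out_iface


def trace(ext_host: Addr, vip: Addr, default: Iface) -> Flow:
    """Inbound: the VIP's interface.  Reply: plain routing from the
    internal host toward ext_host (no policy routing assumed)."""
    ext_host, vip = ip_address(ext_host), ip_address(vip)
    if vip not in BINAT:
        raise KeyError(f"no 1:1 NAT entry for {vip}")
    return Flow(
        ext_host=ext_host,
        vip=vip,
        internal=BINAT[vip],
        in_iface=vip_iface(vip).name,
        out_iface=route_iface(ext_host, default).name,
    )


def audit(ext_hosts: Iterable[Addr], default: Iface) -> List[Flow]:
    """Every (external host, VIP) pair whose reply leaves a different
    interface than the request entered."""
    return [
        f
        for h in ext_hosts
        for vip in BINAT
        if not (f := trace(h, vip, default)).symmetric
    ]


if __name__ == "__main__":
    # Constructed sample: ext1 on the WAN1 netblock, plus a remote host.
    for f in audit(["198.51.100.10", "192.0.2.7"], default=WAN2):
        print(f"{f.ext_host} -> {f.vip} ({f.internal}): "
              f"in {f.in_iface}, reply out {f.out_iface}  ASYMMETRIC")
```

Run it with the default-route interface that matches the real gateway; the ext1/carp2 case is asymmetric regardless, since ext1 is on a connected prefix, and the audit output lists the pairs for which the reply state and NAT translation have to be looked at on the exit interface rather than the entry interface.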

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org