Hi - I've done some more experimenting on this problem I ran into in March. Near as I can tell, 1:1 NAT fails sometimes, and will sometimes put internal addresses on the outside.
Using pfsense 1.2.3-RC1 (built on Wed Apr 22 15:36:34 EDT 2009) I see two failure modes for 1:1 NAT with dual WAN ports, one which is clearly failing, and one which looks wrong.

I have two WAN networks - WAN1 and WAN2. I have an internal LAN host with a 1:1 NAT to a WAN1 address. I see this behaviour with a proxy arp virtual IP and with a carp virtual IP.

If a host on WAN2 tries to TCP to the LAN host, the traffic goes in via WAN1 to LAN - as expected. But the replies from LAN to the WAN2 address:
- go out the WAN2 firewall interface, when the 1:1 NAT should cause them to go out the WAN1 interface
- and go out with the *internal* address - so the originating host on WAN2 sees reply packets with the internal address on them, and (rightly) rejects them

This is clearly incorrect behaviour - the internal addresses should not show up on the outside. And I would expect the 1:1 NAT rule to send all traffic from the LAN host out the WAN1 port (where the 1:1 NAT mapping is), regardless of the destination.

The second unexpected behaviour: if LAN makes a TCP connection to a host on WAN2, the traffic gets NATted to the WAN2 firewall address and goes out that interface. So the connection works, but the external address doesn't see the traffic as coming from the 1:1 NAT address on WAN1 - it comes from the firewall address on WAN2.

I stared at the generated rules in March/April, and I ended up guessing that this might be a problem in pf, rather than something that's pfsense-specific. I just replicated this in a new dead simple pfsense install in a vmware environment, so I don't think it's something specific to my original setup.

Right now, in production, I've sort of dodged the issue by running VMware ESXi on my firewall boxes, and having two pairs of carp-ed firewalls, one for each WAN. But it's complicated, and the 4 firewall and ESX overhead is visible - slow traffic, and occasional huge (near 1 second) packet delays.
I don't want to have to move to 4 physical firewalls for my little internal network. Can anyone suggest a fix or a workaround? Thanks very much!

John

| From jsellens Wed Mar 4 10:12:31 2009
| To: [email protected]
| Subject: dual wan, outbound NAT not working on one
|
| Summary: 1 LAN, 2 WAN, outbound traffic is de-NAT'd on one WAN
| interface, but not the other. pfSense-1.2.3-20090224-2349
|
| I'm using pfSense-1.2.3-20090224-2349 because I ran into gmirror
| setup problems on 1.2.2.
|
| I was using a single pfsense box with a bunch of proxy arp, with a
| single physical external interface, and it was working fine. I
| want to move to a redundant pair with carp, and I'm having NAT
| problems. I added an additional external NIC, as carp addresses
| have to match the physical interface they are on.
|
| I'm in a colocation facility, and we have two different netblocks
| on the outside (WAN1 and WAN2), and a single network inside
| (10.2.1.0/24). The colo provides an ethernet drop with both external
| netblocks on it. I have a bunch of carp proxy addresses on the
| outside with 1:1 NAT.
|
| I can ssh in to my internal server from a remote network just fine.
|
| If I am on an external host in the WAN1 subnet, and ssh to an inside
| host through a carp external address in the WAN2 subnet, the packets
| get inside correctly, but the return packets from the inside host
| end up arriving back on the external host with the inside (rfc 1918)
| address, and go out through the WAN1 interface.
|
| i.e.
| - host ext1 on WAN1
| - sends to carp2 on WAN2 which is 1:1 NAT'd to int2 on LAN
| - int2 (10.2.1.43) sends reply packet to ext1
| - packet goes out the WAN1 interface (as ext1 is on that netblock)
|   but does not get NAT'd, so host ext1 sees packets arriving
|   from 10.2.1.43, not an external address
|
| I have two 1:1 NAT rules from carp2/int2 for WAN1 and WAN2, and two
| "advanced outbound NAT" rules from 10.2.1.0/24 to anywhere for WAN1
| and WAN2.
|
| The traffic seems to come in fine through the WAN1/carp2/int2 1:1
| NAT, but does not get NAT'd outbound, through either the 1:1 or
| outbound NAT rules. Removing the WAN/carp2/int2 1:1 NAT rule doesn't
| change the behaviour.
|
| A slightly unusual situation I'll admit. Can anyone offer any help
| or suggestions?
|
| Thanks very much!
|
| John Sellens
| [email protected]
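Editor's added example, not the poster's generated rules or anything else from this thread: a minimal hand-written pf.conf for the topology in the current message (1:1 host mapped to a WAN1 address, both WAN netblocks on one drop) that pins the return and outbound path of the 1:1 host to WAN1 with pf's reply-to and route-to options. Interface names em0/em1/em2, the public addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for the two colo netblocks) and the two gateway addresses are assumptions; 10.2.1.0/24 and 10.2.1.43 are the values the post gives. Whether this changes the behaviour the poster saw on the 1.2.3 builds is not something the thread confirms.

```pf
# Added example (not the poster's ruleset).  Interface names, public
# addresses and gateway addresses are assumptions; the LAN network and
# 10.2.1.43 come from the post.
ext1_if = "em0"              # WAN1
ext2_if = "em1"              # WAN2
int_if  = "em2"              # LAN
lan_net = "10.2.1.0/24"
int2    = "10.2.1.43"        # LAN host with the 1:1 mapping
pub2    = "198.51.100.43"    # its public address, in WAN1's netblock
wan1_gw = "198.51.100.1"     # assumed upstream router on WAN1
wan2_gw = "203.0.113.1"      # assumed upstream router on WAN2

# Translation.  The 1:1 (binat) mapping exists only on the interface
# that owns the public address; everything else from the LAN hides
# behind each WAN interface's own address.
binat on $ext1_if from $int2 to any -> $pub2
nat on $ext1_if from $lan_net to any -> ($ext1_if)
nat on $ext2_if from $lan_net to any -> ($ext2_if)

block in log all
pass out all keep state

# Inbound to the 1:1 host (filter rules see the post-translation
# address).  reply-to records WAN1 and its gateway as the return path
# for this state, so a client that sits in WAN2's netblock still gets
# its replies via WAN1, where the binat translates 10.2.1.43 to $pub2,
# instead of directly out WAN2 with the internal source address.
pass in on $ext1_if reply-to ($ext1_if $wan1_gw) proto tcp \
    from any to $int2 port ssh flags S/SA keep state

# Outbound from the 1:1 host.  route-to sends it out WAN1 regardless of
# the routing table, so it is always seen as $pub2 even when talking
# to hosts in WAN2's netblock.  quick makes this win over the general
# LAN rule below (pf otherwise takes the last matching rule).
pass in quick on $int_if route-to ($ext1_if $wan1_gw) \
    from $int2 to ! $lan_net keep state

# Remaining LAN hosts follow the routing table and the per-WAN nat rules.
pass in on $int_if from $lan_net to any keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`; on a pfSense box of this vintage the GUI regenerates /tmp/rules.debug, so the practical step is to compare that file against the shape above rather than to edit pf.conf by hand. To confirm the leak the post describes is gone, watch each WAN interface for untranslated sources, e.g. `tcpdump -ni em1 'src net 10.2.1.0/24'`; it should stay silent once the 1:1 host's replies are pinned to WAN1.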
