Topic: [SOLVED] NAT broke after 2.4.0 upgrade

mlanner
[SOLVED] NAT broke after 2.4.0 upgrade
« on: October 19, 2017, 04:33:04 pm »
Or at least that's my working theory right now.

Under 2.3 I had a few NAT port forwarding rules for SSH setup from WAN to DMZ addresses on one of my firewalls. It's been working for years through many, many upgrades. Suddenly, after upgrade to 2.4.0, it's not working anymore.

How did I conclude NAT broke? This is what I've tested so far:

* Firewall rules applied directly to the WAN interface, like OpenVPN, work fine.
* If I'm behind the firewall, or VPN'd in, I can SSH to the same machines without a problem.
* My WAN IP subnet is defined as individual Proxy ARP VIPs.
   * Each VIP is defined as a /32.
* My NAT rules used aliases for both the internal IPs and ports.
   * I've tested not using aliases in my NAT statements. It doesn't make a difference.
   * I've tested deleting the old NAT statements and recreating them. No go.

I'm sure I must have missed something in release notes or whatever, but I feel I've tried everything I can think of now and still can't get back to a working state.

I also found this https://forum.pfsense.org/index.php?topic=133169.msg731990#msg731990 post, which seems to indicate that aliases could be a problem. Since I've tried removing aliases and even recreating the NAT statements, I don't think that's it.
« Last Edit: October 30, 2017, 10:59:47 am by mlanner »

arrmo
Re: NAT broke after 2.4.0 upgrade
« Reply #1 on: October 19, 2017, 05:05:47 pm »
Yep, with the IP address hard-coded, all works fine. I'm afraid to change it back now to test ... ;).

mlanner
Re: NAT broke after 2.4.0 upgrade
« Reply #2 on: October 25, 2017, 01:13:53 pm »
@arrmo

I still can't get it to work with hard-coded addresses instead of aliases. However, I think I've narrowed it down to using Virtual IPs. If I move a rule from using a "Virtual IP" with "Proxy ARP" to instead use my "WAN address", as defined by pfSense, it does work properly and does the NAT as expected. Obviously, that's an issue. I see other people also having similar problems.

mlanner
Re: NAT broke after 2.4.0 upgrade
« Reply #3 on: October 30, 2017, 10:58:57 am »
SOLVED!

The problem with my setup was that I was using Proxy ARP for my VIPs. Obviously, as noted earlier, Proxy ARP has worked flawlessly up until the 2.4 release. Once I changed Proxy ARP to IP Alias, things started working again. For my Proxy ARP setup, I used to create the VIPs as /32. With my new IP Alias setup, I have adjusted the VIP to match the WAN subnet provided by my ISP.
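An added audit helper (not from this thread or the pfSense project) that scans a pfSense config.xml for NAT port forwards whose destination is a Proxy ARP VIP, the combination mlanner found broken on 2.4.0, and prints the IP Alias form that fixed it. The virtualip/vip and nat/rule element layout and names are assumed from pfSense's config format; check them against your own backup before trusting the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (assumed layout, not a real backup):
# two WAN VIPs, one Proxy ARP /32 used by an SSH port forward and one already
# converted to an IP Alias carrying the ISP's /28 mask.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface><descr>ssh-dmz-vip</descr>
      <type>single</type><subnet>203.0.113.10</subnet><subnet_bits>32</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><descr>web-vip</descr>
      <type>single</type><subnet>203.0.113.11</subnet><subnet_bits>28</subnet_bits></vip>
  </virtualip>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>203.0.113.10</address><port>22</port></destination>
      <target>192.168.50.5</target><local-port>22</local-port><descr>SSH to DMZ host</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>203.0.113.11</address><port>443</port></destination>
      <target>192.168.50.6</target><local-port>443</local-port><descr>HTTPS to DMZ host</descr></rule>
  </nat>
</pfsense>"""

def proxyarp_vips(root):
    """Map VIP address -> prefix length for every VIP still in Proxy ARP mode."""
    return {vip.findtext("subnet"): int(vip.findtext("subnet_bits", "32"))
            for vip in root.findall("virtualip/vip")
            if vip.findtext("mode") == "proxyarp"}

def affected_forwards(config_xml, wan_subnet_bits):
    """Return the NAT port forwards whose destination is a Proxy ARP VIP, each
    with the IP Alias replacement the thread ended up using: same address, but
    a mask matching the ISP-provided WAN subnet instead of /32."""
    root = ET.fromstring(config_xml)
    vips = proxyarp_vips(root)
    findings = []
    for rule in root.findall("nat/rule"):   # port forwards only, not filter rules
        dest = rule.findtext("destination/address")
        if dest in vips:
            findings.append({
                "rule": rule.findtext("descr", ""),
                "vip": f"{dest}/{vips[dest]}",
                "target": f"{rule.findtext('target')}:{rule.findtext('local-port')}",
                "suggested_vip": f"ipalias {dest}/{wan_subnet_bits}",
            })
    return findings

if __name__ == "__main__":
    for finding in affected_forwards(SAMPLE_CONFIG, wan_subnet_bits=28):
        print(finding)
```

Run it against a decrypted config backup with the prefix length your ISP assigned; only forwards still pointing at Proxy ARP VIPs are listed.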