Topic: Incoming traffic to 1:1 NAT targets gets confused once in a great while

rnmixon
Our pfSense firewall is at version 2.3.4.  We have a Cox broadband connection with the standard static IP plus a CIDR block of 16 "/28" addresses.

For each address we are using in the CIDR block (9 of the 16) we have both a virtual IP and a 1:1 NAT entry.

We then define regular NAT port forwarding, just for the ports we have external services listening on.

For almost three years this has been working fine. But in the last six months we are seeing a request to one of the virtual IPs return a response from a server that is assigned to a different virtual IP.

The problem only happens every two or three weeks, usually just a handful of times. We've been able to capture the request/responses using the browser's web control panel and then look in the server logs to see the response being returned.

We've re-reviewed our rules and they seem right. We've also got logging turned on for the corresponding firewall rules, but that does not really help much.

Does anyone have any idea on how we might isolate the problem or what the problem might be?

Thank you much - Richard

jimp
Re: Incoming traffic to 1:1 NAT targets gets confused once in a great while
« Reply #1 on: November 09, 2017, 03:23:08 pm »
So you have 1:1 NAT and then port forwards defined on top with the same destinations? That isn't necessary. You only need 1:1 NAT + Firewall rules.

Port forwards take precedence over 1:1 NAT on the inbound traffic, so your 1:1 NAT may be fine, but if something happened to the port forward then it may misbehave.

Are you using aliases anywhere in the port forwards? Anything special in the destinations?
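The precedence described in the reply above, as an added example (not part of the thread and not pfSense code): a small Python model that flags port forwards, including ones with alias destinations, whose target differs from the 1:1 NAT host for the same external IP. The addresses, the alias name `web_vips`, and the dictionary layout are constructed for illustration, and first-match evaluation among port forwards is an assumption of the model.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
ONE_TO_ONE = {"203.0.113.2": "10.0.0.2", "203.0.113.3": "10.0.0.3"}
ALIASES = {"web_vips": ["203.0.113.2", "203.0.113.3"]}  # hypothetical alias
PORT_FORWARDS = [
    {"dest": "203.0.113.2", "proto": "tcp", "port": 443, "target": "10.0.0.2"},
    # One alias covering two virtual IPs, but only a single target host.
    {"dest": "web_vips", "proto": "tcp", "port": 80, "target": "10.0.0.2"},
]


def expand(dest, aliases):
    """Return the external IPs a port-forward destination covers."""
    members = aliases.get(dest, [dest])
    return [str(ipaddress.ip_address(m)) for m in members]


def effective_target(ext_ip, proto, port, one_to_one, forwards, aliases):
    """Internal host that receives an inbound connection in this model.

    A matching port forward wins; otherwise the 1:1 mapping applies.
    """
    for fwd in forwards:
        same_service = (fwd["proto"], fwd["port"]) == (proto, port)
        if same_service and ext_ip in expand(fwd["dest"], aliases):
            return fwd["target"]
    return one_to_one.get(ext_ip)


def audit(one_to_one, forwards, aliases):
    """List (ext_ip, proto, port, forward_target, one_to_one_target) mismatches."""
    findings = []
    for fwd in forwards:
        for ext_ip in expand(fwd["dest"], aliases):
            expected = one_to_one.get(ext_ip)
            if expected is not None and fwd["target"] != expected:
                findings.append(
                    (ext_ip, fwd["proto"], fwd["port"], fwd["target"], expected)
                )
    return findings


if __name__ == "__main__":
    for finding in audit(ONE_TO_ONE, PORT_FORWARDS, ALIASES):
        print("port forward overrides 1:1 NAT: %s %s/%d -> %s (1:1 says %s)" % finding)
```

A finding means requests to that external IP and port reach a different server than the 1:1 entry suggests, which is the symptom described in the first post.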