Intermittent NAT failures

We're seeing a number of pfSense installs over various versions (2.2.x and 2.3.x) intermittently failing to NAT packets. This happens almost exclusively with UDP streams, but occasionally with ICMP or TCP. Outbound NAT rules are automatic, there's nothing in the log files, and these internal users have other TCP and UDP conversations being NATed properly at the same time.

We're scheduling maintenance windows to try an upgrade to 2.4 to see if the problem is still present there.

Anyone seen anything similar?

I haven't seen anything similar, but I'll keep a tcpdump running on my PPPoE interface towards the world and see if it picks up any un-NATed packets (2.4.2p1).

Kept a tcpdump going for ~8 hours yesterday, never saw any non-NATed packets egressing my PPPoE interface.

Realise this doesn't really help you, just another data point.

What are we looking at there?

What interface is em1?

What do the states look like?

What rule is creating them?

What are your Outbound NAT rules?

You mentioned TCP is not affected but that pcap shows presumably outbound SYNs from addresses. Hard to say whether those were translated or not since details were not provided.

Outbound NAT rules are automatic, so everything should be going through NAT. Firewall rules are a simple allow-all. em1 in the trace is my WAN port and the network is on the LAN side. We're only seeing this on installs with a lot of traffic (e.g. consistently hitting 300-500 Mbps).
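Two checks come up in this thread: watching the WAN interface for packets that left without translation, and looking at the state table to see what rule and translation each flow got. The script below is an added example, not code from the thread or from the pfSense project. It parses `pfctl -ss` output (format assumed: `IFACE PROTO SRC[:PORT] [(ORIGINAL_SRC[:PORT])] -> DST[:PORT] STATE`, where the parenthesised host is the pre-NAT source of an outbound state) and flags states on the WAN interface whose source is an RFC 1918 address with no translation recorded. The interface name `em1`, the `wan_addrs` parameter and the sample state lines are assumptions; the sample lines are constructed with documentation addresses, not captured from a real firewall.

```python
"""Flag pf states on the WAN interface that left without source translation.

Added example, not from the thread or the pfSense project.
Assumed `pfctl -ss` line format:
    IFACE PROTO SRC[:PORT] [(ORIG_SRC[:PORT])] -> DST[:PORT]   STATE
On the firewall:  pfctl -ss | python3 untranslated_states.py em1
"""
import ipaddress
import re
import sys
from collections import Counter

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+->\s+(?P<dst>\S+)\s*(?P<state>\S*)"
)

# Explicit RFC 1918 ranges.  ipaddress's is_private also matches the
# documentation nets used in the constructed sample below, so it is not used.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host_addr(host):
    """Strip the port from pf's host notation: 'a.b.c.d:port' or 'v6addr[port]'."""
    if "[" in host:
        return ipaddress.ip_address(host.split("[", 1)[0])
    return ipaddress.ip_address(host.rsplit(":", 1)[0])


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_untranslated(states_text, wan_iface, wan_addrs=()):
    """Return states on wan_iface whose source is an internal address and
    which carry no NAT translation.  wan_addrs (assumed parameter) lists the
    firewall's own WAN addresses; they are excluded so that a double-NAT
    setup with a private WAN address does not flag the firewall's own flows."""
    own = {ipaddress.ip_address(a) for a in wan_addrs}
    leaks = []
    for line in states_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m or m["iface"] != wan_iface:
            continue
        src = host_addr(m["src"])
        if m["orig"] is None and is_rfc1918(src) and src not in own:
            leaks.append({"proto": m["proto"], "src": m["src"],
                          "dst": m["dst"], "state": m["state"]})
    return leaks


def summarize(leaks):
    """Count flagged states per protocol, to compare with the thread's
    observation that UDP is affected far more often than TCP or ICMP."""
    return dict(Counter(leak["proto"] for leak in leaks))


# Constructed sample output (documentation addresses, not real hosts).
# Lines 1-2 were translated normally; lines 3-4 left em1 untranslated;
# line 5 is on the LAN interface and is ignored for a WAN check.
SAMPLE_STATES = """\
em1 udp 203.0.113.10:61234 (192.168.1.50:5000) -> 198.51.100.53:53       SINGLE:MULTIPLE
em1 tcp 203.0.113.10:48222 (192.168.1.51:48222) -> 198.51.100.80:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.52:5004 -> 198.51.100.7:5004       MULTIPLE:MULTIPLE
em1 icmp 192.168.1.53:1234 -> 198.51.100.9:1234       0:0
em0 udp 192.168.1.50:5000 -> 198.51.100.53:53       SINGLE:MULTIPLE
"""

if __name__ == "__main__":
    wan = sys.argv[1] if len(sys.argv) > 1 else "em1"
    text = SAMPLE_STATES if sys.stdin.isatty() else sys.stdin.read()
    found = find_untranslated(text, wan)
    for leak in found:
        print(f"UNTRANSLATED {leak['proto']:5} {leak['src']} -> "
              f"{leak['dst']} {leak['state']}")
    print("per-protocol:", summarize(found))
```

Run it against the live state table while the problem is occurring rather than afterwards, since UDP and ICMP states expire quickly. A flagged state tells you which flow escaped translation; `pfctl -ss -vv` on the same box then shows the rule number that created it, which answers the "what rule is creating them" question above without needing the packet capture.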


