PFSense question



So I've noticed this very rarely, but at work I just now updated 2 NAT 1:1 entries and from the outside those entries didn't update. In the firewall logs I can see the old IP is still the one the 1:1 is being handled on. I cleared states and reloaded the filter, nothing.

 

I've never figured it out, but until now it's always happened at home. Usually a reboot fixes it. But I want to know what the god damn problem is instead of rebooting. Obviously rebooting in production isn't possible. Well, it's lunch time so it's possible, but someone will bitch. Since it's Monday and I just don't have patience for it, I'm going to wait until tonight to reboot.

 

Anyone know why this happens or if there's an easy way to fix it besides clearing states / reloading the filter?

 

Thanks,

Sikh


Why would you not bring this up on the pfSense board? That is the place for pfSense questions like this.

 

What version are you running? Why are you doing 1:1 in the first place? Let's see your NATs and what you say is not working. Do you have a range of public IPs, what is the CIDR /??  How do you have them set up on pfSense?



Yes, please tell us


@Budman: I figured someone would help here faster than the pfSense boards. I've posted there before and got answers 3 days later. We have a /28 for our WAN connection. So I'm setting up public IPs for each individual server that needs external access for customers. So my 1:1 is set up like below:

 

12.xxx.xxx.x18 > 192.168.xxx.102

 

I changed it to 192.168.xxx.105 and it's still showing in the firewall logs that everything hitting .18 is going to .102 and not .105. What would I do instead of 1:1? I have virtual IPs set up for the IPs we have available on the WAN connection and then 1:1 them to the appropriate server. What should I be doing instead?

 

I'm running pfSense version 2.1.2-RELEASE.


Well, there is no reason to do a 1:1, to be honest, when all you need is forwards of specific ports. Sure, you could create VIPs.. So is the /28 routed to you, or just on the pfSense WAN? Are you setting up firewall rules with the 1:1 so that only the specific ports that are required are allowed?

 

If it's forwarding to the wrong IP, then clearly your forward/NAT did not kick in for whatever reason. What does it show in pfctl -sa?

 

rdr on vmx3f0 inet proto udp from any to 24.13.wanIP port = ntp -> 192.168.1.40
rdr on vmx3f0 inet proto tcp from any to 24.13.wanIP port 27179:27180 -> 192.168.2.97
rdr on vmx3f0 inet proto udp from any to 24.13.wanIP port 27179:27180 -> 192.168.2.97
rdr on vmx3f0 inet proto tcp from any to 24.13.wanIP port 27177:27178 -> 192.168.2.98
rdr on vmx3f0 inet proto udp from any to 24.13.wanIP port 27177:27178 -> 192.168.2.98

 

Did you look at /tmp/rules.debug?

 

These are my forwards; not exactly sure what 1:1 would look like in the pfctl output. Compare what your rules are supposed to be with what is actually in play with pfctl. If I had to guess, you missed something, or forgot to hit apply, etc. etc. Can you post up your 1:1 NAT tab, and your WAN firewall tab, etc.?

 

I am on the pfSense board every day, almost as much as I am on here. If you're not getting responses, you're wording your question wrong, or leaving out info. They are not as forgiving of bad posting on there as here ;)

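As an added example (not code from the thread or from pfSense itself), here is a POSIX shell check that does what Budman suggests: it compares the 1:1 mappings you think you configured against the NAT rules pf actually has loaded, reporting each public address as OK, MISMATCH (pf still maps it to the old internal host, the first symptom in the thread) or MISSING (the entry never reached the ruleset, the second symptom). The addresses, interface name and sample pfctl output below are constructed; on a live box you would feed it real `pfctl -sn` output.

```shell
#!/bin/sh
# Compare the 1:1 NAT (binat) mappings a pfSense box is supposed to have
# against the NAT rules pf actually has loaded (pfctl -sn on a live box).

# Expected mappings, one per line: "<public IP> <internal host>".
# Constructed for this example; not any real site's addresses.
EXPECTED='203.0.113.18 192.168.10.105
203.0.113.19 192.168.10.50
203.0.113.25 192.168.10.80
203.0.113.26 192.168.10.81'

# Constructed stand-in for `pfctl -sn` output: .18 still points at the old
# host (.102 instead of .105) and .25/.26 never made it into the ruleset.
SAMPLE_PFCTL='binat on em0 inet from 192.168.10.102 to any -> 203.0.113.18
binat on em0 inet from 192.168.10.50 to any -> 203.0.113.19
rdr on em0 inet proto tcp from any to 203.0.113.19 port = https -> 192.168.10.50'

# check_binat "<expected mappings>" "<pfctl -sn output>"
# Prints one line per expected mapping (OK / MISMATCH / MISSING) and
# returns 0 only when every expected mapping is active in pf.
check_binat() {
    rc=0
    while read -r external internal; do
        [ -z "$external" ] && continue
        # Field layout of a binat line as pfctl prints it:
        #   binat on em0 inet from <internal> to any -> <public>
        # so the internal host is field 6 and the public address is last.
        actual=$(printf '%s\n' "$2" \
            | awk -v ext="$external" '$1=="binat" && $NF==ext {print $6; exit}')
        if [ -z "$actual" ]; then
            echo "MISSING  $external -> $internal"; rc=1
        elif [ "$actual" != "$internal" ]; then
            echo "MISMATCH $external -> $actual (expected $internal)"; rc=1
        else
            echo "OK       $external -> $internal"
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Stand-alone run against the constructed sample data.
check_binat "$EXPECTED" "$SAMPLE_PFCTL" \
    || echo "one or more 1:1 mappings are not active in pf; check /tmp/rules.debug"
```

On a real firewall, replace the sample with `pfctl -sn` output captured into a variable or file and keep EXPECTED in sync with the 1:1 NAT tab; a MISSING or MISMATCH line tells you the GUI state and the loaded ruleset have diverged before you reach for a reboot.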

Budman,

 

Thanks for the reply. I didn't know about pfctl, pretty handy.

 

Here's what I got from the command:

 

binat on em0 inet from 192.xxx.xxx.50 to any -> 12.xxx.xxx.19
binat on em0 inet from 192.xxx.xxx.52 to any -> 12.xxx.xxx.20
binat on em0 inet from 192.xxx.xxx.63 to any -> 12.xxx.xxx.21
binat on em0 inet from 192.xxx.xxx.53 to any -> 12.xxx.xxx.22
binat on em0 inet from 192.xxx.xxx.80 to any -> 12.xxx.xxx.23
binat on em0 inet from 192.xxx.xxx.55 to any -> 12.xxx.xxx.24

 

 

It's not even registering the 1:1 for .25 or .26 that I just added, applied and reloaded. What could be the reason for this?


Well, there you go; that explains why it's not working if it's not showing in pfctl..

Why it didn't take I don't know, maybe a bug.. Why are you on 2.1.2? 2.1.5 has been out for quite some time.

I would first update to 2.1.5, which is current until 2.2 releases -- I think pretty soon. Maybe xmas present ;)

I would post on their boards, showing your 1:1 nat tab, and in pfctl you don't see it, and what does rules.debug show? Did you try just redoing the 1:1?

So how do you have your 1:1 setup - can you post the setting that is working, are you using a /32 mask for each one? From my understanding the mask of the internal side will be applied to the external, etc.

I would have to lab this to try and duplicate since I don't have multiple publics to play with on my pfsense setup.



 

So I just updated, and now none of the virtual IPs are showing up in pfctl -sa and all of the virtual IPs are going to the firewall's page externally.

 

The 1:1 setup and rules are the same. This setup worked for me before and was the recommended way I saw on the internet / pfSense forums. I have this same setup working at a different site perfectly fine. I have not updated that firewall yet and definitely don't plan on it.

 

Can you please help. What I'm looking to do is have each virtual IP only have specific ports open. Each virtual IP goes to a different server, so I only want certain ports on those servers available to the public.

 

I tried initially doing a NAT > port forward and that didn't work, but the virtual IPs worked great.


Update:

Just deleted all of the rules and still have external access to the firewall. Tried to clear the states and apparently there are no states at all....

 

Looks like I have the pleasure of going to factory defaults, and if that doesn't work I'm definitely going to have to reimage.


I was able to run to work last night, reset to factory defaults and fix all my problems. After that I had to hand configure everything but I was able to do some "spring cleaning" so that was nice.

The backup wouldn't work because it was corrupted. Anyway, never seen this before, but it's resolved.

Thanks for your help, guys. Budman, I'm still interested in how you would set this up. The objective is to get external access to many different internal servers hosting different things. For me virtual IPs work great.


I agree VIPs work fine, but why would you do 1:1 NAT? Do you have firewall rules to only allow the ports you need?

A better setup would be if the IPs you were working with were just routed to your pfSense; then you could put that segment behind pfSense without any NAT and just firewall for what you want to allow.

