[pfSense] info outbound NAT and ICMP traffic

Hi there,

I am sorry for posting a question regarding pfSense, but since it is based on FreeBSD and I have not received any reply from the pfSense forum, I thought it might be a good idea to post the same question here.

I have been struggling trying to understand why ICMP traffic is not working anymore since I removed the outbound NAT on my pfSense box. (Firewall-NAT-Outbound tab-Manual Outbound NAT rule generation)

My setup is fairly simple:

http://img804.imageshack.us/img804/6351/52871307.jpg

On a default setup (NAT enabled for outbound on pfSense), HOST1 could access HOST2 via ICMP, TCP and UDP, no problem. Then I realized that I didn't need two NATs (on pfSense and on the gateway, which is my provider's modem/router), so I removed the outbound NAT on PF, keeping the firewall function though (which is where pfSense does the magic).

Now, I have added a default route on HOST2 and gateway so they are aware of the LAN network (for returning packets), so far so good. I can access HOST2 via TCP and UDP, but not via ICMP.

By doing some analysis using tcpdump I found that:
  1. on pfSense WAN and LAN I can see echo requests going FROM HOST1 to HOST2 (but not coming back)
  2. on HOST2 I can see echo requests and echo replies going to HOST1
But somewhere in between the packet gets dropped (I assume before entering the WAN on pfSense). Again, with TCP and UDP it's fine, so I presume it must be some settings related to the protocol type.

Configuration-wise:

1) The LAN can access everything, and traffic established from WAN to LAN is permitted only for a few ports, but since this traffic originated from the LAN the packets should be granted access to the LAN.

Funny thing is that pinging the gateway works fine instead. (It's worth saying that the gateway is the default gateway for pfSense.)

Do you guys have an idea?

Thanks in advance.
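The tcpdump comparison described in the post (echo requests visible on the pfSense LAN and WAN interfaces, requests and replies visible on HOST2) can be made systematic by pairing each echo request with its reply by ICMP id and sequence number at every capture point and reporting the first hop along the return path where replies disappear. The following script is an added example and is not code from the original post or from pfSense; the capture lines, addresses (HOST1 = 192.168.1.10, HOST2 = 203.0.113.5), ids and sequence numbers are constructed to mirror the scenario, and the path order passed to `first_drop_point` is an assumption about the topology.

```python
"""Correlate ICMP echo requests/replies across several tcpdump captures.

Constructed example: the lines below imitate `tcpdump -n -i <if> icmp`
output for the post's scenario. HOST1 (192.168.1.10) pings HOST2
(203.0.113.5). On HOST2 both requests and replies are seen; on the
pfSense WAN and LAN captures only requests appear. Addresses, ids and
sequence numbers are assumptions, not data from the original post.
"""
import re
from collections import defaultdict

# Standard tcpdump -n rendering of an ICMP echo line.
ECHO_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture points, keyed by where tcpdump was run.
CAPTURES = {
    "host2": [
        "10:00:01.000100 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 1, length 64",
        "10:00:01.000250 IP 203.0.113.5 > 192.168.1.10: ICMP echo reply, id 1234, seq 1, length 64",
        "10:00:02.000100 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 2, length 64",
        "10:00:02.000250 IP 203.0.113.5 > 192.168.1.10: ICMP echo reply, id 1234, seq 2, length 64",
    ],
    "pfsense_wan": [
        "10:00:01.000050 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 1, length 64",
        "10:00:02.000050 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 2, length 64",
    ],
    "pfsense_lan": [
        "10:00:01.000010 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 1, length 64",
        "10:00:01.000020 IP 192.168.1.10 > 192.168.1.1: ICMP echo request, id 4321, seq 1, length 64",
        "10:00:01.000030 IP 192.168.1.1 > 192.168.1.10: ICMP echo reply, id 4321, seq 1, length 64",
        "10:00:02.000010 IP 192.168.1.10 > 203.0.113.5: ICMP echo request, id 1234, seq 2, length 64",
    ],
}


def correlate(lines):
    """Map (id, seq) -> {'request': bool, 'reply': bool} for one capture."""
    seen = defaultdict(lambda: {"request": False, "reply": False})
    for line in lines:
        m = ECHO_RE.search(line)
        if not m:
            continue  # not an ICMP echo line; ignore
        key = (int(m["id"]), int(m["seq"]))
        seen[key][m["kind"]] = True
    return dict(seen)


def missing_replies(lines):
    """Sorted (id, seq) pairs that had an echo request but no matching reply."""
    return sorted(k for k, v in correlate(lines).items()
                  if v["request"] and not v["reply"])


def compare_points(captures):
    """For every capture point, list the request/reply pairs that are incomplete."""
    return {name: missing_replies(lines) for name, lines in captures.items()}


def first_drop_point(captures, return_path):
    """Walk the return path (reply source first) and name the first capture
    point where replies are missing; None if every point saw all replies."""
    for point in return_path:
        if missing_replies(captures[point]):
            return point
    return None


if __name__ == "__main__":
    for point, missing in compare_points(CAPTURES).items():
        print(f"{point}: {len(missing)} request(s) without reply {missing}")
    # Assumed path of the reply: HOST2 -> pfSense WAN -> pfSense LAN -> HOST1
    print("replies vanish at:", first_drop_point(
        CAPTURES, ["host2", "pfsense_wan", "pfsense_lan"]))
```

Pairing by id and sequence number (rather than counting packets) also separates the ping to the gateway (id 4321, answered on the LAN side) from the ping to HOST2, so the output matches the post's observation: replies are complete on HOST2 but already absent on the pfSense WAN capture, which places the drop upstream of pfSense rather than in its own rules.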
 