
Author Topic: NAT/Port forwarding totally broken?  (Read 2324 times)

Ben Garrison

  • Newbie
NAT/Port forwarding totally broken?
« on: February 19, 2016, 04:13:16 PM »
Tried to forward some ports to make a server visible from the outside and it isn't working no matter what.

NAT settings are good, firewall rules ok.

Tried the latest stable version. Could this be fixed in the beta/snapshot?

I will wipe the config since I upgraded from the last m0n0wall release and post results, but it could be a bug in the t1n1wall release.

gderf

  • Administrator
  • Newbie
Re: NAT/Port forwarding totally broken?
« Reply #1 on: February 21, 2016, 08:53:31 PM »
You'd have to be a lot more specific about your use case.


I have quite a few port forwards with corresponding rules and they all work.


If this was a generic bug in t1n1wall, it would have been heavily reported by now.


There are other possible explanations, none of which would involve the firewall, but guesswork is not something that is encouraged here.


andywhite

  • Administrator
  • Full Member
Re: NAT/Port forwarding totally broken?
« Reply #2 on: February 24, 2016, 09:30:09 AM »
I don't see any reports of this, and I too have plenty working. Please add more data.

Gilgamoth

  • Newbie
Re: NAT/Port forwarding totally broken?
« Reply #3 on: February 29, 2016, 08:44:26 AM »
I've just logged a bug, which I think may be related to this. Over the weekend I did an in-place upgrade from 1.8.2b78 to 1.10.2b95 (x86).
The upgrade went fine, however my overnight rsync backup from my web hosting site started generating errors:
rsync: failed to connect to site.domain.co.uk (1.2.3.4): Connection timed out (110)
rsync error: error in socket IO (code 10) at clientserver.c(122) [sender=3.0.9]

I'd been having some problems with my ISP, so after some line tests and a couple of reboots it still generated errors. I downgraded back to 1.8.2b78 this morning and now rsync succeeds with no errors.

It's a VMware virtual installation
1 vCPU
256Mb RAM
3 Flexible vNICs
Let me know if you need any further diagnostics performing.

Also, I have a monitoring script that polls the NAT'd ports from the internet to see if the servers are awake behind the T1n1wall, and that randomly reported servers down when running 1.10, but is back to working fine under 1.8

andywhite

  • Administrator
  • Full Member
Re: NAT/Port forwarding totally broken?
« Reply #4 on: February 29, 2016, 10:33:06 AM »
Hi, your problem reads differently, in that it works sometimes and not others. Original reporter can't get it to work at all ...

Just an FYI, the 1.10.x release is based on FreeBSD 10. FreeBSD, while having a lot of changes, also is on ipfilter 5. Why am I calling this out? There was/is a bug in IPv6 stateful inspection; this took >2 months to figure out the issue, working with the ipfilter maintainer. It turned out to be a FreeBSD 10 change with packet checksums, and not an ipfilter 5 problem. It was very frustrating :( pf didn't have the problem, as pf doesn't check checksums like ipfilter, which made us look at ipfilter for too long ...

There are mixed reports of ipnat issues in FreeBSD 10 / ipfilter combinations, but none with any real data to help track down the issue. They are mostly about ipnat having problems after several days, and a reboot fixing it. I experienced this intermittently, but haven't since patching for the IPv6 issue several months ago.

I use t1n1wall 1.10.x at home on ALIX, behind a cable modem, and don't see these issues. I have plenty of ports forwarded, and I have nightly backups to the internet that don't fail.

What does all this mean? I'm going to need your help to track this down and troubleshoot, and your patience.

Gilgamoth

  • Newbie
Re: NAT/Port forwarding totally broken?
« Reply #5 on: February 29, 2016, 10:47:54 AM »
Hi Andy,
Sorry, I misread the OP, yes mine is intermittent.

What you described above corresponds with some of the issues I've been seeing over the weekend where there was intermittent packet loss and the webgui was unresponsive until the FW was rebooted.

I've updated the SF Bug Report with some additional details, but one thought I've just had: I wonder if this is RAM size related? I'd been looking at some of the ALIX and MiniITX implementations of T1n1wall and Smallwall, and they have a couple of GB of RAM, whereas my VM has 256Mb. I wonder if this causes the issue to present sooner? 1.8 shows about 2% CPU usage and 15% RAM usage, even during an rsync backup.

Anyway, whatever I can do to help I will, including providing a copy of the config or even a copy of the VM.

Ben Garrison

  • Newbie
Re: NAT/Port forwarding totally broken?
« Reply #6 on: March 01, 2016, 02:28:52 PM »
I will be doing a 1.10 snapshot fresh install tonight.

I will let you know the results!