  1. #1
    Master Untangler
    Join Date
    May 2008
    Posts
    104

    Untangle Static Route (NAT?) Issue

    Hi All.

    Had a problem spring up overnight, and can't for the life of me figure out why this is occurring. Nothing has changed as far as our networking is concerned, so this one has me baffled.

    Two Subnets: 10.8.11.0 HQ
    10.8.10.0 Remote

    Untangle is at 10.8.11.1. A static route is defined on untangle that forwards packets destined for 10.8.10.0 to route through 10.8.11.254 (pfsense).

    The issue that's occurring is that computers in the HQ LAN that have NAT policies (outbound) cannot ping anything on the remote subnet.

    For Instance:

    10.8.11.4 (mail server) cannot ping 10.8.10.1. The mail server has a NAT policy defined for outgoing traffic to a public IP address.

    The problem is, Untangle is sending the PUBLIC IP ADDRESS (NAT) to the 10.8.11.254 router, rather than its LAN IP address.

    So, instead of the remote end seeing "mailserv.outinternaldomain.com (10.8.11.4)", the remote is seeing "mail.ourrealdomain.com (66.x.x.x.x)".

    Why would this suddenly change? And how do I fix it?

    The only thing I could think of is that last night I did some server maintenance which required a reboot. If I had the route defined on that server (didn't make it persistent), then I could see where this would be an issue. However, I don't remember applying the static route directly to this server.

    I thought about changing the subnet mask in untangle to 255.255.254.0, so that both the 10.8.10.0 and 10.8.11.0 would be considered "local" to Untangle; but not sure if that would break my routing. Shouldn't untangle only NAT outgoing traffic if it's destined for the external interface?
    Last edited by bryandj23; 01-22-2010 at 08:53 AM.

  2. #2
    Master Untangler
    Join Date
    May 2008
    Posts
    104

    Ok. How about this?

    Can someone either confirm whether or not outgoing NAT applies to packets going out ANY interface, or SHOULD it only NAT going out the EXTERNAL interface?

    I would think it should only NAT on the external interface.

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,543

    NAT policies are defined on the interface facing the internal network, not the external interface involved. It will NAT packets based on the source IP address against the destination address provided in the policy.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Master Untangler
    Join Date
    May 2008
    Posts
    104

    Skynight...

    That's what I thought; so would you agree that what I'm seeing is correct by design?

    i.e.:

    A packet destined for a remote network (on a different router) gets sent BOTH the internal IP address AND the NAT rule?

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,543

    Yes... and no...

    There is an option in config -> networking -> advanced -> general that says "NAT only WAN traffic"

    If that option isn't enabled, all packets landing on Untangle will be subject to NAT translation regardless of NAT policy. If a policy doesn't match the packet, untangle will simply drop it. If a policy does match it, it's NAT'd.

    This will cause issues if you're trying to create internal IP spaces that you need Untangle to route, but not NAT.

    The NAT policy is never "sent" anywhere, it just configures an internal IP range that will be translated to a WAN address.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
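
The behaviour described in post #5, modelled with the thread's addresses. This is an added example, not part of the original thread and not Untangle's own code. The function names, the /24 masks, the `internal`/`external` interface labels and the placeholder public address 203.0.113.25 are assumptions, as is treating WAN-bound traffic the same way whether or not the option is enabled.

```python
import ipaddress

# Constructed topology from the thread; 203.0.113.25 is a documentation-range
# placeholder for the mail server's public address (elided in the post).
ROUTES = [  # (destination network, egress interface); /24 masks are assumed
    (ipaddress.ip_network("10.8.11.0/24"), "internal"),
    (ipaddress.ip_network("10.8.10.0/24"), "internal"),  # static route via 10.8.11.254
    (ipaddress.ip_network("0.0.0.0/0"), "external"),
]
NAT_POLICIES = [  # (internal source range, translated WAN address)
    (ipaddress.ip_network("10.8.11.4/32"), "203.0.113.25"),
]

def egress_interface(dst):
    """Pick the egress interface by longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forward(src, dst, nat_only_wan):
    """Return (action, source address the next hop sees)."""
    ifc = egress_interface(dst)
    # Option enabled: traffic leaving a non-WAN interface is routed untranslated.
    if nat_only_wan and ifc != "external":
        return ("route", src)
    # Otherwise the packet is subject to NAT: a matching policy translates it,
    # and a packet matching no policy is dropped (as post #5 describes).
    for net, wan_addr in NAT_POLICIES:
        if ipaddress.ip_address(src) in net:
            return ("nat", wan_addr)
    return ("drop", None)

def demo():
    # 10.8.11.50 is a constructed host with no NAT policy; 198.51.100.7 is a
    # constructed Internet destination.
    flows = [("10.8.11.4", "10.8.10.1"), ("10.8.11.50", "10.8.10.1"),
             ("10.8.11.4", "198.51.100.7")]
    for flag in (False, True):
        for src, dst in flows:
            print(f"nat_only_wan={flag} {src} -> {dst}: {forward(src, dst, flag)}")

if __name__ == "__main__":
    demo()
```

With the option off, the mail server's ping to 10.8.10.1 reaches the 10.8.11.254 router with the public source address, which is the symptom in post #1; with it on, the same packet keeps 10.8.11.4.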
