@elkim
bgroup0 is set to NAT mode. I also tried it with policy; that does not change anything.
@echidov
Interesting idea, but no change 😞
I have now tried almost every ALG, no change.
This is what the policy log looks like:
(the last hit was another IRC server).
The mystery is: from the firewall itself I can telnet to the IRC server 194.124.229.59 on port 6667. So something must be wrong with how the NAT is applied.
2011-10-03 09:52:44 10.11.204.200:11389 66.225.225.66:6667 12.213.32.68:1194 66.225.225.66:6667 IRC 20 sec. 770 749 Close - TCP FIN
2011-10-03 09:51:58 10.11.204.200:11360 194.124.229.59:6667 12.123.32.68:2772 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:50:56 10.11.204.200:11330 194.124.229.59:6667 12.213.32.68:1813 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:49:58 10.11.204.200:11295 194.124.229.59:6667 12.213.32.68:2430 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:47:25 10.11.204.200:11242 194.124.229.59:6667 12.213.32.68:2300 194.124.229.59:6667 IRC 18 sec. 198 0 Close - AGE OUT
2011-10-03 09:46:45 10.11.204.200:11223 194.124.229.59:6667 12.213.32.68:1074 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:44:25 10.11.204.200:11162 194.124.229.59:6667 12.213.32.68:2955 194.124.229.59:6667 IRC 20 sec. 198 0 Close - AGE OUT
2011-10-03 09:43:23 10.11.204.200:11129 194.124.229.59:6667 12.213.32.68:2670 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:40:15 10.11.204.200:12081 194.124.229.59:6667 12.213.32.68:1272 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:39:29 10.11.204.200:12052 194.124.229.59:6667 12.213.32.68:2756 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:37:49 10.11.204.200:11972 194.124.229.59:6667 12.213.32.68:2719 194.124.229.59:6667 IRC 23 sec. 198 0 Close - AGE OUT
I believe that the source ports (below 10,000) are the problem. When testing behind other BSD-based firewalls, for example, I get NAT sessions above 50,000:
172.20.1.105:55974 -> 12.123.2.254:48160 -> 194.124.229.59:6667
This is just a random example; this problem has never occurred with any other NAT device.
If this is the issue, is there any way to "force" the NAT to use higher ports?
An extreme way could be to reserve all ports up to 10,000 with a VIP.
|edit| I tried this now and wanted to add a custom service with destination ports 1024-12,000. This did not work; error: "insufficient virtual ports in pool [...] 57 available". So this is not an option.
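As an added example (not code from the original post or from the firewall vendor), here is a small Python 3 triage of the session log lines quoted in the post. It separates flows that completed (data came back, closed by TCP FIN) from flows that silently aged out (nothing received), and reports the range of translated source ports so the "low NAT ports" hypothesis can be checked against the data. The column layout is inferred from the lines themselves, since the post does not label the columns; treating the two numeric counters as bytes sent and bytes received is an assumption, and `low_port_limit` is a hypothetical parameter.

```python
import re
from dataclasses import dataclass

# Session log lines copied from the post above: one completed session to
# 66.225.225.66 and ten timed-out sessions to 194.124.229.59.
LOG = """\
2011-10-03 09:52:44 10.11.204.200:11389 66.225.225.66:6667 12.213.32.68:1194 66.225.225.66:6667 IRC 20 sec. 770 749 Close - TCP FIN
2011-10-03 09:51:58 10.11.204.200:11360 194.124.229.59:6667 12.123.32.68:2772 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:50:56 10.11.204.200:11330 194.124.229.59:6667 12.213.32.68:1813 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:49:58 10.11.204.200:11295 194.124.229.59:6667 12.213.32.68:2430 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:47:25 10.11.204.200:11242 194.124.229.59:6667 12.213.32.68:2300 194.124.229.59:6667 IRC 18 sec. 198 0 Close - AGE OUT
2011-10-03 09:46:45 10.11.204.200:11223 194.124.229.59:6667 12.213.32.68:1074 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:44:25 10.11.204.200:11162 194.124.229.59:6667 12.213.32.68:2955 194.124.229.59:6667 IRC 20 sec. 198 0 Close - AGE OUT
2011-10-03 09:43:23 10.11.204.200:11129 194.124.229.59:6667 12.213.32.68:2670 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:40:15 10.11.204.200:12081 194.124.229.59:6667 12.213.32.68:1272 194.124.229.59:6667 IRC 21 sec. 198 0 Close - AGE OUT
2011-10-03 09:39:29 10.11.204.200:12052 194.124.229.59:6667 12.213.32.68:2756 194.124.229.59:6667 IRC 22 sec. 198 0 Close - AGE OUT
2011-10-03 09:37:49 10.11.204.200:11972 194.124.229.59:6667 12.213.32.68:2719 194.124.229.59:6667 IRC 23 sec. 198 0 Close - AGE OUT
"""

# Column layout assumed from the lines (the post does not label them):
# timestamp, original src, original dst, translated src, translated dst,
# application, duration, two counters (assumed bytes sent / received),
# and the close reason after "Close - ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<nat_src>\S+) (?P<nat_dst>\S+) "
    r"(?P<app>\S+) (?P<dur>\d+) sec\. (?P<sent>\d+) (?P<recv>\d+) "
    r"Close - (?P<reason>.+?)\s*$"
)


@dataclass
class Session:
    ts: str
    src: str
    dst: str
    nat_src: str
    nat_dst: str
    app: str
    dur_s: int
    sent: int
    recv: int
    reason: str

    @property
    def nat_port(self) -> int:
        """Translated (post-NAT) source port."""
        return int(self.nat_src.rsplit(":", 1)[1])

    @property
    def completed(self) -> bool:
        """Data came back and the flow closed cleanly."""
        return self.recv > 0 and self.reason == "TCP FIN"

    @property
    def silent_timeout(self) -> bool:
        """Nothing ever came back and the firewall aged the flow out: the
        signature of a SYN whose reply never arrived (or was not translated
        back to the client)."""
        return self.recv == 0 and self.reason == "AGE OUT"


def parse_line(line: str) -> Session:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    g = m.groupdict()
    return Session(g["ts"], g["src"], g["dst"], g["nat_src"], g["nat_dst"],
                   g["app"], int(g["dur"]), int(g["sent"]), int(g["recv"]),
                   g["reason"])


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(sessions: list, low_port_limit: int = 10000) -> dict:
    """Summarise working vs. silently failing flows and the translated
    source-port range, so the post's hypothesis (translated ports below
    `low_port_limit` are the problem) can be compared with the data."""
    ok = [s for s in sessions if s.completed]
    dead = [s for s in sessions if s.silent_timeout]
    ports = sorted(s.nat_port for s in sessions)
    return {
        "total": len(sessions),
        "completed": len(ok),
        "silent_timeout": len(dead),
        "other": len(sessions) - len(ok) - len(dead),
        "working_destinations": sorted({s.dst for s in ok}),
        "failing_destinations": sorted({s.dst for s in dead}),
        "nat_port_min": ports[0],
        "nat_port_max": ports[-1],
        "all_nat_ports_low": ports[-1] < low_port_limit,
        "completed_nat_ports": sorted(s.nat_port for s in ok),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(LOG)).items():
        print(f"{key}: {value}")
```

What the run shows on these lines: every translated source port sits in the 1074 to 2955 range, well below 10,000, which matches the observation in the post. It also shows that the one session that completed (to 66.225.225.66, port 1194) used a port in that same low range, so the port range by itself does not separate the working flow from the failing ones; the failures are all to 194.124.229.59 with 198 bytes out and nothing back. When reproducing this, capture on the outside interface of the firewall to see whether the SYN leaves with the translated port and whether a SYN/ACK comes back for that port.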