1-1 NAT randomly stops working (Cloudflare BOVPN)

I was tasked with setting up 2 virtual interfaces that connect to Cloudflare's VPN for a financial institution. I got the configuration from Cloudflare, and got the tunnels up and running. I created 1:1 NAT rules that function in the tunnel and all of that works great. I can ping the web server across the tunnel and RDP to it no problem. The second interface is only for redundancy, and in that Virtual Interface configuration the route has a metric of 2.

The strange thing is, some hosts can't load the HTTPS web portal for that same server. You can ping, RDP, even connect over HTTP, but HTTPS will not function for half the internal hosts. After banging my head against the wall, I learned that if I change or update the 1:1 NAT rule, every host will be able to access the site..... for a while. After a few hours, the problem hosts become problems again, and will not resolve the site on a browser (though again ping and RDP still work fine).

Does anyone have any idea why I would see this behavior? I never see denied packets in the firewall. Thank you for any insight, I'm going crazy.


Sign In to comment.