Netgate Discussion Forum

    Port Forwarding ESXi VM no joy !

General pfSense Questions
    27 Posts 2 Posters 2.4k Views
• stephenw10 Netgate Administrator

      Well I would still do the same test: try to connect externally then check the states created in pfSense. Those have to look good before digging any deeper.

      If it is some source address restriction in the server (or something in front of it) then adding an outbound NAT rule on LAN in pfSense will work around that and prove it.

      Steve

• dhenzler @stephenw10

        @stephenw10

is this the rule method...?
Screenshot from 2022-05-18 12-38-07.png

• stephenw10 Netgate Administrator

          No, a firewall matching that would be destination 192.168.15.162, since it applies to traffic after NAT has been applied. And it would have a source set as that could be any external IP.

          But if you just edit the port forward and set 'Filter rule association' to 'Add associated filter rule', which is the default setting, then it will add the correct firewall rule for you.

          Steve

• dhenzler @stephenw10

            @stephenw10

Ok did that... as well played with ESXi's passthrough feature. Thought I'd set two of the 4 NICs up as real hardware. Unfortunately they are still NOT considered as external. Been looking to see if there's a path to make them actually external.

This is SO frustrating. I'm Network literate enough to know enough to get by, but things like this require a LOT of reading to configure and benefit from.

SR-IOV doesn't work with this hardware... perhaps if I looked for a more recent driver. What's strange to me is that the server NICs are the path to the LAN for everything else. But blocked for BSD... Strange !

• stephenw10 Netgate Administrator

              Are you at least seeing the correct state created on WAN and LAN in pfSense when you try to connect?

• dhenzler @stephenw10

                @stephenw10

                I'm not sure I'd know the correct state if it fell on me !
Wish the ESXi NIC thing would have worked. I can by the way ping out from BSD, and see the response... so that says something. I guess I could try firing up Wireshark.

• dhenzler @stephenw10

                  @stephenw10
New info may shed some light on a solution...
Screenshot from 2022-05-19 00-45-14.png

                  https://www.intel.com/content/www/us/en/support/articles/000005722/ethernet-products.html

Frequently Asked Questions for SR-IOV on Intel® Ethernet Server...

                  I'm going to follow up on this path for a bit...

• stephenw10 Netgate Administrator

                    If you have a port forward like this:
                    Screenshot from 2022-05-19 12-50-56.png

                    And you try to connect to it from the WAN side you should see states like this:
                    Screenshot from 2022-05-19 12-52-08.png

                    There are no replies shown there because there is no server at 192.168.22.87 listening on port 5555. But the traffic is still NAT'd and routed as expected with states on both WAN and LAN.

                    Steve

• dhenzler @stephenw10

                      @stephenw10
                      This is what I got...
                      states_test.png

• stephenw10 Netgate Administrator

                        You are testing from inside the network, the source IP is 192.168.15.39.

                        You have to test from outside the network to hit a port forward on WAN. If you need that to work from the LAN side you have to enable NAT reflection. And it looks like you must have done that since it is redirecting but you have not set 'Enable automatic outbound NAT for Reflection' in Sys > Adv > Firewall&NAT. And that means the server is replying directly to the client creating an asymmetric route.

                        Enable that or test from an external IP address.

                        Steve

• dhenzler @stephenw10

                          @stephenw10
                          states_test.png
                          my server isn't on 240...? 240 is the ring doorbell...

• stephenw10 Netgate Administrator

                            Ok, then the wrong port forward rule is catching it. Possibly a 1:1 rule but port forwards override those if they match.

Let's see your port forwards.

                            Steve

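As an added example (not code from the thread or from pfSense), the Python check below applies the state-table tests Steve describes in this thread to constructed rows shaped like the Diagnostics > States view: it flags a test coming from a LAN source (reflection without the automatic outbound NAT), a forward that lands on the wrong host (rule order), and a WAN state with no LAN counterpart. The LAN subnet, the server address, the port and the public addresses are assumed.

```python
import ipaddress

# Constructed state rows in the shape of pfSense Diagnostics > States:
# (interface, protocol, source, destination, post-NAT destination or None).
# Public addresses are made up for this example; the subnet/server/port are assumed.
LAN_NET = ipaddress.ip_network("192.168.15.0/24")  # assumed LAN subnet
SERVER = "192.168.15.162"                           # assumed server VM
PORT = 5555                                         # assumed forwarded port

GOOD = [  # external client hits WAN, pfSense NATs it to the server, LAN state appears
    ("WAN", "tcp", "198.51.100.10:51234", "203.0.113.5:5555", "192.168.15.162:5555"),
    ("LAN", "tcp", "198.51.100.10:51234", "192.168.15.162:5555", None),
]
INSIDE = [  # LAN client using the public IP: reflection without outbound NAT for reflection
    ("LAN", "tcp", "192.168.15.39:40000", "203.0.113.5:5555", "192.168.15.162:5555"),
]
WRONG_RULE = [  # an earlier, broader port forward sends the traffic to another host
    ("WAN", "tcp", "198.51.100.10:51235", "203.0.113.5:5555", "192.168.15.240:5555"),
]

def host(addr):
    return addr.rsplit(":", 1)[0]

def port(addr):
    return int(addr.rsplit(":", 1)[1])

def check_forward(states, server=SERVER, fwd_port=PORT, lan_net=LAN_NET):
    """Return a list of findings; an empty list means the forward looks healthy."""
    findings = []
    # Only states that were actually translated by a port forward on the target port.
    hits = [s for s in states if port(s[3]) == fwd_port and s[4] is not None]
    if not hits:
        return ["no state for the forwarded port: traffic never reached the port forward"]
    for iface, proto, src, dst, nat_dst in hits:
        if ipaddress.ip_address(host(src)) in lan_net:
            findings.append(f"{src} is a LAN address: test from outside, or enable "
                            "automatic outbound NAT for reflection to avoid an asymmetric route")
        if host(nat_dst) != server:
            findings.append(f"forward sent {src} to {host(nat_dst)} instead of {server}: "
                            "check port forward rule order")
        # A healthy forward shows the same connection again on the inside interface.
        lan_state = any(s[0] != "WAN" and s[2] == src and s[3] == nat_dst for s in states)
        if iface == "WAN" and not lan_state:
            findings.append(f"WAN state for {src} has no matching LAN state")
    return findings
```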
• dhenzler @stephenw10

                              @stephenw10
Changed the order, put doorbell last...
                              states_test.png

• dhenzler @dhenzler

                                @dhenzler

                                Thank you for your perseverance... It restores my faith in use of support forums.

                                BSD is way quicker than using Linux Mint Apache... now to see if I have VHosts set up properly I'll have to move it over to port 80 and call up a website...

• dhenzler @dhenzler

                                  @dhenzler

                                  Woo Hoo... it works !

• dhenzler @dhenzler

                                    @dhenzler

                                    One of my old websites... no longer in business

                                    nc_test.png

• dhenzler @dhenzler

                                      @dhenzler

                                      Many thanks Steve for all of your assistance. Wouldn't have ever found the rule order issue if it wasn't for you...

• stephenw10 Netgate Administrator

                                        No worries, glad you got it working. 👍

• dhenzler @stephenw10

                                          @stephenw10

                                          I have dropped out of many groups because members reply with a redirection in effort instead of working a problem. One fellow asked why I wasn't using a VPN to access my web content. I explained that the purpose of the website was for public use, not private. Or one fellow suggested I change from ESXi to ProxMox... Naw... too complicated for my purposes, and it means starting over from ground up.

I have enjoyed pfSense and need to be sure I've got it set up to give me maximum protection. One fella said Port Forwarding was risky as it opens you up to hackers. Well yeah, I knew the apps would be at risk. That's why I use ESXi, and backup my VMs. Get hacked... dump and replace...

                                          My next job is to configure the email blocking that is provided under "feeds".

                                          Thank you Steve

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.