Netgate Discussion Forum

    Unable to get NAT + Proxy port forward working

    NAT
    • J
      jkiel
      last edited by jkiel

      I have a host on the LAN that also has a separate connection to the WAN, using the gateway on the WAN (not pfsense) as its default.

      There's a port on this host that is only accessible on the LAN interface for it, but I would like to expose via a port forward on pfsense (LAN on pfsense is on the same LAN as the host) with the intention of only allowing access from a handful of source addresses. I can ping the host's LAN ip from pfsense.

      Am I wrong in thinking the NAT + Proxy option in the port forward configuration should allow me to forward, say, port 8091 on pfsense's WAN to port 23 on the host that doesn't use pfsense as its gateway? Everything I try doesn't seem to get it working.

It's an HA pfsense, so I've selected the WAN interface, IPv4, TCP, the WAN CARP IP for destination with 8091 for the destination port. Redirect target is set to the host's IP address and the port (80). NAT reflection set to NAT + Proxy. Attempts to connect to 8091 on the WAN ip from outside the network time out and fail. (I have other port forwards to other hosts that do use pfsense as the gateway, without nat reflection, that work fine.)

      Is there something simple I'm missing here? Is working around this kind of case not the intention of NAT + Proxy?

      • V
        viragomann @jkiel
        last edited by

        @jkiel
        NAT reflection just reflects the NAT rule to other interfaces. This will not make you happy.

        What you intend will only work with masquerading the origin source address, so that the host sees the forwarded packets coming from pfSense LAN IP.
Don't know if this makes you happy. But this is the only option if you don't want to reorganize parts of your network.

        You can do this with an outbound NAT rule. You might already have enabled manual outbound NAT, since it's an HA.
        So add a rule:
        interface: LAN
        protocol: <can be limited>
        source: any
        destination: <host IP>
        dest. port: e.g. 23, whatever you forward to
        translation: LAN CARP VIP (or any VIP hooking up on it)

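The rule viragomann describes, written out as the equivalent pf rules that pfSense would load for a WAN port forward plus a LAN outbound NAT rule. This is an added illustration, not text from the thread or rules from the pfSense project; the interface names (em0 = WAN, em1 = LAN), the WAN CARP VIP 203.0.113.10, the LAN CARP VIP 192.168.1.1, the host 192.168.1.50 and the allowed source addresses are all constructed for the example.

```pf
# WAN = em0, LAN = em1 (constructed names for this example)
# Allowed management sources for the forward (constructed addresses)
table <allowed_mgmt> { 198.51.100.7, 198.51.100.8 }

# Port forward: WAN CARP VIP port 8091 -> host port 23.
# Without anything else, the host replies via its own default gateway
# (not pfSense), so the state on pfSense never completes and clients time out.
rdr on em0 proto tcp from <allowed_mgmt> to 203.0.113.10 port 8091 -> 192.168.1.50 port 23

# Filter rule associated with the forward, limited to the allowed sources.
pass in quick on em0 proto tcp from <allowed_mgmt> to 192.168.1.50 port 23 keep state

# Outbound NAT on LAN (the rule from the answer above): forwarded packets
# leave toward the host with the LAN CARP VIP as source, so the host's
# reply goes back to pfSense regardless of the host's default gateway.
nat on em1 proto tcp from any to 192.168.1.50 port 23 -> 192.168.1.1
```

The cost of this approach is that the host's logs show every forwarded connection as coming from 192.168.1.1 rather than the real client, so source-based access control has to live in the pass rule (the table above) rather than on the host. To confirm the translation is taking effect, watch the LAN side while a client connects, for example `tcpdump -ni em1 host 192.168.1.50 and port 23`: with the outbound rule in place the SYN arrives from 192.168.1.1; without it, it arrives from the client's public address and the host's SYN/ACK leaves through its other gateway.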
        • J
          jkiel @viragomann
          last edited by jkiel

@viragomann Thanks, however, the documentation says:

          from https://docs.netgate.com/pfsense/en/latest/nat/reflection.html

          NAT + Proxy:
          Enables NAT Reflection using a helper program to send packets to the target of the port forward. This is useful in setups where the interface and/or gateway IP address used for communication with the target cannot be accurately determined at the time the rules are loaded. Reflection rules for use with the proxy are not created for ranges larger than 500 ports and will not be used for more than 1000 ports total between all port forwards. This mode does not work with UDP, only with TCP. Because this is a proxy, the source address of the traffic, as seen by the server, is the firewall IP address closest to the server.

          Specifically "Because this is a proxy, the source address of the traffic, as seen by the server, is the firewall IP address closest to the server" makes it sound like it should do what I'm looking for.

          • V
            viragomann @jkiel
            last edited by

            @jkiel
Yes, but this is only true for NAT reflection. And as I stated in my first sentence above, NAT reflection just reflects the NAT rule to other interfaces. So the proxy is only applied to traffic coming from OTHER interfaces, not from WAN, where the real NAT rule is defined.

            Traffic forwarded from WAN still keeps its origin source address.
            Simply sniff the traffic on the LAN to verify this.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.