Outbound traffic from WAN couldn't access web/mail server in NAT of LAN
-
Could you provide a screenshot of your NAT and Firewall rules?
(done the portforward on LAN interface)
This is wrong. (ok maybe not wrong but unnecessary)
You create port forwards on the WAN, and if you need the forward from the inside too, enable "NAT reflection".
-
??? I wonder whether the masters could understand the problem that I mentioned above…. Sorry for my poor English; it is hard to express what I wanted to say. I would like to post my network layout. Please refer....
-
What I had achieved with the above network layout (forum.jpg) was that the PC (XP machine) within the LAN was able to access the web hosting (using port forwarding NAT to achieve this, although there was another xyz firewall connected to the same network, the 192.200.9.0 LAN) and web mail, and could access the Internet.
-
Now, the problem I'm facing: assume there is a user PC (XP machine) that would like to access my WebHosting by typing the URL "http://www.bumiasia.com" into the Internet Explorer browser; that user PC was unable to access it. I had made the port forward on the WAN interface as external to the NAT IP of my DNS server. Please view my screenshot of it. Many thanks!!!


-
Enable NAT reflection.
(advanced)
-
Sir, enabling NAT reflection also couldn't solve it. The remote user is still unable to access the server behind pfSense…. ??? ??? Why is it?? Is there still any setting I missed??? :o
-
Have you checked your HTTP port yet?
Try to check it using "grc port scanner".
-
:'( :'( :'( ??? ??? ???
The PC from WAN still couldn't access that web server sitting behind pfSense…. Someone please guide me..... I had logged the packets that the PC from WAN might have passed through pfSense, but somehow I don't know why that remote PC from WAN couldn't access the webserver. My server port is 8888. Please refer to the picture below. Thank you very much!!!
-
According to an nmap scan on pfSense itself, I noticed the pfSense firewall had not opened port 8888 yet, am I correct? Please look at the nmap scan report below.
Interesting ports on pfsense.local (192.200.9.7):
Not shown: 1694 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 30.299 seconds
-
Likewise here, I had a problem opening my ports 6112-6119, but somewhere in this forum someone suggested using the "Outbound" option at NAT, clicking "Manual.. (advance..)" and clicking SAVE; pfSense will generate a list of entries, then click Apply.
In my case, voilà, it opened my ports after this.
HTH
-cruzades
-
I'd done what you instructed, enabled manual…(advance).... yet still the remote PC couldn't access it and the port 888 is not opened.
No luck at all ??? >:(
-
zzzz…... no one could answer me.... :'(
I think the problem might be the XYZ firewall attached to the LAN. The XYZ firewall had blocked the traffic that tried to access web server:888.
What do you guys (masters) say??
-
Your clients/server behind pfSense don't happen to have this other firewall as default gateway, do they?
(What is it doing there anyway?)
-
Actually, the XYZ firewall is currently in use and I want to replace it with pfSense in future because XYZ provides limited features, and one day the XYZ firewall will be removed…..
I'm sorry, I don't get you. Are you asking whether the client/server do not have pfSense, instead of the XYZ firewall, as their default gateway? Is that what you were saying? Hmmm... I'll check it. :o Thank you!!
-
In your diagram I see you have a private IP on your WAN interface and a public IP on your LAN. Did you configure your network in this way for a particular reason?
If so, how is Interfaces/WAN/Block Private Networks set?
Saludos.
Miguel Ángel Araujo
México
-
Dear maaraujo, by default, Interfaces/WAN/Block Private Networks was checked…. Does it block traffic from WAN to LAN? I hope not.
Hmm, I checked those servers. Indeed, those servers' default gateway was not set to the pfSense box. Do I need to set their default gateway to the pfSense box? I heard one of my friends say that it is not necessary to set those servers' default gateway to the pfSense box. He said installing a proxy server on the pfSense box would solve the default gateway issue. Is what he said correct???? Need advice..... ??? ???
-
jamesseen,
I couldn't resolve www.bumiasia.com. How are you testing?
Saludos.
-
Thank you, maaraujo….
Unfortunately, at the moment I still don't have the "authority" to modify any setting on the server. I have to wait for my superior officer to make those settings on the server (set the default gateway to the pfSense box instead of the XYZ firewall).
I'll let you guys know the latest update soon....
-
Dear gurus…. one question: if I set the default gateway to the pfSense firewall, all of the response traffic would go to the pfSense box, which is not suitable. I would like to ask whether it is possible to make WAN traffic arriving from the pfSense box at the web/mail server reply back to pfSense, and WAN traffic arriving from the XYZ firewall at the web/mail server reply back to the XYZ firewall???? Please refer again to the network diagram below.
For your information, XYZ has a reverse proxy.... Thank you so much!!!! ::)
-
Not really possible. Sorry.
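
The default-gateway question raised in this thread can be checked with a small route-lookup model. This is an added example, not part of the thread or of pfSense: it shows which next hop the web server picks for its reply to a port-forwarded connection. The 192.200.9.0 LAN and 192.200.9.7 are from the posts; the /24 mask, the XYZ address and the WAN client address are assumptions.

```python
import ipaddress

# 192.200.9.0 (LAN) and 192.200.9.7 (pfSense) come from the thread; the /24
# mask, the XYZ address and the WAN client address are constructed values.
LAN = ipaddress.ip_network("192.200.9.0/24")
PFSENSE_LAN = ipaddress.ip_address("192.200.9.7")
XYZ_LAN = ipaddress.ip_address("192.200.9.1")
WAN_CLIENT = ipaddress.ip_address("203.0.113.50")


def next_hop(routes, dst):
    """Longest-prefix match. A gateway of None means dst is on-link."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return dst if gw is None else gw


def reply_returns_via_pfsense(server_default_gw, source_seen_by_server):
    """Where does the web server send its SYN-ACK for a forwarded connection?

    pfSense created the NAT/firewall state, so only a reply handed back to
    pfSense is translated and delivered to the WAN client.
    """
    server_routes = [
        (LAN, None),
        (ipaddress.ip_network("0.0.0.0/0"), server_default_gw),
    ]
    return next_hop(server_routes, source_seen_by_server) == PFSENSE_LAN


def scenarios():
    return {
        # Port forward rewrites only the destination; server still uses XYZ.
        "forward, gw=XYZ": reply_returns_via_pfsense(XYZ_LAN, WAN_CLIENT),
        # Same forward after the server's default gateway is moved to pfSense.
        "forward, gw=pfSense": reply_returns_via_pfsense(PFSENSE_LAN, WAN_CLIENT),
        # pfSense also rewrites the source to its LAN address (source NAT or a
        # proxy on pfSense): the peer is on-link, so the gateway is irrelevant.
        "proxied, gw=XYZ": reply_returns_via_pfsense(XYZ_LAN, PFSENSE_LAN),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22} reply returns via pfSense: {ok}")
```

In the third case the server's logs show the pfSense LAN address as the client rather than the real WAN address.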