NAT driving me NUTS!
-
Cheers for the reply. I did come across another thread suggesting unticking that option and gave it a try for myself. Unfortunately it didn't make any difference.
But, I'm going to give pf a fresh install and try again from scratch. I've played with so many options that the install is probably tainted now.
-
Sorry for double post but still no luck I'm afraid. Exactly the same issue as before :(
Firewall allows the traffic through, then NAT just doesn't direct it where it's told :(
EDIT:
I'm not sure if this means anything, but while hunting through the diagnostic tools I saw this in the 'States' section while trying to connect to the webserver:
tcp 192.168.1.80:80 <- 212.69.10.xxx:80 <- 212.69.52.xxx:52457
(the 212.69.52.xxx address is the external ip address of my laptop)
-
Sounds like your firewall rule is the issue.
If you "opened up" port 80 and got the WebGUI, you likely had a destination address of the WAN interface IP, and not the internal IP of the web server.
The firewall rule should allow traffic from * to <web server LAN IP> port 80 (and 443).
Give that a try and see if it helps.
-
At the time I had no NAT set up at all. So I'm guessing in the absence of any NAT rules the Firewall simply opens up the ports and any incoming requests are just served by pfsense (hence me getting the Webgui). I'll post screenshots of my config in a mo
EDIT:
-
OK I'm really clutching at straws now…
To check that it wasn't anything weird to do with both my external and internal IPs having the same subnet, I changed my internal network to 10.x.x.x and set up a server with SSH installed. I did port forwarding and firewall rules for port 22 and STILL no joy. I wasn't able to connect.
This log in States diagnostic looks interesting tho:
tcp 10.0.0.1:22 <- 212.69.10.xxx:22 <- 212.69.52.xxx:53301 CLOSED:SYN_SENT
tcp 212.69.52.xxx:53301 -> 10.0.0.1:22 SYN_SENT:CLOSED
-
Try these steps. Let me know if you still cannot get it working.
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
The only condition that I can see I don't meet is the Gateway for my internal machines being set to the pfsense server. I can't really change these as I will loose connectivity to more important things.
Is there any way I can get round this? I was able to port forward using a Windows Server without any configuration changes to any of my machines.
-
Hmmm. Maybe static routes?
I tried to do just that a long time ago and never got it working. I had to configure my server with pfsense as the default gateway. I hope you can figure it out. I am sure someone on this forum must know.
-
So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
In this case the observed behaviour is how it should be. You could get around this by enabling source NAT on the pfSense.
For the server this essentially means, all traffic coming from the internet would seem as if it's coming from the pfSense.
Thus traffic coming in from the port forward would be replied to the pfSense and not to the default gateway. To enable source NAT:
Enable advanced outbound NAT and copy the autocreated rule for the WAN.
Set in the copy as
Interface: LAN
Source: any
-
> So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
> In this case the observed behaviour is how it should be.

Yep indeed I do. To be honest I could get rid of the other router config once I have PFSense configured correctly. But changing it beforehand would render me unable to access the machine to make the change (hope that makes sense!)

> You could get around this by enabling source NAT on the pfSense.
> For the server this essentially means, all traffic coming from the internet would seem as if it's coming from the pfSense.
> Thus traffic coming in from the port forward would be replied to the pfSense and not to the default gateway. To enable source NAT:
> Enable advanced outbound NAT and copy the autocreated rule for the WAN.
> Set in the copy as
> Interface: LAN
> Source: any

Great stuff. I'll give that a shot.
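The port forward plus source NAT fix quoted above, written out as the equivalent hand-edited pf.conf rules (an added example, not from the thread or from pfSense's generated config; pfSense rewrites its own ruleset, so on pfSense the GUI steps above are what you actually do). The interface names em0/em1 are assumptions; the server address 10.0.0.1 is the one from the state table entries in the thread.

```pf
# Assumed interface names: em0 = WAN, em1 = LAN. The server is the
# 10.0.0.1 host whose default gateway is the *other* router.
wan = "em0"
lan = "em1"
webserver = "10.0.0.1"

# Port forward (what Firewall > NAT > Port Forward builds).
# ($wan) means "the WAN interface's current address", so the rule
# keeps working if the ISP-assigned address changes.
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $webserver

# Source NAT on LAN: the fix from the post above. rdr has already
# rewritten the destination to 10.0.0.1, so this matches the forwarded
# connections and rewrites their source to pfSense's LAN address.
# The server therefore replies to pfSense, not to its default gateway,
# and the state no longer sits at SYN_SENT:CLOSED.
# Limiting it to the server and the forwarded ports (rather than
# "Source: any" to anything) keeps real client addresses in the logs
# of every other host on the LAN; the web server itself will only ever
# log pfSense's LAN address, which matters for any later forensics.
nat on $lan proto tcp from any to $webserver port { 80, 443 } -> ($lan)

# The pass rule is checked after rdr, so its destination is the
# internal server address, not the WAN address (the mistake that
# handed out the WebGUI earlier in the thread).
pass in quick on $wan proto tcp from any to $webserver port { 80, 443 } \
    flags S/SA keep state
```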
-
Actually, sorry for being dumb - you lost me on the last bit.
I've set it to Advanced Outbound NAT and it created an "Autocreated rule for LAN". What else should I add now?
-
Can you show a screenshot of your advanced outbound rules?