Netgate Discussion Forum

    NAT reflection and port forwards broken in RC1

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
47 Posts 10 Posters 16.2k Views
jlepthien:

Again? Come on guys…
Every time someone said that NAT reflection was not working with the beta, it actually did...
Right now I tested port forwarding to an internal web server, which works. Also NAT reflection from WLAN->LAN with my external web server's hostname works flawlessly...

I don't know what you guys are doing wrong all the time...

      I am using 2.0-RC1 (i386) built on Mon Feb 28 14:28:32 EST 2011 btw...

      | apple fanboy | music lover | network and security specialist | in love with cisco systems |

Supermule:

I don't see anything in the logs…. I am actually asking kindly for help finding info that is related to the matter.

How the hell should I be able to answer what is wrong, when it doesn't tell me anything?

It is a fresh install from scratch of 2.0 RC1, and it and the 1.2.3 machine are both running in the same VM environment. FreeBSD 32-bit.

So unless you can tell me where to find logs that tell me what is wrong, then I suggest you take it easy.

        Try to help instead of patronizing me...

jlepthien:

You could start by telling us EXACTLY what you did to set it up. 'Doesn't work' is not really a helpful problem description. Give us every step you did and we can help you find where you went wrong…

Supermule:

I set up the box…. added the interfaces... WAN, LAN and OPT1. Gave them the relevant IP address ranges, did the rules and port forwards and put it online. Nothing came through to the relevant servers behind. Every internal website was going to the login page of pfSense. I couldn't access the sites from outside either. Despite the block-all rule coming last in the rule list. Everything was set up just like 1.2.3 and nothing worked. Gateway was given and I could access external sites just fine. It didn't change anything if I enabled or disabled the NAT reflection. Rebooted 3 times to see if it would change things... it did not. Upgrading to newer snapshots didn't work either.

GruensFroeschli:

              To what is your external IP set in the port forward?
              ("any" would be wrong)

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Supermule:

                Interface address….. :)

jlepthien:

                  Please post your configuration and mask all confidential information in there. Then we can have a look at it…

Supermule:

                    Will set it up again this evening with the latest snap…. Deleted it in VMWare out of sheer anger :D

jlepthien:

Also do some tests from outside afterwards, e.g. 'telnet hostname port', to see if you get a connection. For NAT reflection to work you also need to disable the check on System->Advanced->Firewall/NAT for the reflection…

If it doesn't work, post your configuration or at least screenshots. If you just say "I set up the rules", how are we supposed to know you did everything right? Did you just add the firewall rule or also the NAT rule? More details please. Source, destination and so on. But again, just posting your configuration would be easier. I am still on the first RC snap and it is working with it.

Supermule:

                        Will do!

Supermule:

This is my config…

Just a test setup, but it still doesn't work.

                          <pfsense><version>7.6</version>
                          <lastchange><theme>pfsense_ng</theme>
                          <sysctl><tunable>debug.pfftpproxy</tunable>
                          <value>default</value>
                          <tunable>vfs.read_max</tunable>
                          <value>default</value>
                          <tunable>net.inet.ip.portrange.first</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.blackhole</tunable>
                          <value>default</value>
                          <tunable>net.inet.udp.blackhole</tunable>
                          <value>default</value>
                          <tunable>net.inet.ip.random_id</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.drop_synfin</tunable>
                          <value>default</value>
                          <tunable>net.inet.ip.redirect</tunable>
                          <value>default</value>
                          <tunable>net.inet6.ip6.redirect</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.syncookies</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.recvspace</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.sendspace</tunable>
                          <value>default</value>
                          <tunable>net.inet.ip.fastforwarding</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.delayed_ack</tunable>
                          <value>default</value>
                          <tunable>net.inet.udp.maxdgram</tunable>
                          <value>default</value>
                          <tunable>net.link.bridge.pfil_onlyip</tunable>
                          <value>default</value>
                          <tunable>net.link.bridge.pfil_member</tunable>
                          <value>default</value>
                          <tunable>net.link.bridge.pfil_bridge</tunable>
                          <value>default</value>
                          <tunable>net.link.tap.user_open</tunable>
                          <value>default</value>
                          <tunable>kern.rndtest.verbose</tunable>
                          <value>default</value>
                          <tunable>kern.randompid</tunable>
                          <value>default</value>
                          <tunable>net.inet.ip.intr_queue_maxlen</tunable>
                          <value>default</value>
                          <tunable>hw.syscons.kbd_reboot</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.inflight.enable</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.log_debug</tunable>
                          <value>default</value>
                          <tunable>net.inet.icmp.icmplim</tunable>
                          <value>default</value>
                          <tunable>net.inet.tcp.tso</tunable>
                          <value>default</value>
                          <tunable>kern.ipc.maxsockbuf</tunable>
                          <value>default</value></sysctl>
                          <system><optimization>normal</optimization>
                          <hostname>pfsense</hostname>
                          <domain>localdomain</domain>
                          <group><name>all</name>

                          <scope>system</scope>
                          <gid>1998</gid>
                          <member>0</member></group>
                          <group><name>admins</name>

                          <scope>system</scope>
                          <gid>1999</gid>
                          <member>0</member>
                          <priv>page-all</priv></group>
                          <user><name>admin</name>

                          <scope>system</scope>
                          <groupname>admins</groupname>
                          <password>xxxx</password>
                          <uid>0</uid>
                          <priv>user-shell-access</priv></user>
                          <nextuid>2000</nextuid>
                          <nextgid>2000</nextgid>
                          <timezone>Europe/Copenhagen</timezone>
                          <time-update-interval><timeservers>dk.pool.ntp.org</timeservers>
                          <webgui><protocol>http</protocol>
                          <ssl-certref>xxx</ssl-certref></webgui>
                          <maximumstates><maximumtableentries><enablebinatreflection>yes</enablebinatreflection>
                          <reflectiontimeout><dnsserver>8.8.8.8</dnsserver>
                          <dnsserver>208.67.222.222</dnsserver>
                          <dnsserver>195.67.199.39</dnsserver>
                          <dnsserver>195.67.199.40</dnsserver>
                          <dnsallowoverride><firmware><allowinvalidsig></allowinvalidsig></firmware>
                          <gitsync><branch></branch></gitsync></dnsallowoverride></reflectiontimeout></maximumtableentries></maximumstates></time-update-interval></system>
                          <interfaces><wan><enable><if>em0</if>
                          <blockpriv><blockbogons><media><mediaopt><spoofmac><ipaddr>xxx.xxx.201.114</ipaddr>
                          <subnet>28</subnet>
                          <gateway>Telia</gateway></spoofmac></mediaopt></media></blockbogons></blockpriv></enable></wan>
                          <lan><enable><if>em1</if>
                          <ipaddr>192.168.1.1</ipaddr>
                          <subnet>16</subnet>
                          <media><mediaopt></mediaopt></media></enable></lan>
                          <opt1><if>em2</if>

                          <enable><spoofmac><ipaddr>192.168.10.1</ipaddr>
                          <subnet>24</subnet></spoofmac></enable></opt1></interfaces>
                          <staticroutes><dhcpd><lan><range><from>192.168.1.100</from>
                          <to>192.168.1.199</to></range></lan></dhcpd>
                          <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
                          <dnsmasq><enable><domainoverrides><domain>netxxxxxx.dk</domain>
                          <ip>192.168.1.1</ip></domainoverrides></enable></dnsmasq>
                          <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
                          <diag><ipv6nat></ipv6nat></diag>
                          <bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru>
                          <rule><source>
                          <any><port>25</port>

                          <destination><network>wanip</network>
                          <port>25</port></destination>
                          <protocol>tcp</protocol>
                          <target>ISA</target>
                          <local-port>25</local-port>
                          <interface>wan</interface>
                          <descr><associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id></descr></any></rule>
                          <rule><source>
                          <any><port>80</port>

                          <destination><network>wanip</network>
                          <port>80</port></destination>
                          <protocol>tcp</protocol>
                          <target>ISA</target>
                          <local-port>80</local-port>
                          <interface>wan</interface>
                          <descr><associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id></descr></any></rule></nat>
                          <filter><rule><source>
                          <any><port>25</port>

                          <interface>wan</interface>
                          <protocol>tcp</protocol>
                          <destination><address>ISA</address>

                          <port>25</port></destination>

                          <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id></any></rule>
                          <rule><source>
                          <any><port>80</port>

                          <interface>wan</interface>
                          <protocol>tcp</protocol>
                          <destination><address>ISA</address>

                          <port>80</port></destination>

                          <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id></any></rule>
                          <rule><id><type>block</type>
                          <interface>wan</interface>
                          <tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
                          <os><protocol>tcp/udp</protocol>
                          <source>
                          <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule>
                          <rule><type>pass</type>

                          <interface>lan</interface>
                          <source>
                          <network>lan</network>

                          <destination><any></any></destination></rule></filter>
                          <shaper><ipsec><preferoldsa></preferoldsa></ipsec>
                          <aliases><alias><name>ISA</name>

                          <address>192.168.1.50</address>

                          <descr><type>host</type>
                          <detail></detail></descr></alias></aliases>
                          <proxyarp><cron><minute>0</minute>
                          <hour></hour>
                          <mday>
                          </mday>
                          <month></month>
                          <wday>
                          </wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 newsyslog
                          <minute>1,31</minute>
                          <hour>0-5</hour>
                          <mday></mday>
                          <month>
                          </month>
                          <wday></wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 adjkerntz -a
                          <minute>1</minute>
                          <hour>3</hour>
                          <mday>1</mday>
                          <month>
                          </month>
                          <wday></wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
                          <minute>
                          /60</minute>
                          <hour></hour>
                          <mday>
                          </mday>
                          <month></month>
                          <wday>
                          </wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
                          <minute>1</minute>
                          <hour>1</hour>
                          <mday></mday>
                          <month>
                          </month>
                          <wday></wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
                          <minute>
                          /60</minute>
                          <hour></hour>
                          <mday>
                          </mday>
                          <month></month>
                          <wday>
                          </wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
                          <minute>30</minute>
                          <hour>12</hour>
                          <mday></mday>
                          <month>
                          </month>
                          <wday>*</wday>
                          <who>root</who>
                          <command></command>/usr/bin/nice -n20 /etc/rc.update_urltables</cron>
                          <wol><rrd><enable></enable></rrd>
                          <load_balancer><monitor_type><name>ICMP</name>
                          <type>icmp</type></monitor_type>
                          <monitor_type><name>TCP</name>
                          <type>tcp</type></monitor_type>
                          <monitor_type><name>HTTP</name>
                          <type>http</type>

                          <options><path>/</path>
                          <host>200</host></options></monitor_type>
                          <monitor_type><name>HTTPS</name>
                          <type>https</type>

                          <options><path>/</path>
                          <host>200</host></options></monitor_type>
                          <monitor_type><name>SMTP</name>
                          <type>send</type>

                          <options><send>EHLO nosuchhost</send>
                          <expect>250-</expect></options></monitor_type></load_balancer>
                          <widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence></widgets>
                          <revision><time>1299152187</time>

                          <username>admin</username></revision>
                          <openvpn><l7shaper><container></container></l7shaper>
                          <dnshaper><cert><refid>4d6f3f19cede8</refid>

                          <crt>xxx</crt>
                          <prv>xxx</prv></cert>
                          <ppps><gateways><gateway_item><interface>wan</interface>
                          <gateway>xx.xxx.201.113</gateway>
                          <name>Telia</name>
                          <weight>1</weight>
                          <descr><defaultgw></defaultgw></descr></gateway_item></gateways></ppps></dnshaper></openvpn></wol></proxyarp></shaper></syslog></bridge></staticroutes></lastchange></pfsense>

wallabybob:

I may not be interpreting your config.xml correctly, but it looks to me that you have configured your port forwarding rules incorrectly. For example, the rule for SMTP port forwarding apparently says source port=25 and destination port=25. It is very unlikely that an access attempt to your SMTP server will come from port 25. Sure, it will be headed for destination port 25. I think you should have a source port of Any (* in the web GUI). I didn't look at your other port forwarding rules.

Supermule:

Works fine in 1.2.3. And has been all the time.

[attachment: rules.jpg]

jlepthien:

                                External port must be any. Never does a server connect from his port 25 to 25….

Supermule:

                                  Not even if you relay to somewhere else?

                                  @jlepthien:

                                  External port must be any. Never does a server connect from his port 25 to 25….

jlepthien:

                                    A connection always comes from a port >1023 to the destination service port like 80 or 25…

Supermule:

                                      My ISP provides relay on the test setup on port 25….works like a charm.

wallabybob:

                                        It looks to me that your port forwarding rule for SMTP will match only packets arriving on the WAN interface if the source port is 25 and destination port is 25.

                                        I think you should look closely at your firewall logs to see how many access attempts to your SMTP server come from port 25.

                                        My SMTP port forwarding rule specifies source port=any destination port=25. My rule works. Your rule is more restrictive than mine and doesn't work.

                                        Repeat above (with appropriate port number changes) for every port forward in which you have specified source port = destination port.

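As an added example (not code from the thread or from pfSense itself), a small Python check that reads a pfSense-style config.xml fragment, lists the <nat><rule> port forwards, tests whether a SYN from a client's ephemeral port would match each one, and flags rules whose source port is pinned, which is the problem wallabybob points out in the SMTP rule of the config posted above. The XML fragment, the rule descriptions and the packet values are constructed for the demonstration; a real config.xml carries many more elements than this, and the matching here only covers interface, protocol and ports.

```python
"""Lint pfSense port forwards for a pinned source port.

Added illustration for the thread above; not pfSense code. The config
fragment is constructed to mirror the shape of the poster's NAT rules
(source port 25 -> destination port 25) and is not the real file.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: rule 1 pins the source port (broken), rule 2 leaves it
# as "any" (what the web GUI shows as *), which is the working form.
CONFIG_XML = """<pfsense>
  <nat>
    <rule>
      <source><any/><port>25</port></source>
      <destination><network>wanip</network><port>25</port></destination>
      <protocol>tcp</protocol>
      <target>ISA</target>
      <local-port>25</local-port>
      <interface>wan</interface>
      <descr>SMTP forward, source port pinned (constructed)</descr>
    </rule>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <protocol>tcp</protocol>
      <target>ISA</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr>HTTP forward, source port any (constructed)</descr>
    </rule>
  </nat>
</pfsense>
"""

PortRange = Tuple[int, int]


def parse_port(text: Optional[str]) -> Optional[PortRange]:
    """'25' -> (25, 25); '25-26' or '25:26' -> (25, 26); missing/empty -> None (any)."""
    if text is None or not text.strip():
        return None
    lo, _, hi = text.strip().replace(":", "-").partition("-")
    return (int(lo), int(hi or lo))


@dataclass
class Forward:
    interface: str
    protocol: str
    src_port: Optional[PortRange]  # None means any source port
    dst_port: Optional[PortRange]
    target: str
    local_port: str
    descr: str


@dataclass
class Packet:
    """The fields of an inbound SYN that the forward's match criteria look at."""
    protocol: str
    src_port: int
    dst_port: int
    interface: str = "wan"


def load_forwards(xml_text: str) -> List[Forward]:
    """Collect every <nat><rule> as a Forward; absent <port> elements mean any."""
    root = ET.fromstring(xml_text)
    return [
        Forward(
            interface=rule.findtext("interface", "wan"),
            protocol=rule.findtext("protocol", "tcp"),
            src_port=parse_port(rule.findtext("source/port")),
            dst_port=parse_port(rule.findtext("destination/port")),
            target=rule.findtext("target", ""),
            local_port=rule.findtext("local-port", ""),
            descr=rule.findtext("descr", ""),
        )
        for rule in root.findall("./nat/rule")
    ]


def _in_range(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(fwd: Forward, pkt: Packet) -> bool:
    """All criteria must hold, as pf ANDs the fields of a rdr rule."""
    if pkt.interface != fwd.interface:
        return False
    if fwd.protocol not in (pkt.protocol, "tcp/udp"):
        return False
    return _in_range(pkt.src_port, fwd.src_port) and _in_range(pkt.dst_port, fwd.dst_port)


def lint_forwards(forwards: List[Forward]) -> List[str]:
    """Report forwards with a pinned source port: clients use ephemeral ports."""
    return [
        f"{f.descr or f.target}: source port {f.src_port[0]}-{f.src_port[1]} is pinned; "
        "clients connect from an ephemeral port, so set the source port to any"
        for f in forwards
        if f.src_port is not None
    ]


if __name__ == "__main__":
    fwds = load_forwards(CONFIG_XML)
    client_syn = Packet("tcp", 51234, 25)  # a mail server connecting from an ephemeral port
    for f in fwds:
        print(f"{f.descr}: matches client SMTP SYN = {matches(f, client_syn)}")
    for warning in lint_forwards(fwds):
        print("WARN", warning)
```

Run against the fragment, the pinned SMTP rule does not match a SYN from port 51234 to port 25 (it would only match one from port 25), while the HTTP rule with source port any matches a client on any ephemeral port; the lint pass reports exactly the pinned rule.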
Supermule:

                                          I have no issues at all with mail…. :) I do understand what you mean, but it works fine.

Guest:

Wow, that is surprising that 1.2.3 works with those port forwards. I noticed your RDP ports, and wanted to let you know you can change Windows' default RDP port through the registry. Though you're achieving the same effect by using NAT, which is pretty cool :-)

                                            So your ISP is doing NAT for you. Does that mean that when it sees a packet with a destination port 25 (or whatever), it relays/forwards it to you from port 25 making the source 25? That's a bit interesting.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.