Netgate Discussion Forum
    NAT from external works great.. internal.. bad?

    key4ce

      Hello,

      Well, I got a strange problem.. everything external seems to work perfectly..
      However, from, for example, my laptop to a webserver that's located within the LAN: FTP cannot view files (stuck at binary connection)
      HTTPS: seems to load but then states "connection interrupted"
      HTTP: runs fine.

      Now I got multiple IPs on a single WAN;
      they're set up as IP Aliases.

      I got my own private public IP subnet of 8 IPs.

      Aliases all seem fine from outside.. however from within the local LAN I think the routing goes horribly wrong.

      The rule for example:
      [All traffic matching this NAT entry is passed] WAN TCP/UDP * * 88.159.83.165 Web1_TCP_UDP 192.168.0.52 *

      where 88.159.83.165 is the public IP Alias set under Dest. addr.
      192.168.0.52 is the local webserver.

      Web1_TCP_UDP got port 443, 80 etc. etc.. so HTTPS should technically work fine…
      from external: can load https site (https://key4ce.com) fine.
      and can load http site (http://key4ce.com) fine.

      From internal with laptop: can't load https and CAN load http.
      https complains about being interrupted (it starts loading then suddenly stops)

      This is from multiple internal PCs.

      I got Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) turned on.. I am not sure if that's related to this issue.
      (the reason why it's turned on is because we got services like VOIP that need to register under an alias IP on external SIPs, and not under the default WAN IP)

      Does anyone have any idea on where I should look next? or what my misconfiguration is?

      Regards,
      Marco

      GruensFroeschli

        http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        key4ce

          I already saw that one..
          I used method 1: NAT Reflection.
          Those rules are set to reflect and it's unchecked in advanced settings. (this is why HTTP works for example.. it only seems to cut off some services and allow others fine)

          DNS Method is not possible as we host over 1000 domains which we should be able to connect to from local when needed (for example FTP, which doesn't function)

          I also got the LAN Rules as the pdf describes and outbound (last one for all internal 192.168.0.0/24) all set up.

          I think the surprising part is that I get interrupted..
          FTP is also logging in first.. then stops at Binary DATA protocol.
          HTTPS loads for a few seconds then suddenly stops and says interrupted.

          Is there any protocol or option inside pfSense that interrupts or times out connections within a few seconds?

          Regards,
          Marco

          PS: thanks for the quick reply!

          GruensFroeschli

            How many NAT reflects are you talking about?
            Just since you say you host over 1000 domains….

            NAT reflection will not start if you forward ranges >500 and/or more than 1000 reflects in total.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
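            As an added illustration of the limits in the reply above (this is example code, not from the thread or from pfSense), the script below reads port forwards written in the layout of Marco's rule line and reports which port ranges are too wide to be reflected and whether the total stays under the reflection ceiling. The alias table, the passive FTP range 50000-51500 and the exact way the two limits are counted are assumptions made for the example.

```python
# Added example (not from the thread or pfSense): models the NAT reflection
# limits GruensFroeschli cites (ranges over 500 ports not reflected, over 1000
# reflects in total disables reflection). Counting rules are an assumption.
from dataclasses import dataclass

MAX_RANGE = 500    # largest single port range reflection will expand
MAX_TOTAL = 1000   # reflection is disabled beyond this many reflects

# Constructed aliases; the 50000-51500 passive FTP range is invented.
ALIASES = {"Web1_TCP_UDP": "80,443,21,50000-51500", "Mail_TCP": "25,587,993"}

@dataclass
class PortForward:
    iface: str
    proto: str
    dst_ip: str
    port_spec: str   # alias name or literal such as "80,443,50000-51000"
    target_ip: str

def parse_rule(line: str) -> PortForward:
    """Parse a line in the layout of the thread's NAT rule table."""
    fields = line.split("]", 1)[-1].split()   # drop the bracketed status text
    if len(fields) != 8:
        raise ValueError(f"expected 8 columns, got {len(fields)}: {line!r}")
    iface, proto, _src, _sport, dst, dport, target, _tport = fields
    return PortForward(iface, proto, dst, dport, target)

def expand_ports(spec: str) -> list[tuple[int, int]]:
    """Resolve an alias name or literal port list into (low, high) ranges."""
    ranges = []
    for item in ALIASES.get(spec, spec).split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry {item!r}")
        ranges.append((lo, hi))
    return ranges

def reflection_report(forwards):
    """Return (reflected_port_count, skipped_ranges, reflection_enabled)."""
    total, skipped = 0, []
    for fw in forwards:
        for lo, hi in expand_ports(fw.port_spec):
            if hi - lo + 1 > MAX_RANGE:
                skipped.append((fw.dst_ip, lo, hi))   # too wide, not reflected
            else:
                total += hi - lo + 1
    return total, skipped, total <= MAX_TOTAL

RULE = "[All traffic matching this NAT entry is passed] WAN TCP/UDP * * 88.159.83.165 Web1_TCP_UDP 192.168.0.52 *"
```

Running `reflection_report([parse_rule(RULE)])` shows the web ports reflected but the wide FTP range skipped, which matches the symptom of FTP logging in and then stalling on the data connection.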

            key4ce

              Not more than 1000 reflects in total?
              I did read about the not larger than 500 ports (this is probably the problem for FTP as it's passive with a dynamic port range)
              which is not that big of a deal as revising the FTP server was the next on the list (after changing firewall.. we used to have IPCop before this.. pfSense, FreeBSD based, is a lot more to our liking :))

              Is there any way to manually add similar reflect rules?
              for example to force https to work?

              key4ce

                Alright..
                just to test I modified the ranged ports to be separated (and not reflected) instead of inside the alias and reflected.
                I didn't specifically count it all but I am very sure it isn't 1000 reflections.

                however.. HTTPS still doesn't work..
                is there any option that prevents https from working on an ALIAS IP?
                Lockout mode is disabled (though that should only mostly matter to the WAN main IP)

                Regards,
                Marco

                key4ce

                  Well.. after screwing around for several days.. still no real luck on getting this done the right way…
                  Too bad.. cause I really liked all the functions.. but really.. they're useless if they're not reachable by the local LAN and only by external people.

                  So we went looking for other projects.. ended up with Endian, where this problem is solved by 4 clicks:

                  Source NAT (outbound) tab:
                  Source: 192.168.0.0/24
                  Destination (interface): GREEN
                  NAT to: Auto
                  (the last one is normally the external IP for all other outbound rules)

                  So for a future request: please add something similar or equally effective for inbound traffic.
                  As in the end.. clusters.. clouds.. Active Directory and actually nearly every service these days should be DNS based.. which no one with a larger network will split up with inbound and outbound DNS etc. etc., and most functions of pfSense --> ARE for larger networks, so this is kind of a real miss if you ask me.

                  Regards,
                  Marco
