    No x-forwarded-for with port forward NAT

      yyagol

      Hi all.
      I have a strange problem on 2.0.1-RELEASE (amd64). I'm using a NAT port forward to NAT my web server's incoming traffic
      on to an Apache load balancer which is using mod_proxy.
      I have the same settings with different other firewalls (iptables/Fortinet/Check Point) and don't have that problem.
      When I look at the headers I see the PFS internal interface IP.
      I googled but found nothing on this, as well as in these forums.
      Is there an attribute I need to check in order for that to work, or am I missing something?

      Thanks
      Yan

        SeventhSon

        NAT won't mess with anything inside your packets, so this is working as expected.

          podilarius

          Are you trying to verify this from within your network or outside of your network?

            yyagol

            I have tested both from inside the LAN and from outside; in both cases
            the results were the same: the x-forwarded-for shows one IP and it's the LAN interface IP.
            I have also tried to hit it from behind a proxy that I have set up using squid. When I set this squid up with the other firewalls I have,
            the results are as expected, but in the 2 cases where I have pfsense the results are the LAN interface IP only.

            These are the firewall rules I got from the conf file

            
            <rule>
                <source><any></any></source>
                <interface>wan</interface>
                <protocol>tcp/udp</protocol>
                <destination>
                    <address>192.168.0.4</address>
                    <port>443</port>
                </destination>
                <associated-rule-id>nat_4f6b3e66ac6410.97810288</associated-rule-id>
            </rule>
            <rule>
                <source><any></any></source>
                <interface>wan</interface>
                <protocol>tcp/udp</protocol>
                <destination>
                    <address>192.168.0.4</address>
                    <port>80</port>
                </destination>
                <associated-rule-id>nat_4f6b3ed0bcbd93.23368410</associated-rule-id>
            </rule>
            

            and these are the NAT settings

            <nat>
                <advancedoutbound>
                    <rule>
                        <source><network>192.168.0.0/24</network></source>
                        <dstport>500</dstport>
                        <target></target>
                        <interface>wan</interface>
                        <destination><any></any></destination>
                        <staticnatport></staticnatport>
                    </rule>
                    <rule>
                        <source><network>192.168.0.0/24</network></source>
                        <sourceport></sourceport>
                        <target></target>
                        <interface>wan</interface>
                        <destination><any></any></destination>
                        <natport></natport>
                    </rule>
                </advancedoutbound>
            </nat>
            
              podilarius

              Try just TCP only. Web Traffic does not flow on UDP.

                dhatz

                Port forwarding by NAT gateways doesn't touch packet content.

                The X-forwarded… you're referring to is only used by L7 http reverse-proxies (load-balancers etc)
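
An added example, not part of the original thread, illustrating the replies above: a port forward rewrites only addresses and leaves the HTTP bytes alone, while an L7 reverse proxy writes X-Forwarded-For from the TCP source address it sees. All addresses except 192.168.0.4 are constructed, and the source-translation case is a hypothetical scenario, not a diagnosis of the poster's setup.

```python
# Added illustration; addresses other than 192.168.0.4 are constructed samples.
CLIENT = "203.0.113.7"     # constructed public client address
WAN_IP = "198.51.100.1"    # constructed firewall WAN address
LAN_IP = "192.168.0.1"     # assumed firewall LAN interface address
BALANCER = "192.168.0.4"   # port-forward target from the posted rules
REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def port_forward(packet, target):
    """Layer 3/4 destination NAT: only the destination address changes."""
    return {**packet, "dst": target}


def source_translate(packet, new_src):
    """Layer 3/4 source NAT: only the source address changes."""
    return {**packet, "src": new_src}


def reverse_proxy(packet):
    """Layer 7 proxy: parse the request and append the TCP peer address
    (packet["src"]) to X-Forwarded-For before passing it to a backend."""
    head, _, body = packet["payload"].partition(b"\r\n\r\n")
    request_line, *headers = head.decode("ascii").split("\r\n")
    is_xff = lambda h: h.lower().startswith("x-forwarded-for:")
    chain = [h.split(":", 1)[1].strip() for h in headers if is_xff(h)]
    chain.append(packet["src"])
    kept = [h for h in headers if not is_xff(h)]
    kept.append("X-Forwarded-For: " + ", ".join(chain))
    return "\r\n".join([request_line, *kept]).encode("ascii") + b"\r\n\r\n" + body


def forwarded_for(raw):
    """Return the X-Forwarded-For value of a raw request, or None if absent."""
    for line in raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            return value.strip().decode("ascii")
    return None


inbound = {"src": CLIENT, "dst": WAN_IP, "payload": REQUEST}
forwarded = port_forward(inbound, BALANCER)        # payload bytes unchanged
translated = source_translate(forwarded, LAN_IP)   # hypothetical: source rewritten too

if __name__ == "__main__":
    print("after port forward:", forwarded_for(forwarded["payload"]))
    print("proxy, original source:", forwarded_for(reverse_proxy(forwarded)))
    print("proxy, translated source:", forwarded_for(reverse_proxy(translated)))
```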
