Netgate Discussion Forum

No x-forwarded-for with port forward NAT

6 Posts 4 Posters 4.3k Views
  • Y
    yyagol
    last edited by Sep 5, 2012, 2:06 PM Sep 5, 2012, 1:57 PM

    Hi all.
    I have a strange problem, 2.0.1-RELEASE (amd64). I'm using NAT port forward to NAT my web server's incoming traffic
    on to an Apache load balancer which is using mod_proxy.
    I have the same settings with different other firewalls (iptables/Fortinet/Checkpoint) and don't have that problem.
    When I look at the headers I see the PFS internal interface IP.
    I googled but found nothing on this, as well as in these forums.
    Is there an attribute I need to check in order for that to work, or am I missing something?

    Thanks
    Yan

    • S
      SeventhSon
      last edited by Sep 10, 2012, 9:43 PM

      NAT won't mess with anything inside your packets, so this is working as expected.

      • P
        podilarius
        last edited by Sep 10, 2012, 9:46 PM

        Are you trying to verify this from within your network or outside of your network?

        • Y
          yyagol
          last edited by Sep 24, 2012, 7:17 AM

          I have tested both from inside the LAN and from outside; in both cases
          the results were the same: the x-forwarded-for shows one IP and it's the LAN interface IP.
          I have also tried to hit it from behind a proxy that I have set up using squid. When I set this squid to other firewalls I have,
          the results are as expected, but in the 2 cases where I have pfSense the results are the LAN interface IP only.

          These are the firewall rules I got from the conf file

          
          <rule>
                  <source>
                          <any></any>
                  </source>
                  <interface>wan</interface>
                  <protocol>tcp/udp</protocol>
                  <destination>
                          <address>192.168.0.4</address>
                          <port>443</port>
                  </destination>
                  <associated-rule-id>nat_4f6b3e66ac6410.97810288</associated-rule-id>
          </rule>
          <rule>
                  <source>
                          <any></any>
                  </source>
                  <interface>wan</interface>
                  <protocol>tcp/udp</protocol>
                  <destination>
                          <address>192.168.0.4</address>
                          <port>80</port>
                  </destination>
                  <associated-rule-id>nat_4f6b3ed0bcbd93.23368410</associated-rule-id>
          </rule>
          

          and these are the NAT settings

          <nat>
                  <advancedoutbound>
                          <rule>
                                  <source>
                                          <network>192.168.0.0/24</network>
                                  </source>
                                  <dstport>500</dstport>
                                  <target></target>
                                  <interface>wan</interface>
                                  <destination>
                                          <any></any>
                                  </destination>
                                  <staticnatport></staticnatport>
                          </rule>
                          <rule>
                                  <source>
                                          <network>192.168.0.0/24</network>
                                  </source>
                                  <sourceport></sourceport>
                                  <target></target>
                                  <interface>wan</interface>
                                  <destination>
                                          <any></any>
                                  </destination>
                                  <natport></natport>
                          </rule>
                  </advancedoutbound>
          </nat>
          
          • P
            podilarius
            last edited by Sep 24, 2012, 12:53 PM

            Try just TCP only. Web Traffic does not flow on UDP.

            • D
              dhatz
              last edited by Sep 24, 2012, 1:25 PM

              Port forwarding by NAT gateways doesn't touch packet content.

              The X-forwarded… you're referring to is only used by L7 http reverse-proxies (load-balancers etc)

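
The distinction drawn in the replies above, as an added Python sketch that is not part of the thread and is not pfSense or Apache code: a port forward rewrites only the IP header, while an L7 reverse proxy parses the request and appends the TCP peer address it sees to X-Forwarded-For. The Packet model, the function names and every address except 192.168.0.4 are constructed for illustration; treating 192.168.0.4 as the mod_proxy host is an assumption.

```python
# Added illustration (not pfSense or Apache code): L3/L4 port forward vs. L7 proxy.
# Constructed addresses; 192.168.0.4 (from the posted rules) is assumed to be the proxy.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str        # source address in the IP header
    dst: str        # destination address in the IP header
    payload: bytes  # TCP payload: the raw HTTP request

def port_forward(pkt, wan_ip, target_ip):
    """Destination NAT: only the IP header changes, the payload is never parsed."""
    return replace(pkt, dst=target_ip) if pkt.dst == wan_ip else pkt

def is_xff(line):
    return line.lower().startswith(b"x-forwarded-for:")

def reverse_proxy(pkt, backend_ip):
    """L7 proxy: parse the request, append the TCP peer (pkt.src) to
    X-Forwarded-For, then send it on a new connection from the proxy itself."""
    head, sep, body = pkt.payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    chain = [l.split(b":", 1)[1].strip() for l in lines if is_xff(l)]
    chain.append(pkt.src.encode())
    out = [l for l in lines if not is_xff(l)]
    out.append(b"X-Forwarded-For: " + b", ".join(chain))
    return Packet(src=pkt.dst, dst=backend_ip, payload=b"\r\n".join(out) + sep + body)

def xff(pkt):
    """Return the X-Forwarded-For value carried in the payload, or None."""
    head = pkt.payload.partition(b"\r\n\r\n")[0]
    for l in head.split(b"\r\n"):
        if is_xff(l):
            return l.split(b":", 1)[1].strip().decode()
    return None

REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # constructed sample
VIA_SQUID = REQUEST.replace(b"\r\n\r\n", b"\r\nX-Forwarded-For: 10.1.1.5\r\n\r\n")

def demo(raw):
    """Client -> WAN port forward -> proxy -> backend; returns each hop's view."""
    at_proxy = port_forward(Packet("203.0.113.10", "198.51.100.1", raw),
                            "198.51.100.1", "192.168.0.4")
    at_backend = reverse_proxy(at_proxy, "192.168.0.10")
    return at_proxy, at_backend

if __name__ == "__main__":
    for p, b in map(demo, (REQUEST, VIA_SQUID)):
        print(p.src, "->", p.dst, "XFF:", xff(p), "| backend sees XFF:", xff(b))
```

The header value is always the source address of the TCP connection as the proxy sees it, so comparing it with the proxy's own access log shows which address actually arrived at that hop.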
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.