No x-forwarded-for with port forward NAT
-
Hi all.
I have a strange problem on 2.0.1-RELEASE (amd64). I'm using a NAT port forward to NAT my web server's incoming traffic
on to an Apache load balancer that is using mod_proxy.
I have the same settings with various other firewalls (iptables/Fortinet/Checkpoint) and don't have that problem.
When I look at the headers I see the PFS internal interface IP.
I googled but found nothing on this, nor in these forums.
Is there an attribute I need to check in order for that to work, or am I missing something? Thanks
Yan
-
NAT won't mess with anything inside your packets, so this is working as expected.
-
Are you trying to verify this from within your network or outside of your network?
-
I have tested both from inside the LAN and from outside; in both cases
the results were the same: the x-forwarded-for shows one IP, and it's the LAN interface IP.
I have also tried to hit it from behind a proxy that I have set up using squid. When I point this squid at the other firewalls I have,
the results are as expected, but in the 2 cases where I have pfSense the results are the LAN interface IP only. These are the firewall rules I got from the conf file:
<rule>
  <source>
    <any></any>
  </source>
  <interface>wan</interface>
  <protocol>tcp/udp</protocol>
  <destination>
    <address>192.168.0.4</address>
    <port>443</port>
  </destination>
  <associated-rule-id>nat_4f6b3e66ac6410.97810288</associated-rule-id>
</rule>
<rule>
  <source>
    <any></any>
  </source>
  <interface>wan</interface>
  <protocol>tcp/udp</protocol>
  <destination>
    <address>192.168.0.4</address>
    <port>80</port>
  </destination>
  <associated-rule-id>nat_4f6b3ed0bcbd93.23368410</associated-rule-id>
</rule>
and these are the NAT settings:
<nat>
  <advancedoutbound>
    <rule>
      <source>
        <network>192.168.0.0/24</network>
      </source>
      <dstport>500</dstport>
      <target></target>
      <interface>wan</interface>
      <destination>
        <any></any>
      </destination>
      <staticnatport></staticnatport>
    </rule>
    <rule>
      <source>
        <network>192.168.0.0/24</network>
      </source>
      <sourceport></sourceport>
      <target></target>
      <interface>wan</interface>
      <destination>
        <any></any>
      </destination>
      <natport></natport>
    </rule>
  </advancedoutbound>
</nat>
-
Try just TCP only. Web traffic does not flow on UDP.
-
Port forwarding by NAT gateways doesn't touch packet content.
The X-Forwarded… you're referring to is only used by L7 HTTP reverse proxies (load balancers etc.).
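To make the last two replies concrete, here is an added Python example (not code from the thread, pfSense or Apache) that models the three hops in the poster's setup: a port forward that copies the HTTP bytes through untouched, an L7 proxy that appends the TCP peer it saw to X-Forwarded-For, and a backend that resolves the real client from that header using a trusted-proxy list. All addresses, the `trace_request` scenario and the trusted-proxy list are constructed assumptions for the example.

```python
"""Added example, not from the thread: a NAT port forward never writes
X-Forwarded-For (XFF); only an L7 reverse proxy (Apache mod_proxy, squid, ...)
does, and it can only record the TCP peer it actually accepted from.

Every address below is constructed for the example; the trusted-proxy list is
an assumption about the backend's own deployment.
"""
from ipaddress import ip_address, ip_network


def nat_port_forward(headers: dict) -> dict:
    """Layer 3/4 port forward: only the packet's IP/port fields are rewritten.
    The HTTP payload is copied through unchanged, so no header is added."""
    return dict(headers)


def l7_proxy(headers: dict, tcp_peer: str) -> dict:
    """What an HTTP reverse proxy does before forwarding upstream: append the
    address of the TCP peer it accepted the connection from to XFF. If that
    peer is the firewall's LAN address, that address is what lands in XFF."""
    out = dict(headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {tcp_peer}" if existing else tcp_peer
    return out


def _parse(ip: str):
    """Return an ip_address or None for garbage in a client-supplied header."""
    try:
        return ip_address(ip)
    except ValueError:
        return None


def client_ip(headers: dict, tcp_peer: str, trusted_proxies: list) -> str:
    """Backend-side resolution of the real client address.

    Walk the XFF chain from the right (the hop nearest to us) and return the
    first address that is not a trusted proxy. The leftmost value is whatever
    the client chose to send, so it must never be trusted on its own."""
    trusted = [ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: str) -> bool:
        addr = _parse(ip)
        return addr is not None and any(addr in net for net in trusted)

    if not is_trusted(tcp_peer):
        # Direct connection (or an unknown proxy): the socket peer is the client.
        return tcp_peer
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in chain if h]):
        if _parse(hop) is None:
            continue  # malformed entry, skip it rather than report it
        if not is_trusted(hop):
            return hop
    return tcp_peer  # every hop was a trusted proxy; nothing better to report


def trace_request(client: str, proxy_lan_ip: str, spoofed_xff=None) -> tuple:
    """Run one request through firewall -> load balancer -> backend and return
    (XFF as seen by the backend, client IP the backend resolves)."""
    headers = {"Host": "www.example.test"}
    if spoofed_xff:
        headers["X-Forwarded-For"] = spoofed_xff  # attacker-controlled input
    headers = nat_port_forward(headers)            # firewall hop: no change
    headers = l7_proxy(headers, tcp_peer=client)   # mod_proxy hop: appends peer
    # The backend's own TCP peer is the load balancer, the one hop it trusts.
    resolved = client_ip(headers, tcp_peer=proxy_lan_ip,
                         trusted_proxies=[f"{proxy_lan_ip}/32"])
    return headers["X-Forwarded-For"], resolved


if __name__ == "__main__":
    print(trace_request("203.0.113.7", "192.168.0.4"))
    print(trace_request("203.0.113.7", "192.168.0.4", spoofed_xff="10.0.0.1"))
```

Running it shows the firewall hop contributing nothing to the header, while a spoofed leftmost value is ignored because the backend walks the chain from its trusted load balancer outwards. It also shows why a LAN interface address in XFF is a symptom rather than a NAT header bug: the proxy can only log the peer address of the TCP connection it accepted, so if that peer was the firewall's LAN IP, the source address had been rewritten before the connection reached the proxy, and the payload itself was never modified.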