Netgate Discussion Forum

    Firewall Rule / Routing Help Please

    Firewalling
    12 Posts 2 Posters 3.2k Views
    magilli

      Thanks for the direction. I did some more checking using ping and traceroute from PF to the 172.20.20.254 gateway. I am seeing "ICMP time exceeded in-transit" errors. This would make sense as to why the Windows machines are working while I am having problems with the Linux machines. Is there any way to troubleshoot this further on the pfSense side?

      Thanks!!

      podilarius

        Did you do a traceroute and ping from the Linux server as well as the Windows machine to compare the difference? Perhaps the default route (gateway) on the Linux system is not correct.

        magilli

          Hi... I got some of it figured out: it was an MTU issue. I increased the MTU on the pfSense interface and all is working.

          Now on to port forwarding... I am running into some more trouble.

          I set up the port forward rule with no luck. The pfSense interface is 192.168.6.254; I set up a virtual IP, 192.168.6.51, that I would like to port forward to 172.31.17.82.

          The pfSense rule looks like this:
          IF = OPT2, proto = tcp, src addr = *, src port = *, dest addr = 192.168.6.51, dest port = 443, NAT IP = 172.31.17.82, NAT port = 443.

          I get nothing... The strange thing is that when I change the dest port to 8080 for the fun of it, the web server replies that I should be using an HTTPS request. I am lost; I didn't expect that result. Does anyone have any suggestions? I thought I should mention that this is coming from an OPT interface, forwarding the traffic to the LAN, not the WAN.

          Thanks

          podilarius

            Is this a configuration on the outbound NAT or the inbound port forwarding?

            magilli

              Hi, this is on the Port Forward tab; I have not touched anything in the outbound configuration. Is there something that I need to do in there as well?

              Thanks

              podilarius

                If I understand what you are looking to do, yes, you need to set up advanced rules to NAT the traffic between OPT2 and LAN.

                magilli

                  The OPT2 will be the interface that is connected to a larger corporate network... it looks something like this:

                  WAN
                  LAN - Management network (Syslog, vCenter, AD)
                  OPT1 - Web servers
                  OPT2 - Cisco network connected to a firewall that is connected to a large network controlled by someone else
                  We are trying to get NAT and port forwarding in place for OPT2 to point to the OPT1 network, because there are IP conflicts between OPT1 and the other controlled network connected to OPT2.

                  I would have thought that the port forwarding would have handled everything and I would not need to do NAT, but I guess it makes sense for the responding packets.

                  Would my source be the OPT1 network,
                  destination OPT2,
                  and the NAT address the virtual IP?

                  Would I configure this in outbound NAT?

                  I have looked a little bit, but I am trying to figure out the source, destination and translation.

                  I have found that the MTU seems to be an issue for me; any insight on the best way to control this problem?

                  Thanks

                  podilarius

                    Port forwarding will handle connections originating inbound, but not those originating from within. You must use AON to handle those types of connections.
                    You said IP conflicts, which to me means that you have them on the same subnet. There will be no routing in that case, and you will need to create a different subnet if you want to have a firewall or router in between them. Not sure why MTU would make any difference if both are on a 10/100 network.

                    magilli

                      Update: the port forwarding that I am using is originating from the OPT3 interface, but I understand what you mean. The IP conflicts come from the other network that is behind a different firewall. We are both using NAT and port forwarding to create a workaround; hope that makes more sense. I have a different system administrator on the other side.

                      After looking at and configuring a lower MTU on the Linux host, all is working great. I have read some other posts saying that pfSense has some trouble handling packet fragments, but it looked like that was for older versions... there were a couple of solutions, but I could not find one that works for me. I am not sure if it is completely a pfSense problem, because I only have problems with the Linux servers. Might be a combination... but a weird one... has anyone else experienced this and have any insight?

                      podilarius... you had mentioned that I should be using AON... would this resolve this issue, as I am not using this scenario currently and things are working?

                      thanks for your help

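The MTU problem in this post (and the earlier one where the pfSense interface MTU was raised) is easier to settle by measuring the path MTU than by trying values. The script below is an added example, not code from the forum thread or from pfSense: it sends echo requests with the Don't-Fragment bit set via Linux iputils `ping -M do` and binary-searches the largest packet that still gets a reply; the result is the MTU to set on the Linux host's interface. The 28-byte overhead is the IPv4 header plus the ICMP echo header. The gateway address 172.20.20.254 is taken from the thread; `simulated_path` is a constructed stand-in for ping so the search logic can be checked offline, and the `lo`/`hi` bounds are assumptions (576 is the minimum every IPv4 host must pass, 1500 is plain Ethernet).

```python
"""Path-MTU probe for the MTU problem discussed in this thread.

Added example, not code from the forum post or from pfSense. It sends ICMP echo
requests with the Don't-Fragment bit set and binary-searches the largest packet
that still gets a reply; that size is the path MTU the Linux host should use.
"""
import shutil
import subprocess
import sys
from typing import Callable

# Bytes the kernel adds around the ICMP payload: IPv4 header + ICMP echo header.
IPV4_HEADER = 20
ICMP_HEADER = 8
OVERHEAD = IPV4_HEADER + ICMP_HEADER


def ping_df_probe(host: str, payload: int, timeout_s: int = 1) -> bool:
    """One echo request with DF set and `payload` data bytes (Linux iputils flags).

    Returns True on a reply. Returns False when the probe cannot traverse the path:
    either the local interface MTU is too small ("message too long") or a router
    answers with ICMP "fragmentation needed" (type 3, code 4). Both make ping
    exit non-zero. On pfSense/FreeBSD the equivalent is
    `ping -D -s <payload> -c 1 <host>`.
    """
    if shutil.which("ping") is None:
        raise RuntimeError("ping binary not found")
    proc = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        check=False,
    )
    return proc.returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Largest IPv4 packet size in [lo, hi] that `probe` confirms passes unfragmented.

    `probe` receives the ICMP payload length (packet size minus the 28-byte overhead).
    Raises if even `lo` fails: the host is unreachable or ICMP is filtered, in which
    case no MTU value will help and the firewall rules need looking at first.
    Pass hi=9000 when jumbo frames are in play on the local segment (assumed bound).
    """
    low = lo - OVERHEAD
    high = hi - OVERHEAD
    if not probe(low):
        raise RuntimeError(f"probe of {lo} bytes failed; check reachability / ICMP filtering")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, so the answer is mid or larger
        else:
            high = mid - 1     # mid was rejected, so the answer is below mid
    return low + OVERHEAD


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for `ping_df_probe`: a path whose narrowest link is path_mtu."""
    return lambda payload: payload + OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Gateway address from the thread; pass another host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "172.20.20.254"
    mtu = find_path_mtu(lambda n: ping_df_probe(target, n))
    print(f"path MTU to {target}: {mtu} bytes; set the interface MTU to {mtu} or lower")
```

Run it from the affected Linux host as `python3 pmtu.py 172.20.20.254`. If plain ping works but every DF probe above the minimum fails, path MTU discovery itself is broken: something on the path is dropping the ICMP "fragmentation needed" messages, and operating systems differ in whether they fall back to smaller segments when that happens, which is the classic reason one OS works across a link and another does not. Allowing ICMP type 3 code 4 through the firewall fixes that for every host at once, whereas lowering the MTU host by host only papers over it.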
                      podilarius

                        I like the granular control of AON. If it is working, let it work.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.