[1:1 NAT] can't reach my machines from the internet
-
Ok, so check your firewall logs. Both in the pfSense box and in the Windows VM if you have a local firewall running there.
One thing you can try is that the IP Alias (virtual IP) will respond to ping requests as long as you have a firewall rule in place on WAN to allow ICMP traffic and that it isn't NAT'd to an internal box. By adding a firewall rule and removing the 1:1 NAT you can test that at least your ISP is routing traffic correctly as far as the pfSense box.
Steve
-
Hello Stephen,
thanks for your patience with me :P
> Ok, so check your firewall logs. Both in the pfSense box and in the Windows VM if you have a local firewall running there.
With an activated 1:1 NAT, there's no action logged from me to the destination IP or anything like that, not even logged connections on the specific ports (logging of rules is activated). :(
> One thing you can try is that the IP Alias (virtual IP) will respond to ping requests as long as you have a firewall rule in place on WAN to allow ICMP traffic and that it isn't NAT'd to an internal box. By adding a firewall rule and removing the 1:1 NAT you can test that at least your ISP is routing traffic correctly as far as the pfSense box.
If the 1:1 rule is deactivated, I can ping my IP successfully and there's a log entry in the fw. :(
-
Hmm, odd.
Perhaps check the state table when you are trying to connect to the server.
If you have logging enabled on the firewall rule allowing the traffic I would expect to see something though. :-\
Steve
-
> Hmm, odd.
Yes :( :(
> Perhaps check the state table when you are trying to connect to the server.
> If you have logging enabled on the firewall rule allowing the traffic I would expect to see something though. :-\
There's no entry in the state table which fits my query to the destination IP or port. :/
Hmpf, mysterious :(
regards,
Robert
-
Nothing in state table or firewall logs but applying the 1:1 NAT prevents the VIP responding to pings. It seems as though the NAT config must be wrong. I can't see what that could be.
Some issue with the virtual environment? :-\
Steve
-
> Nothing in state table or firewall logs but applying the 1:1 NAT prevents the VIP responding to pings. It seems as though the NAT config must be wrong. I can't see what that could be.
> Some issue with the virtual environment? :-\
It's a fresh dedicated server (R410), and w/o the 1:1, I can ping my IPs. So I don't think it's a problem with the environment, or?
Any idea what else I can test? :(
-
Ah, so you're running bare metal, without ESXi?
In my test setup here it's working perfectly so it's hard to know what to suggest. :-\
Anyone else?
You could try using individual port forwards instead of 1:1 NAT.
Since you are (or were) running virtualised you could try adding another virtual NIC in VMWare for the second WAN IP instead of using a virtual IP in pfSense.
Steve
-
> Ah, so you're running bare metal, without ESXi?
No, ofc you're right. It's running on ESXi. Lil misunderstanding. :p
Do you think something's wrong with my ESXi? Mh, can't see what it could be and how I can test it ^^
> In my test setup here it's working perfectly so it's hard to know what to suggest. :-\
I know :(
> You could try using individual port forwards instead of 1:1 NAT.
> Since you are (or were) running virtualised you could try adding another virtual NIC in VMWare for the second WAN IP instead of using a virtual IP in pfSense.
Okay, I will try tomorrow.
Thanks Steve!
-
Puh, a few days w/o time to try.
I've deactivated the 1:1 and added a Port FW to the internal IP of my VM, see the attached port forward.
VM is online, still no connection from outside. :(
-
Hmm, interesting. Usually, with a common port forward, you specify the destination IP and it would usually be the WAN address. However here you are using the IP alias. I guess it should work without specifying the destination IP, you could also try setting the destination as the IP alias address.
Using an additional virtual NIC in ESXi for the WAN would make things a lot more straightforward in many ways. The additional IP will appear as a completely separate interface so you can select it in 1:1 NAT or port forwards.
Are you able to test it from a locally connected machine on the pfSense WAN side? My test setup here was using a series of pfSense boxes behind each other. The box doing the 1:1 NAT with the IP Alias was using private IPs on both WAN and LAN and I was testing from the WAN subnet directly.
Steve
-
> Hmm, interesting. Usually, with a common port forward, you specify the destination IP and it would usually be the WAN address. However here you are using the IP alias. I guess it should work without specifying the destination IP, you could also try setting the destination as the IP alias address.
Not sure I understand you right and what you mean with:
> Using an additional virtual NIC in ESXi for the WAN would make things a lot more straightforward in many ways. The additional IP will appear as a completely separate interface so you can select it in 1:1 NAT or port forwards.
The problem is, my VM is only online if I define the 192.168.1.101 for it. With the 192.168.1.101, it has the main IP from pfSense for outgoing traffic into the internet. If I use an IP address from my subnet, I can't get the machine online. Which GW do I have to use in this case?
I've created a PFW where I used the pfSense IP as the "NAT IP", which is equal to the IP of my first WinVM, but even then it won't work.
> Are you able to test it from a locally connected machine on the pfSense WAN side? My test setup here was using a series of pfSense boxes behind each other. The box doing the 1:1 NAT with the IP Alias was using private IPs on both WAN and LAN and I was testing from the WAN subnet directly.
Okay, will test and update here soon.
edit: Okay, I added the Test-VM to my WAN interface and configured the 2nd IP (aaa.bbb.0.1) from my subnet for it. It says it has an internet connection, but it didn't.
But as I said, I'm not sure I understand you correctly. Sorry if not ._.
-
I've reinstalled pfSense.
Created the 1:1 again and my machine has my subnet IP in outbound. I still can't reach it from the internet, but I see the requests in my firewall now if I try to connect to RDP or ping the IP. I think that's a small step ^^
I'm wondering why it shows the request as 'PASS' in the logs.
-
Aha! Yes that is a step forward. It's showing as 'pass' because it's matching the pass rule you setup to allow the forwarded traffic.
Ok, so that confirms that the box is receiving the traffic on the virtual IP, NATing it to the internal address and allowing it to pass through the WAN firewall. Yet you aren't seeing it at the server?
Could you have some asymmetric routing issue? Perhaps the returning traffic is not matching the open firewall state? Do you have a rule to allow the return traffic if it isn't? Anything in the firewall logs to show that?
Edit: What is your current WAN firewall rule? Reading back I see that your original rule was for IPv4/TCP only which won't allow ICMP (ping).
Steve
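What the setup discussed in this thread (1:1 NAT from an IP alias to the VM, plus the WAN rule that was TCP-only and so blocked ping) looks like at the pf level, as an added illustration that is not from the posts above and not pfSense's own generated ruleset; interface names and the public addresses are placeholders, 192.168.1.101 is the VM address from the thread.

```pf
# Placeholders: interface name and public addresses are made up for this example
ext_if = "em0"              # WAN interface
vip    = "203.0.113.10"     # IP alias (virtual IP) on WAN, assumed public address
srv    = "192.168.1.101"    # internal Windows VM from the thread

# 1:1 NAT: bidirectional translation between the VIP and the internal VM.
# Inbound packets addressed to $vip are rewritten to $srv before the filter
# rules run, and the VM's outbound traffic leaves with $vip as its source.
binat on $ext_if from $srv to any -> $vip

# Filter rules see the translated (internal) destination, so WAN rules for
# 1:1 NAT'd traffic must reference $srv, not $vip.

# Original WAN rule from the thread, IPv4/TCP only: RDP is passed and logged,
# but an ICMP echo to the VIP matches nothing and hits pfSense's default deny.
#pass in log quick on $ext_if inet proto tcp from any to $srv port 3389 keep state

# Corrected: keep the TCP rule and add an explicit ICMP echo-request rule.
pass in log quick on $ext_if inet proto tcp  from any to $srv port 3389 keep state
pass in log quick on $ext_if inet proto icmp from any to $srv icmp-type echoreq keep state

# Diagnostic variant suggested earlier in the thread (binat removed): with the
# binat line commented out, this lets the VIP itself answer pings, which
# confirms the ISP routes the second address as far as the pfSense box.
#pass in log quick on $ext_if inet proto icmp from any to $vip icmp-type echoreq keep state
```

On the box, `pfctl -sn` lists the loaded binat rule and `pfctl -ss | grep 192.168.1.101` shows whether a state was created for the connection, which is the state-table check suggested above.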