Does PureNAT for Reflection in 2.2.1 even work?
-
Those look sane. Are you redirecting it back out the same interface it came in on in this case? What do the resulting firewall states look like if you filter under Diag>States for something that should be reflected?
On an unrelated note, how'd you end up with igb and vmx NICs on the same system? Or is that combining from other systems?
-
These are the two states that try to make the connection:
LAN tcp 192.168.10.28:443 (98.207.23.137:443) <- 192.168.10.2:58131 CLOSED:SYN_SENT
WAN tcp 73.222.4.232:9604 (192.168.10.2:58131) -> 192.168.10.28:443 SYN_SENT:CLOSED -
These are the two states that try to make the connection:
LAN tcp 192.168.10.28:443 (xx.207.23.137:443) <- 192.168.10.2:58131 CLOSED:SYN_SENT
WAN tcp xx.222.4.232:9604 (192.168.10.2:58131) -> 192.168.10.28:443 SYN_SENT:CLOSEDLooks like a multi-wan issue? LAN is making a connection to WAN2 (xx.207.23.137) and the second line, WAN (xx.222.4.232) is making the reply?
The reason why I have igbX because my two WAN connections are PCI passthrough devices. VMX is my lan connection with is a 10G SFP+ connection to my lan switch.
-
My next guess was going to be the traffic hitting a firewall rule that forces it out to the gateway in question. Add a rule above any rule specifying a gateway or gateway group, matching destination of your local WAN IPs and internal LAN IPs, and try again. Suspect that'll work.
The reason why I have igbX because my two WAN connections are PCI passthrough devices. VMX is my lan connection with is a 10G SFP+ connection to my lan switch.
Ah ok, I was wondering if there was some new virtual NIC type I hadn't heard of, that makes sense now.
-
Right now, I can't find a rule that will match my packet so i'm at a complete lost as to what is going on. Maybe someone smarter than me could reproduce and debug this on their end…
-
Or you could post your rules.
-
Whatever interface the traffic is sourced on is where the rule(s) in question reside.
-
"VMX is my lan connection with is a 10G SFP+ connection to my lan switch."
Home network my ass ;)
Pretty highend home network.. But too cheap to buy more than 1 public IP? So your doing redirection via port?
-
Well, I just play with fancy gear (got the sg500x switch for too cheap!). I really don't know how one could set up a network with all these options you mentioned. I was looking into buying a domain name so I can configure all my https services with proper certificates but that's a daunting task right now. I just know simple network confit and nat reflection is what I know from cheap Linux routers.
-
you don't know how to buy a domain but you have a sg500x with 10g sfps? ;) And you like people having to put in urls like www.something.tld:1234 ? And then you redirect that again to :4567 on your private side?
So you have multiple hosts behind pfsense running all these different sites? Or just one – so you don't know about host headers and virtual domains, or how to serve up multiple sites off a httpd ?
So what speed of internet do you have that your hosting all these sites? To be honest there is little point to hosting anything off a "home" internet connection but if you need more than 1 IP so you don't have to use ports for host headers and virtual hosts in your httpd, etc. Then call your isp and tell them you need more IP addresses.
-
I know what you mean but i'm trying to port forward some security cameras. When I'm connected internally, the ip cam application points to xxx.dyndns.org:8081, 8082 and when i'm external to the network, they should just work. That is why I need reflection in my case.
-
This thread has already been over
so lets say I have 3 cams
cam1.dyndns.tld:8081
cam2.dyndns.tld:8082
cam3.dyndns.tld:8083now cam1,2 and 3 all point to your public IP lets call it 4.5.6.7, and your cameras on the inside are 192.168.1.101,102 and .103
Are your cameras listening on 8081 and 8082 and 8083 or do you forward to say 80?? Really should forward to the ports your actually listening on. if cams listen on those ports your urls still work just fine be it outside or inside your network.
Also having your cameras open to the public net is not a good idea to be honest. Why don't you just vpn in and use the private IPs directly. This makes it simple and more secure.. Nat reflection is to be honest never a good idea ;)