Netgate Discussion Forum

    NAT with SOAP

      enigmait

      Hi,

      I run a cPanel server inside pfSense using NAT.

      Everything works fine except for SOAP requests.

      When I perform a test I get a timeout and I can only guess that it is something to do with the request not coming back through the correct route.

      It's only a theory that this is the problem but now I am stuck on what to do.

      Has anyone had a similar issue and is able to help to resolve it?

        dennypage

        Have you looked in the firewall log to see if any packets are being blocked?

        Status -> System Logs -> Firewall

          enigmait

          Yes. Nothing in the logs. Anywhere.

            dennypage

            If there's nothing in pf's firewall log then it's likely that pf isn't directly involved in the failure. My next step would be a packet capture. Other things to check would be host firewall and host routing.

              salamihawk

              You have to think through logically how the SOAP protocol works and where your source and destination IPs are. Are you sending something from the internet into your local network? Is port 80 (this is what SOAP uses, no?) properly forwarded? Is port 80 maybe being intercepted by the management process of the pfSense firewall? Does SOAP require any funky backwards (server to client) or secondary connections (connect to 80, negotiate client-server connect to other port a la RPC) that might not be forwarded properly?

              One other thing you can try is to define a custom service with the destination port TCP 80 and set the inbound (internet -> server) policy to use this new TCP 80 service and not the built-in HTTP service. Some firewalls (I'm not too familiar with pfSense, admittedly) have helper processes that look deep into the application layer to see what's going on in the application stream, and if the SOAP protocol "looks" different than a regular HTTP request, the firewall may flag it as invalid and drop the packets. Defining a custom service will tell the firewall to only look at layer 4 (TCP/UDP Ports) and no further, ensuring that non-standard protocols using standard ports will be properly forwarded without firewall interference.

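The packet-capture step suggested in the thread can be made systematic by capturing the same connection attempt on the WAN and LAN interfaces and checking how far the TCP handshake gets. The following is an added example, not code from any poster or from pfSense; it assumes `tcpdump -n` text output, and the addresses, the function names and the result labels are constructed for illustration.

```python
import re

# Address/port/flags portion of a `tcpdump -n` text line.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def handshake(capture, client_ip, port):
    """Return (syn_seen, synack_seen) for client_ip connecting to port."""
    syn = synack = False
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and src == client_ip and dport == str(port):
            syn = True
        elif flags == "S." and dst == client_ip and sport == str(port):
            synack = True
    return syn, synack

def locate_failure(wan_capture, lan_capture, client_ip, port=80):
    """Name the hop where the TCP handshake for the forwarded port stops."""
    wan_syn, wan_synack = handshake(wan_capture, client_ip, port)
    lan_syn, lan_synack = handshake(lan_capture, client_ip, port)
    if not wan_syn:
        return "NOT_ARRIVING"        # nothing reaches the WAN side at all
    if not lan_syn:
        return "NOT_FORWARDED"       # port forward or WAN rule does not match
    if not lan_synack:
        return "NO_REPLY_FROM_HOST"  # host firewall, service down, or reply sent via another gateway
    if not wan_synack:
        return "REPLY_NOT_RETURNED"  # reply reached the firewall but did not leave on WAN
    return "HANDSHAKE_OK"            # TCP is fine; look at the HTTP/SOAP layer

# Constructed sample captures (documentation addresses, not from the thread):
# the SYN is forwarded to the server, but no SYN-ACK ever comes back.
WAN = """\
12:00:01.000001 IP 203.0.113.10.51514 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000104 IP 203.0.113.10.51514 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
"""
LAN = """\
12:00:01.000050 IP 203.0.113.10.51514 > 192.168.1.20.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000150 IP 203.0.113.10.51514 > 192.168.1.20.80: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    print(locate_failure(WAN, LAN, "203.0.113.10"))
```

A `NO_REPLY_FROM_HOST` result with an empty firewall log points at the two things named in the thread: the host firewall and the host's routing back to the firewall.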
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.