Netgate Discussion Forum
    NAT not working for http
    PMiND

      Hi,

      I recently installed pfSense 2.1. I'm currently using it to build an isolated preproduction environment on my network.

      WAN NIC: 10.0.21.253 / 10.0.21.250 (VIP)
      LAN NIC: 10.0.11.198
      Preproduction gateway: 10.0.11.232
      Web server: 10.0.11.217

      So, I've done a NAT/firewall rule for RDP (3389) to the preproduction gateway and it's successful. However, no matter how I do it, I seem not to be able to make one for the web server on port 80. When I check the logs, it keeps telling me that a rule is blocking it.

      Label of the rule: 3 block drop in log inet all label "Default deny rule IPv4". However, I'm not able to find it anywhere.

      My GUI is running on HTTP. I tried to make it run on HTTPS, but I always get certificate errors and stuff, and in the end I get locked out and need to restore the config. So I made a Virtual IP on 10.0.21.250 and I'm trying to make the NAT work with this IP.

      Where do I fail?

      Thanks a lot in advance for your answers.

        phil.davis

        Label of the rule: 3 block drop in log inet all label "Default deny rule IPv4". However, I'm not able to find it anywhere.

        pfSense puts unseen "block all" rules at the end of the ruleset, to ensure that it really is a firewall and all traffic that is not matched by a pass rule really gets blocked. Getting this rule mentioned in the firewall log simply means that you need to add a pass rule on the interface concerned to pass the traffic you want to allow.
        PS: I don't understand your actual configuration, because "Preproduction gateway: 10.0.11.232" looks like it is inside the LAN subnet (10.0.11.198 is the LAN IP). But I expect that the gateway out of a test system will still be some IP address in the pfSense WAN subnet (that is probably itself a router on another LAN that is closer to the "real world").

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          PMiND

          PS: I don't understand your actual configuration, because "Preproduction gateway: 10.0.11.232" looks like it is inside the LAN subnet (10.0.11.198 is the LAN IP). But I expect that the gateway out of a test system will still be some IP address in the pfSense WAN subnet (that is probably itself a router on another LAN that is closer to the "real world").

          The preprod gateway is only a Win 2K3 server with TS licenses installed, so people can RDP into it and access stuff.

          pfSense puts unseen "block all" rules at the end of the ruleset, to ensure that it really is a firewall and all traffic that is not matched by a pass rule really gets blocked. Getting this rule mentioned in the firewall log simply means that you need to add a pass rule on the interface concerned to pass the traffic you want to allow.

          Well, I added the rule as well, but nothing seems to unblock the traffic, even if I click the little "+" beside the blocked traffic in the logs.

          Any thoughts?

            johnpoz (LAYER 8 Global Moderator)

            So you're trying to do an inbound port forward (NAT) from your WAN to your LAN IP.

            So when you created the rule, did you let it create the firewall rule for you? Seems lots of people like to uncheck the default of letting pfSense create the firewall rule.

            You need to have the NAT that forwards the traffic from your WAN IP on whatever port you want to your LAN IP and port. Then you need to have a firewall rule on the WAN that allows the traffic.

            Also, are you trying to hit this from outside the pfSense WAN network, or are you on the LAN trying to hit your pfSense WAN wanting to get forwarded back in? That would be NAT reflection and would have to be turned on as well if that is what you're trying to do.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              phil.davis

              Then you need to have a firewall rule on the lan that allows the traffic.

              1-char correction: for an inbound port forward the pass rule needs to be on WAN.
              But, as johnpoz says, just let pfSense auto-create the rule for you when you add the port forward.

                johnpoz (LAYER 8 Global Moderator)

                ^ Yup, my bad, typo - corrected. Thanks!

                  PMiND

                  @johnpoz:

                  So you're trying to do an inbound port forward (NAT) from your WAN to your LAN IP.

                  So when you created the rule, did you let it create the firewall rule for you? Seems lots of people like to uncheck the default of letting pfSense create the firewall rule.

                  You need to have the NAT that forwards the traffic from your WAN IP on whatever port you want to your LAN IP and port. Then you need to have a firewall rule on the WAN that allows the traffic.

                  I have good knowledge of how NAT/firewalls work and I was coming here more in a "is there a bug, or am I really missing something here" kind of way.

                  So I made my NAT rule, then checked to see if the firewall rule was created for it. It was. Then I tried to troubleshoot, check the logs, etc.

                  And then I came here to see if I was the only one having problems with such a basic rule ;) I did a NAT rule for letting RDP in, FTP, no problem. HTTP? No way.

                  Also, are you trying to hit this from outside the pfSense WAN network, or are you on the LAN trying to hit your pfSense WAN wanting to get forwarded back in? That would be NAT reflection and would have to be turned on as well if that is what you're trying to do.

                  I installed this as a pre-production environment gateway. So basically, everything I'm trying to access is from WAN to LAN. My WAN here is my production LAN :) So no loopback rule needed, only basic NATing for port 80.

                    johnpoz (LAYER 8 Global Moderator)

                    Well, NAT for port 80 is no different than any other NAT. Takes all of 2 seconds to create, just like any other NAT. If your NAT and firewall rule are there, then either the traffic is not getting to pfSense for it to forward and allow, or the LAN device you're forwarding to is not listening or has a firewall blocking 80.

                    Or you have some firewall rule blocking it. Your WAN is private, but you say your other NATs work, so I have to assume you unchecked "block private networks" on the WAN already. Your statement of having issues with SSL certs and locking yourself out pointed to you being unskilled in even basic networking or IT; sorry if I misread that. But someone that locks themselves out because of a self-signed cert doesn't scream networking IT guru to me ;)

                    A couple of sniffs and you would actually know if you have something wrong in pfSense (possible bug) or where your problem is.

                    Sniff on the pfSense WAN: is the traffic there? Sniff on the pfSense LAN: does the traffic get forwarded, does the server reply, etc. This takes no more than 30 seconds to do. Now you know where the issue is, be it before pfSense or after pfSense.

                      PMiND

                      Thanks guys for your help.

                      I finally found the solution, and it wasn't in the pfSense config.

                      Since these servers are VM clones from the prod environment, the gateway of the web server was still configured for the prod switch (which didn't exist in the preprod environment).

                      So changing the GW to the pfSense firewall made it work!

                      And for the "locking out" thing, I didn't say I was a network guru, but I know enough to tell that it's not normal behavior ;)

                      Thanks to phil.davis and johnpoz for taking the time to understand the problem =) Have a good day, sirs.

                      PMiND
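As an added example (not from this thread, and not pfSense code), here is johnpoz's two-sniff method turned into a small classifier over tcpdump-style lines from the WAN and LAN captures. It also recognises the root cause PMiND found: the forwarded SYN reaches the LAN, but the server ARPs for a gateway other than pfSense, so its SYN-ACK never comes back through the firewall. The capture lines, the client 10.0.21.50 and the stale gateway 10.0.11.1 are constructed; the other addresses are the ones given in the thread.

```python
import re

# Shapes of "tcpdump -n" one-liners (only the fields needed here are matched).
TCP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\]")
ARP_RE = re.compile(r"ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")


def parse_tcp(lines):
    """Return (src, sport, dst, dport, flags) for every TCP line in a capture."""
    pkts = []
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            pkts.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def arp_targets(lines, sender):
    """IPs that `sender` is ARPing for, i.e. where it believes its next hop is."""
    return {m["target"] for m in map(ARP_RE.search, lines) if m and m["sender"] == sender}


def diagnose(wan_lines, lan_lines, wan_vip, lan_ip, server_ip, port):
    """Localise a failing inbound forward: WAN sniff, LAN sniff, look for the SYN-ACK."""
    wan, lan = parse_tcp(wan_lines), parse_tcp(lan_lines)
    if not any(p[2] == wan_vip and p[3] == port and p[4] == "S" for p in wan):
        return "before pfSense: no SYN reaches the WAN address"
    if not any(p[2] == server_ip and p[3] == port and p[4] == "S" for p in lan):
        return "inside pfSense: SYN on WAN but not forwarded to LAN (NAT rule / WAN pass rule)"
    if any(p[0] == server_ip and p[1] == port and p[4] == "S." for p in lan):
        return "forward works: server answered with SYN-ACK"
    # No reply came back through pfSense. A server ARPing for some other next hop
    # has a default gateway that is not pfSense (the root cause in this thread).
    strays = arp_targets(lan_lines, server_ip) - {lan_ip}
    if strays:
        return f"after pfSense: server default gateway is {sorted(strays)[0]}, not pfSense {lan_ip}"
    return "after pfSense: server not listening on the port, or its host firewall blocks it"


# Constructed captures for the thread's addresses (10.0.21.250 WAN VIP, 10.0.11.198
# pfSense LAN, 10.0.11.217 web server); 10.0.21.50 and 10.0.11.1 are made up.
WAN_CAP = ["10:00:00.000100 IP 10.0.21.50.51000 > 10.0.21.250.80: Flags [S], seq 1, win 64240, length 0"]
LAN_CAP = ["10:00:00.000200 IP 10.0.21.50.51000 > 10.0.11.217.80: Flags [S], seq 1, win 64240, length 0",
           "10:00:00.000300 ARP, Request who-has 10.0.11.1 tell 10.0.11.217, length 28"]

if __name__ == "__main__":
    print(diagnose(WAN_CAP, LAN_CAP, "10.0.21.250", "10.0.11.198", "10.0.11.217", 80))
```

Feeding it real `tcpdump -n` output from the WAN and LAN interfaces (Diagnostics > Packet Capture, or the shell) gives the same three-way split johnpoz describes: before pfSense, inside pfSense, or after pfSense.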

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.