1 public IP mapped to a private machine's IP address. How to make it work?

jauyzed

@viragomann:

Exactly the same text content as in Routing and MultiWAN: https://forum.pfsense.org/index.php?topic=127397.0
??

Try to access the web server by typing your external IP in the browser.
If you still cant reach the it use Packet Capture from pfSense Diagnostic menu to check if packet are forwarded to you by your ISP. Select WAN interface and port 80 and start the capture and try to access the website from the internet, stop it then and look if packet are shown.

The link you have posted led to a dead link  :(

I see the packets in the Packet Capture. Thanks for the info.

jauyzed

@Chromatics:

You must change the value of Dest. Address 10.1.10.102 to Interface Address(Public IP Address assigned to the WAN interface) to make it works.

If you try to reach the webserver from WAN via www.example.com, incoming packets to WAN will have their destination as the public IP, not 10.1.10.102.

Then pfSense will NAT these packets by the port forward rule, translating their destination to 10.1.10.102 and after that, it will resume filtering and routing them.

Also only setting that rule will not make the webserver accessible from any nodes from OPT1 or LAN via www.example.com name.
You will need to add more rules with everything same with the corrected WAN port forward rule but with different interfaces, each ones for LAN, OPT1.

However for the efficiency you may want to just use 10.1.10.102 inside OPT1 network for accessing the webserver or just want to set up another DNS server exclusive for that network.

I have changed the destination address in the NAT rules to my public IP. NAt ip is set to OPT1 host 10.1.10.102. On the browser or cmd curl http:// <mypubip>doesnt lead me anywhere :-(</mypubip>

Chromatics

Where did you tested it? The pfSense host itself? Or other computers from each networks?
I suggest you to test it from other computers from each networks, not the pfSense host itself.

jauyzed

@Chromatics:

Where did you tested it? The pfSense host itself? Or other computers from each networks?
I suggest you to test it from other computers from each networks, not the pfSense host itself.

Im not testing from pfsense host. Its reachable from pfsense host.No problems hitting it from within private network whatsoever.

Failing case scenario:other computers with different ip(from work). Outside network –> my home public ip

Chromatics

I think it's good to check and find out where the packets are not flowing.
Use tcpdump from shell from each computers to see what's going on.

Suggestion:
from the pfSense host,
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102

from the webserver,
tcpdump -n -i (Name of the interface to xn2) port 80

And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?

jauyzed

@Chromatics:

I think it's good to check and find out where the packets are not flowing.
Use tcpdump from shell from each computers to see what's going on.

Suggestion:
from the pfSense host,
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102

from the webserver,
tcpdump -n -i (Name of the interface to xn2) port 80

And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?

When I ran the commands from the pfSense host,
tcpdump -n -i xn0 port 80

output: 11 packets captured
            492 packets received by filter

tcpdump -n -i xn2 port 80 && host 10.1.10.102

output: 86 packets captured
            3773 packets received by the filter

from the webserver,
tcpdump -n -i eth0 port 80

output: 0 packets captured

I have attached the output of netstat on webserver instance which shows the ports are open and also attached the nat settings and interface settings on pfsense. I have hid my public ip on 2nd attachment

thanks for all the suggestions!


Chromatics

When you were running tcpdump, you could see each packet's logs.

Were you able to see from xn0 with incoming packets with destination as public IP : port 80?
And what about outgoing packets with source as public IP : port 80?

Were you able to see from xn2 with outgoing packets with destination as 10.1.10.102 : port 80?
And what about incoming packets with source as 10.1.10.102 : port 80?

Were you able to see from the interface of webserver with incoming packets with destination as 10.1.10.102 : port 80?
And what about outgoing packets with source as 10.1.10.102 : port 80?

Derelict

Do NOT set a source port on your port forward.

You had to click advanced and ignore this to get where you are right now:

Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

jauyzed

@Derelict:

Do NOT set a source port on your port forward.

You had to click advanced and ignore this to get where you are right now:

Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

This setting did it! Thank you!

jauyzed

@Chromatics:

When you were running tcpdump, you could see each packet's logs.

Were you able to see from xn0 with incoming packets with destination as public IP : port 80?
And what about outgoing packets with source as public IP : port 80?

Were you able to see from xn2 with outgoing packets with destination as 10.1.10.102 : port 80?
And what about incoming packets with source as 10.1.10.102 : port 80?

Were you able to see from the interface of webserver with incoming packets with destination as 10.1.10.102 : port 80?
And what about outgoing packets with source as 10.1.10.102 : port 80?

Thank you for the all responses and suggestions! Helped me debug network