Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT Portforwarding - tcpdump - Debug (Packet Capture) - difference

    Scheduled Pinned Locked Moved NAT
    10 Posts 2 Posters 3.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H Offline
      HenriH
      last edited by

      Hi,

      have here some trouble with an new pfsense & NAT Port Forwarding.

      tcpdump -n -i vmx5

      11:49:19.550967 IP x.x.190.16.30490 > x.x.190.20.443: Flags ~~, seq 4086420366, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1489436623 ecr 0

      This packet does not arrive in the pfsense Packet Capture trace for this interface, but I can see other traffic here.
      Have switched on the FW rule logging, but there is nothing in the logs. The NAT rule should forward https to a internal box.

      How to debug, which component causes the drop?

      Thanks

      Henri~~

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        What do you mean doesn't show up in pfsense packet capture.. If it doesnt show up in the pfsense packet capture - then pfsense is not seeing it..  And now you can not forward it.

        Your issues is with your VM setup if you see it on the hosts nic, but pfsense is not seeing it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        1 Reply Last reply Reply Quote 0
        • H Offline
          HenriH
          last edited by

          Hi,

          to clarify.

          I performed a ssh to pfsense und entered "8" shell (in the pfsense VM).

          Then I entered:

          root: tcpdump -n -i vmx5 host x.x.x.16
          tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
          listening on vmx5, link-type EN10MB (Ethernet), capture size 65535 bytes
          14:00:08.777371 ARP, Request who-has x.x.x.20 (ff:ff:ff:ff:ff:ff) tell x.x.x.16, length 46
          14:00:08.777393 ARP, Reply x.x.x.20 is-at 00:50:56:98:e9:69, length 28
          14:00:08.778531 IP x.x.x.16.23812 > x.x.x.20.443: Flags ~~, seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496915945 ecr 0,sackOK,eol], length 0
          14:00:09.977839 IP x.x.x.16.23812 > x.x.x.20.443: Flags ~~, seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496916945 ecr 0,sackOK,eol], length 0
          14:00:11.179268 IP x.x.x.16.23812 > x.x.x.20.443: Flags ~~, seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496917945 ecr 0,sackOK,eol], length 0

          I can see the packet in the VM tcpdump trace in pfsense, so it arrives at the VMs ethernet adapter.

          In the packet capture trace on pfsense side (http://fwwan/diag_packet_capture.php), I see a lot of ARP packets BUT NOT the previous tcpdumped packet.

          I would like to understand who dropped the packet in between?

          Thanks

          Henri~~~~~~

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            ok so that is the wan of pfsense seeing the packet, but your saying you can not see these packets via packet capture in pfsense using the same interface?

            Is this IP public or private that is sending the traffic?

            Do you do the same capture on the interface the traffic is suppose to be forwarded too?

            Have you gone through the troubleshooting doc?
            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            1 Reply Last reply Reply Quote 0
            • H Offline
              HenriH
              last edited by

              Ho Johnpoz,

              it's a public IPV4 IP (we own 5) and yes I followed the instructions but no hit.
              I assume that this is my fault, I had not touched a pfsense before (only a couple of other enterprise FW products) but I have no idea what's wrong.
              A NAT forwarding rule/FW rule (for 443) exists, the internal IP and port in the NAT rule are okay, I can ping this address from the pfsense shell
              and receive traffic on the WAN/LAN interface.

              Thanks

              Henri

              1 Reply Last reply Reply Quote 0
              • H Offline
                HenriH
                last edited by

                Hi,

                have to mention that I use the Interface OPT4 / not WAN.
                Is there any different here ?

                Thanks

                Henri

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  "have to mention that I use the Interface OPT4 / not WAN."

                  Well if your not using wan then you have to make sure your forward is using the correct interface..  Why would you not be using wan for your internet connection?

                  "it's a public IPV4 IP (we own 5) and yes"

                  So is this to 1 of the 5 IPs, you set them up as VIPs?  Or is this to the IP on the actual interface?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  1 Reply Last reply Reply Quote 0
                  • H Offline
                    HenriH
                    last edited by

                    In fact we have 5 static public IPs plus 1 dynamic public IP (Backup).
                    Because we need 5 times inbound port 443 (IT consulting company, e.g. for banks, Tecos etc, ask there for a FW change) to reach internal services and our ISP supports no subnet routing, I have to define 6 WAN interfaces. Any other way?

                    Henri

                    1 Reply Last reply Reply Quote 0
                    • H Offline
                      HenriH
                      last edited by

                      have also to mention, for SURE I tcpdumped and caputured the package trace on the OPT4 (for my purpose WAN) port und defined the NAT and FW rules for the interface.
                      But I see no tagging in then pfsense interface definition to define OPT4 is WAN or DMZ or LAN  ….

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        "I have to define 6 WAN interfaces. Any other way?"

                        Huh???  You would normally just put the vips on the interface actually connected.  I don't even think pfsense will let you bring up another interface in the same network??  So at a complete lost to what you have done.

                        If you have been given say 1.2.3.0/29 where gateway is 1.2.3.1 and you can use .2 -.6  You would say give pfsense the .2, then create VIPs on this interface for your .3, .4, etc.  You would then forward your traffic that hits your different vips.. Ie if dest is 1.2.3.6 port 80 forward to 192.168.1.100:80, if hit .5 then 192.168.1.99:80, etc.

                        You can name optX anything you want.  If you gave it a gateway on the interface then it would auto think its a "wan" interface and allow for natting to this interface, etc.  This is how you bring up different wan connections when you have different ISPs etc.

                        But again I am like 99.99% sure pfsense will not let you create another interface and put an IP on it that overlaps another interfaces network..  So what you have done I have no idea.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.