NAT port forward - What am I doing wrong?
-
Firewall on webserver?
-
Yes, Hosts file on my client system, I just use this instead of changing the DNS of my hostname.
Then you are still testing from LAN, because the request is entering pfSense from the LAN interface.
-
As Grimson said, you're still testing from LAN. Use your phone (not on Wifi!) or someone else's PC not on your network to test. For virtual IP, you're using an IP Alias type of VIP?
-
I'm using virtual IP alias.
And for the hosts file testing, I'm testing from a PC outside of my network. -
You mentioned squid before. Are you using it as a reverse proxy?
-
@KOM:
You mentioned squid before. Are you using it as a reverse proxy?
I'm using it as a transparent proxy; I just use it to redirect my websites to the internal webserver IP.
I have to mention that when I put my webserver IP as the NAT IP, it doesn't work. When I put my squid IP as the NAT IP, it works. -
Use pfSense's traffic sniffer on WAN and LAN to see if the requests are hitting your WAN, and to see if they're going out to LAN. Does your web server see any incoming traffic from your tests in its log?
-
I have done some tests, as I said.
When I create the following rule:
Source Address - *
Source Ports - *
Destination Address - ExternalIP(62.0.67.1)
Destination Ports - 80
NAT IP - SquidIP(192.168.30.4)
NAT Port - 1080 (Squid Port)
It seems to work, but only when squid is the middle man.
My squid is set as a transparent proxy and just redirects to my webserver, which is in the same LAN (everything is in the same LAN).
Now, when I don't want to use squid, I create the following rule:
Source Address - *
Source Ports - *
Destination Address - ExternalIP(62.0.67.1)
Destination Ports - 80
NAT IP - Web Server IP(192.168.30.5)
NAT Port - 80
It doesn't work; I get timed out.
Now, I tried to capture packets on pfSense:
WAN -
11:25:27.363309 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
11:25:30.362450 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
11:25:36.362645 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
11:25:48.374788 IP 212.199.90.10.36990 > 62.0.67.1.80: tcp 0
11:25:48.625828 IP 212.199.90.10.36994 > 62.0.67.1.80: tcp 0
LAN -
11:28:37.402013 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:40.404922 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:46.405093 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:58.416887 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:28:58.667985 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
11:29:01.415594 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:29:01.667845 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
11:29:07.413293 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:29:07.666085 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
I don't get any packets with Wireshark on the webserver either.
Windows firewall is disabled on the webserver and there is no firewall in between. -
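A quick way to read a sniffer dump like the one above: on the LAN side every packet goes from the client toward 192.168.30.5:80, the same client source port (37258, 37270, 37272) shows up three times about 3 s and then 6 s apart, and not one packet travels from 192.168.30.5 back to the client. That is what a TCP connect looks like when the SYN is forwarded but no SYN-ACK ever comes back through pfSense, so the forward itself is delivering packets and the problem sits on the server side (a host firewall, or a server whose default gateway is not pfSense so its replies leave by another path). The script below is an added example, not code from this thread or from pfSense; it parses the one-line sniffer format shown in the post and, for every client (IP, port), counts packets toward the server against replies from it and measures the retry gaps. The LAN capture lines are taken from the post; the two lines for client port 37300, which show a server that does answer, are constructed for contrast, and the server IP/port passed to the function are assumptions.

```python
import re
from collections import defaultdict

# One-line pfSense packet-capture / tcpdump format as pasted in the thread:
#   "11:28:37.402013 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)


def parse_line(line):
    """Return a dict for one capture line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "payload": int(m.group("len")),
    }


def ts_seconds(ts):
    """Convert 'HH:MM:SS.ffffff' into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze(lines, server_ip, server_port=80):
    """Group packets by client (ip, port) and report, per connection attempt,
    packets sent toward the server, packets seen coming back, and retry gaps."""
    flows = defaultdict(lambda: {"to_server": [], "from_server": []})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue  # skip blank lines or interface labels such as "LAN -"
        if pkt["dst"] == server_ip and pkt["dport"] == server_port:
            flows[(pkt["src"], pkt["sport"])]["to_server"].append(pkt["ts"])
        elif pkt["src"] == server_ip and pkt["sport"] == server_port:
            flows[(pkt["dst"], pkt["dport"])]["from_server"].append(pkt["ts"])

    report = {}
    for key, f in flows.items():
        t = [ts_seconds(x) for x in f["to_server"]]
        gaps = [round(b - a, 1) for a, b in zip(t, t[1:])]
        report[key] = {
            "attempts": len(f["to_server"]),
            "replies": len(f["from_server"]),
            "retry_gaps_s": gaps,
            "verdict": "server replied" if f["from_server"] else "no reply from server",
        }
    return report


def unanswered_clients(report):
    """Client (ip, port) keys that sent packets but never got anything back."""
    return sorted(k for k, v in report.items() if v["replies"] == 0)


# Sample capture: LAN lines from the post, plus a constructed healthy exchange
# (client port 37300) to show what a server that answers looks like.
SAMPLE_LAN_CAPTURE = """
11:28:37.402013 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:40.404922 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:46.405093 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:58.416887 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:28:58.667985 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
11:29:01.415594 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:29:01.667845 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
11:29:07.413293 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
11:29:07.666085 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
11:30:00.000000 IP 212.199.90.10.37300 > 192.168.30.5.80: tcp 0
11:30:00.000400 IP 192.168.30.5.80 > 212.199.90.10.37300: tcp 0
""".strip().splitlines()


if __name__ == "__main__":
    # Assumed server address: the web server IP from the post's NAT rule.
    result = analyze(SAMPLE_LAN_CAPTURE, server_ip="192.168.30.5", server_port=80)
    for (ip, port), info in sorted(result.items()):
        print(f"{ip}:{port}  sent={info['attempts']}  replies={info['replies']}"
              f"  gaps={info['retry_gaps_s']}  -> {info['verdict']}")
    print("clients never answered:", unanswered_clients(result))
```

Run the same function over the WAN capture with server_ip set to the external address (62.0.67.1) to confirm the requests are reaching the WAN at all; if a client shows attempts on WAN but nothing on LAN, the forward or its firewall rule is the problem rather than the server.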
Here is an update:
https://i.imgur.com/pezs341.png
These are the results from Wireshark. I created a new web server and NAT'd to it; I do get some packets in Wireshark, but I still get a timeout in my browser.
-
You know you can embed images here directly eh?
I'm not sure why you keep mentioning squid. Squid is a web proxy for LAN users going out. It can also be used as a reverse proxy, but a single guy at home with one web server doesn't really fall into the typical use case for a reverse proxy. I wonder if that may be the root of your problem. A straight port 80/tcp port-forward is usually the easiest thing in the world.