New User Help! Azure Pfsense, I Can't See Website
-
Bump
-
Hmm, well if you are hitting the redirect to port 443 then your traffic is not matching the port forward.
Check the state table when you try to connect to the virtual IP. What states are open to that? If the source correct?
You should probably not have a gateway on LAN. Doing so will cause pfSense to NAT the traffic outbound there to the LAN IP. If you have to have that, because it's dhcp, switch to manual outbound NAT mode and remove the NAT rules on LAN.
Steve
-
@stephenw10
Thank you for the replyStrange, it is showing the traffic I expected on the states table minus the redirect. I was expecting a destination of 192.168.0.15 then traffic gets redirected to 192.168.2.4. In the states table traffic is coming in from my public IP x.x.x.x to destination 192.168.0.15 and it is not getting redirected to 192.168.2.4. It shows to be connected on port 80 in the states table. I replaced the three octets with x for privacy on the public IP:
States:
Also, I changed the LAN interface from DHCP to static, added the IP 192.168.1.4, and removed the gateway.
-
Ah, it's probably not matching because your port forward rule is set to catch traffic with destination 52.x.x.x. But by the time it reaches pfSense it has been forwarded by Azure to 192.168.0.15 so that needs to be the destination in the pfSense rule.
Steve
-
It is now redirecting correctly, 192.168.2.4 :80 (192.168.0.15) <--(Original Destination), but I am not getting any traffic through:
Here are my two rules to permit traffic on port 80 in Pfsense:
Here are my Inbound Rules in Azure, same Network Security Group, different NICs (I double checked this):
-
Local firewall on the server blocking it? There are zero bytes coming back there.
Steve
-
I added an Inbound rule to the firewall but it still didn't allow me to see the website.
I tried removing the local firewall completely, but I was unable to see the site. I removed the Public IP from the Pfsense NIC associated to IP 192.168.0.15 and placed it directly on the Website NIC in Azure192.168.2.4 and turned the firewall back on and was able to see the site but it is not going through Pfsense anymore :(
I am removing the association and putting it public IP back on the Pfsesense NIC IP with 192.168.0.15
Here are my firewall rules on Pfsesense and Azure:
Here are my two rules to permit traffic on port 80 in Pfsense WAN interface ( I have not added any rules to the LAN interface):Here are my Inbound Rules in Azure, same Network Security Group, for all NICs (I double checked this):
-
Is the server using the pfSense LAN as it's default gateway? Or being routed there by Azure?
Without that the server may be replying directly and you get out of state TCP blocks. (asymmetric routing)
Steve
-
@stephenw10
I don't think it is. Is the best way to do that by changing the NIC adapter settings or should I make a static route in Azure?
-
Better to route it in Azure otherwise you have to add that to all VMs there. It;s unclear if you actually have two subnets there though. It looks like you might just be using "Azure Network Space: 192.168.0.0/22". That could make the routing difficult, you might have to static route on the server.
Steve
-
@stephenw10
I made three subnets out of a possible four from the address space 192.168.1.0/22.
192.168.0.x/24
192.168.1.x/24
192.168.2.x/24
I felt that it might be a good idea so I can later add a static route if necessary :)I tried adding a route to Azure: Address Prefix: 192.168.0.0/24 Next Hop: 192.168.1.4 Associated Subnet: 192.168.2.0/24, but I had no luck
I added static route in cmd route add -p 192.168.0.0 MASK 255.255.255.0 192.168.1.4, but still nothing :(
I even tried it after killing the session states
-
The route you need to add is 0.0.0.0/0 via 192.168.1.4. That will allow the server to route back to any external client via pfSense.
But you need to apply that to only devices in 192.168.1.0/24 and you might not be able to do that in Azure unless you really have separate subnets.
Steve
-
I went ahead and tried it anyway, it being add the VM to the 192.168.1.0/24 subnet. I made the VM IP 192.168.1.5 and tried creating a static route via cmd for 0.0.0.0 MASK 0.0.0.0 192.168.1.4. It didn't seem to work. I tried it in Azure as a static route but I found that Azure can only route between different subnets.
Sorry, I am so confused :( ??? Why does the LAN interface subnet need to contain the website VM? Azure will not let me route through that 192.168.1.4 IP if my VM is in the same subnet (192.168.1.5)
-
Replies from the server must go back through pfSense. Otherwise the firewall will only see part of the TCP conversation and will block out of state packets. Check the firewall log.
The only other way to do it is to NAT the traffic as it leaves LAN so the server replies back to that directly as it's in the same subnet.
Steve
-
@stephenw10
Holy Moley! That worked! You are the best, thank you!!! Switching IPs to the same subnet as the LAN then creating route 0.0.0.0/0 next hop 192.168.1.4 to subnet 192.168.1.0/24 in Azure worked like a charm!Thanks again! :)
-
No worries.
