Netgate Discussion Forum
    NAT on Local side

NAT
14 Posts 2 Posters 755 Views

KOM
last edited by KOM

It sounds like you're doing it right. Here is a guide for how to redirect DNS to pfSense. Different ports & protocols, but the basics still apply.

https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

Test it with a packet capture running and see what's going in and going out of the pfSense LAN interface.

meluvalli @KOM
last edited by

:( Ok. Well, that's actually the guide I based it off of to set it up originally. I even have NAT Reflection disabled on it like the guide says.

I will try and look at packet capturing, but I'm not sure that will do much because it'll just say my client is going out to the address of the webpage I'm accessing.

KOM
last edited by

If you don't know what's going on then a packet capture is the only way to find out; otherwise you're just guessing and scratching your head.

Post a screenshot of your LAN rules page.

meluvalli
last edited by

Here are the packets.

09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:27.869606 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
09:30:28.031529 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:28.039424 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460
09:30:28.040341 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460

meluvalli
last edited by meluvalli

LAN.png

KOM
last edited by

Change your Source port from 80 to * in your NAT rule. Source ports are random and dynamically assigned.

meluvalli
last edited by meluvalli

Made a little progress with that change... But still no go. Now I can't get out at all on port 80. Even if I go to a command prompt and try to telnet, it's like the port isn't open...

I tried: telnet www.google.com 80

Packets captured:
10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
10:19:46.899654 ARP, Reply 10.40.162.1 is-at 00:15:5d:a2:5a:07, length 28
10:19:51.368321 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:51.368371 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0

I also confirmed I can telnet into 10.40.162.94 808. This works. So, I know it's something with the route still.

Also, FYI, I verified I can telnet www.google.com 80 from my Proxy machine. That works, so I know the proxy can still get out :)

KOM
last edited by

The redirect is working according to your capture. Did you change the Source from * back to !10.40.162.94?

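A script that applies the same reading of the two captures, added here as an example and not code from the thread or from pfSense: it parses tcpdump-style capture lines, groups them per client flow, and reports whether each port-80 connection was rewritten to the proxy and whether any reply came back on the LAN. The proxy address 10.40.162.94:808 and the sample lines are taken from the captures posted above; the verdict strings are my own labels.

```python
import re
from collections import defaultdict

# Constructed samples: trimmed copies of the two LAN captures posted in the thread.
BEFORE_FIX = """\
09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
"""
AFTER_FIX = """\
10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
"""
LINE_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+): tcp \d+$")

def parse(capture):
    """Yield (src, sport, dst, dport) for IP/TCP lines; ARP and other lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def check_redirect(capture, proxy_ip, proxy_port, service_port=80):
    """Per client flow (src, sport): count packets to the real server on service_port,
    packets the port forward rewrote to proxy_ip:proxy_port, and replies seen on the LAN.
    The LAN capture shows both the pre-NAT and the post-NAT copy of each client packet."""
    flows = defaultdict(lambda: {"to_server": 0, "to_proxy": 0, "from_proxy": 0, "from_server": 0})
    for src, sport, dst, dport in parse(capture):
        if src == proxy_ip and sport == proxy_port:      # proxy answering a client
            flows[(dst, dport)]["from_proxy"] += 1
        elif sport == service_port:                       # real server answering a client
            flows[(dst, dport)]["from_server"] += 1
        elif dst == proxy_ip and dport == proxy_port:     # post-NAT copy: the rule matched
            flows[(src, sport)]["to_proxy"] += 1
        elif dport == service_port:                       # pre-NAT copy of the client's packet
            flows[(src, sport)]["to_server"] += 1
    report = {}
    for (ip, port), c in flows.items():
        if c["to_proxy"] == 0:
            verdict = "not redirected"        # rule never matched, e.g. wrong source port
        elif c["from_proxy"] == 0:
            verdict = "redirected, no reply"  # NAT fired; look at the proxy side next
        else:
            verdict = "redirected and answered"
        report[f"{ip}:{port}"] = dict(c, verdict=verdict)
    return report
```

Run it against a fresh capture from Diagnostics > Packet Capture on the LAN interface; a flow that stays "not redirected" points at the rule, while "redirected, no reply" means pfSense did its part.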
meluvalli @KOM
last edited by

Yes. I never changed the Source IP, only the Source port. Source port is now *. Source IP is still !10.40.162.94.

KOM
last edited by

I don't know what your other system is doing, but the NAT is working as expected. Time to look at it from the proxy's perspective.

meluvalli
last edited by

Ok. I will play more with it! I really appreciate your help!

I'm confused because if I manually set my proxy on my machine to 10.40.162.94, it works. So I know the proxy is functional.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.