Azure simple Port Forwarding
-
Hi all,
I am new to pfSense. My Cisco ASA background is strong. I need to do a simple port forward and cannot get it to work.
I set up a pfSense appliance in Azure from the Azure Marketplace. I added a second NIC.
[Azure sets up a Public IP address which is not directly assigned to the first NIC. Azure creates an IP address and then
NATs it to the private IP address of the first NIC.]
So I have Public IP address > Private IP address > [pfSense] > 2nd NIC
where the second NIC is on either the same subnet as the WAN NIC or on a different subnet.
The port forward for this is 3389. I am logging a TCP SYN, but nothing after that. In a packet capture, I see the incoming
RDP requests and nothing going out.
I am using the instructions from the pfSense help pages and various blogs.
Is there anyone with Azure experience who can shed light on this?
-
Do you have WAN set to ignore private networks, which is the default? Your NAT won't accept traffic if the "Block private networks" option is enabled, which sounds like what might be happening in your case.
-
I have tried this setting both ways. The Azure appliance defaults to not blocking private IPs. I have only bogons blocked.
-
So you did a packet capture on the WAN interface?
Did you also do a packet capture on the LAN interface?
-
Honestly, I would not expect anything to traverse a firewall to another port without a complete TCP handshake. So no, I had not tried a packet capture on the LAN interface. I did just now, and nothing showed up.
-
I now have a SYN packet passing through the NAT rule to the LAN NIC. I am NATting to a Windows VM in Azure. I added Wireshark to that VM. The SYN packet never reaches the VM.
Also, I can ping the LAN NIC from the VM (I added a firewall rule), and I can ping the VM from the pfSense server using an SSH connection.
On the Azure VM network security group, I have opened access to anything from the Azure local vnet.
On the Azure VM, I have disabled the Windows Firewall.
On the pfSense LAN NIC, I have added a firewall rule to allow all TCP traffic. So it looks like the packets to be NATted are being blocked on the way out of the LAN NIC.
Any ideas? Anyone?
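Two Azure fabric settings that a pfSense appliance cannot change from inside the VM, and that commonly produce the symptom described above (a DNATed SYN leaves the LAN interface but never reaches the target VM, or the VM's SYN-ACK never comes back through pfSense), are IP forwarding on the pfSense NICs and the route the Windows VM uses to reply to the RDP client's public address. Azure drops packets a NIC emits with a source IP that is not its own unless "Enable IP forwarding" is set on that NIC, and a VM with only the default routes answers an Internet source via Azure's own 0.0.0.0/0 route rather than via pfSense. The checker below is an added example, not code from the thread, from pfSense or from Microsoft: it reads the JSON that `az network nic show` and `az network nic show-effective-route-table` emit and flags either condition. The sample JSON, NIC names, addresses and the `outbound_nat_on_lan` switch are constructed for illustration; whether these are the cause in the poster's setup is not established by the thread.

```python
"""Check the two Azure fabric settings that silently break a pfSense (NVA)
port forward: IP forwarding on the pfSense NIC, and the effective route the
target VM uses to answer the client.  Input is the JSON emitted by
  az network nic show --name <pfsense-lan-nic> -g <rg> -o json
  az network nic show-effective-route-table --name <vm-nic> -g <rg> -o json
All samples below are constructed; names and addresses are hypothetical."""
import ipaddress
import json
from typing import List, Optional

# Constructed sample: pfSense LAN NIC with IP forwarding at its default (off).
PFSENSE_LAN_NIC_JSON = """{
  "name": "pfsense-lan-nic",
  "enableIpForwarding": false,
  "ipConfigurations": [{"privateIpAddress": "10.0.2.4"}]
}"""

# Constructed sample: the Windows VM's effective routes with no UDR, so a reply
# to an Internet source leaves by Azure's default route and bypasses pfSense.
WINDOWS_VM_ROUTES_JSON = """{
  "value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"}
  ]
}"""

# Constructed sample: the same table after a user-defined route sends
# Internet-bound traffic to the pfSense LAN IP as a virtual appliance.
WINDOWS_VM_ROUTES_WITH_UDR_JSON = """{
  "value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.2.4"], "source": "User", "state": "Active"}
  ]
}"""


def nic_forwards(nic: dict) -> bool:
    """True when the NIC may emit packets whose source IP is not its own,
    which is exactly what a DNAT-only port forward produces on the LAN side."""
    return bool(nic.get("enableIpForwarding"))


def reply_route(routes: dict, client_ip: str) -> Optional[dict]:
    """Longest-prefix match over the Active effective routes for the address
    the VM will answer (the RDP client's public IP when pfSense does DNAT only)."""
    addr = ipaddress.ip_address(client_ip)
    best_len, best = -1, None
    for route in routes["value"]:
        if route.get("state", "Active") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and net.prefixlen > best_len:
                best_len, best = net.prefixlen, route
    return best


def diagnose(nic_json: str, routes_json: str, pfsense_lan_ip: str,
             client_ip: str, outbound_nat_on_lan: bool = False) -> List[str]:
    """Return the fabric-level problems found; an empty list means neither of
    the two settings checked here will drop the forwarded connection."""
    problems = []
    if not nic_forwards(json.loads(nic_json)):
        problems.append("ip_forwarding_off")
    # If pfSense also source-NATs on LAN (outbound NAT), the VM replies to the
    # pfSense LAN IP, which is VnetLocal, so the VM's default route is irrelevant.
    if not outbound_nat_on_lan:
        route = reply_route(json.loads(routes_json), client_ip)
        via_pfsense = (route is not None
                       and route["nextHopType"] == "VirtualAppliance"
                       and pfsense_lan_ip in route["nextHopIpAddress"])
        if not via_pfsense:
            problems.append("reply_bypasses_pfsense")
    return problems


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed RDP client address (TEST-NET-3)
    print(diagnose(PFSENSE_LAN_NIC_JSON, WINDOWS_VM_ROUTES_JSON, "10.0.2.4", client))
    print(diagnose(PFSENSE_LAN_NIC_JSON, WINDOWS_VM_ROUTES_WITH_UDR_JSON, "10.0.2.4", client))
```

The first condition matches the capture described in the thread (SYN seen leaving the LAN NIC, nothing arriving at the VM) and is fixed on the Azure side, not in pfSense; the second only shows up once the SYN gets through, as a VM that receives the SYN but whose SYN-ACK never returns via pfSense, and is fixed either with a UDR on the VM's subnet or by adding an outbound NAT rule on the pfSense LAN interface.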