NATting with Manual Outbound NAT not working
-
Hello all, I have the following pfSense with these IPs configured:
- WAN: 51.x.x.x
- LAN: 192.168.13.1
What I am trying to do is to just NAT ports 80/443 as follows:
51.x.x.x:80 -> 192.168.13.72:10080
51.x.x.x:443 -> 192.168.13.72:10080
Here is the configuration I have done until now in the Port Forward section:
The pfSense is using Manual Outbound NAT (with Automatic Outbound NAT in my test environment all was working as expected), but as far as I can understand, the needed rules are there:
Here are the firewall rules that are automatically generated from the Port Forward rules:
The problem is, when I go to 51.x.x.x:80 or 51.x.x.x:443 it does not seem to work (I get an ERR_CONNECTION_TIMED_OUT in my browser), so I am missing something for sure.
Also, I do confirm that there is a service listening on http://192.168.13.72:10080/
As a side note, here is the Manual Outbound NAT info:
I have no clue at the moment, any help is very welcome, thanks!!!
-
Ensure that 192.168.13.72 has the pfSense LAN address set as default gateway.
Everything else seems to be fine on pfSense. So either there is nothing arriving on your WAN or the LAN device blocks the access from outside.
No idea what your first outbound NAT rule on the LAN interface is good for, however it shouldn't have any impact in this scenario.
-
@viragomann said in NATting with Manual Outbound NAT not working:
Ensure that 192.168.13.72 has the pfSense LAN address set as default gateway.
Yup:
[root@xxx ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 51.y.y.y 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.13.1 0.0.0.0 UG 0 0 0 eth1
[root@frontend-prod ~]# ip a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 51.z.z.z/32 brd 51.68.94.178 scope global noprefixroute dynamic eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.13.72/24 brd 192.168.13.255 scope global noprefixroute eth1
Everything else seems to be fine on pfSense. So either there is nothing arriving on your WAN or the LAN device blocks the access from outside.
I have found that the WAN interface is in DHCP, while in my test environment it has a static IP, could this be the issue?
No idea what your first outbound NAT rule on the LAN interface is good for, however it shouldn't have any impact in this scenario.
I have no idea as well, it should be for the OpenVPN clients, but this is a configuration I have inherited, and, of course, no documentation...
-
The machine has two default gateways? And one interface in the WAN and one in the LAN?
That won't work well at all.
-
So you suggest to remove the eth0, correct?
Also, what about the WAN interface in DHCP? Does it matter at all?
Thanks!
-
@mystic_sage said in NATting with Manual Outbound NAT not working:
So you suggest to remove the eth0, correct?
At least the gateway.
No idea why this machine has an interface in the WAN. But if you only aim to permit access from the internet through pfSense you don't need it and so you can delete it.
@mystic_sage said in NATting with Manual Outbound NAT not working:
Also, what about the WAN interface in DHCP? Does it matter at all?
That doesn't matter. If it's in DHCP mode and you have its IP you can access it.
-
You are 100% correct sir! That was the problem indeed, thanks for pointing that out!
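
Added example, not part of the thread: a small check for the condition that caused the timeout here, a port-forward target with more than one default route, so replies can leave through another interface instead of returning via pfSense. The sample routing table is constructed from the output posted above (the WAN gateway is replaced with a documentation address), the function names are hypothetical, and since `netstat -rn` shows no metrics the first listed default route is assumed to be the preferred one.

```python
import ipaddress

# Constructed sample modeled on the `netstat -rn` output in the thread.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
0.0.0.0         192.168.13.1    0.0.0.0         UG        0 0          0 eth1
192.168.13.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""


def default_routes(netstat_text):
    """Return [(gateway, iface), ...] for every default route, in table order."""
    routes = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # title line or blank line
        try:
            dest, gw, mask = (ipaddress.IPv4Address(x) for x in fields[:3])
        except ValueError:
            continue  # column header line
        # A default route is 0.0.0.0/0.0.0.0 with the G (gateway) flag set.
        if int(dest) == 0 and int(mask) == 0 and "G" in fields[3]:
            routes.append((str(gw), fields[-1]))
    return routes


def check_return_path(netstat_text, firewall_lan_ip):
    """List findings that let replies to forwarded traffic bypass the firewall."""
    routes = default_routes(netstat_text)
    findings = []
    if not routes:
        findings.append("no default route")
        return findings
    if len(routes) > 1:
        listed = ", ".join(f"{gw} via {iface}" for gw, iface in routes)
        findings.append(f"multiple default routes: {listed}")
    # Assumption: the first listed default route is the one the host prefers.
    if routes[0][0] != firewall_lan_ip:
        findings.append(
            f"first default route uses {routes[0][0]}, not {firewall_lan_ip}")
    return findings


if __name__ == "__main__":
    for finding in check_return_path(SAMPLE, "192.168.13.1"):
        print("WARNING:", finding)
```

On the real host, pass the text of `netstat -rn` and the pfSense LAN address; an empty result means the only default route points at the firewall.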