Just getting started question
-
This might be a NAT question but I'm not sure I have everything set up right. I'm VERY new to pfSense and just set up a lab in VMWare.
I have 3 VMs
- pfSense with 2 NICS. and DHCP running pool (192.138.2.10-200)
WAN (em0) DHCP pulling from my LAN -getting192.168.1.68/24
LAN (em1) Static 192.168.2.1/24 (on VMWare LanSegment "Lab" - Windows DHCP from pfSense 192.168.2.50 running IIS on "Lab"
- Kali DHCP from pfSense 192.168.2.51 running SSH server on "Lab"
Windows and Kali can ping the real world. I can access IIS from Kali and SSH Kali from windows.
I wanted to open SSH to my Kali and 80 to IIS from my pfSense WAN to LAN so I created 2 NAT rules
-
NAT for Win7 Website
Interface: WAN
Protocol: TCP
Destination: LAN Address
Dest port from HTTP to HTTP
Redirect IP 192.168.2.50
Redirect port HTTP
-- and "Add associated filter rule" which I think means make the Firewall rule automatically. -
SSH to Kali
Interface: WAN
Protocol: TCP
Destination: LAN Address
Dest port from SSH to SSH
Redirect IP 192.168.2.51
Redirect port SSH
& "Add associated filter rule"
The 2 automatic firewall rules look right
Pass, WAN, TCP, any, 192.168.2.50 HTTP HTTP
Pass, WAN, TCP, any, 192.168.2.51 22, 22From the WAN interface (my home network) I can not access IIS on 192.168.1.68 or SSH on 192.168.1.68
pfSense Test port from WAN to 192.168.2.51 22 fails.
The firewall system log is confusing. I don't see anything from my desktop 192.168.1.36 (the machine that has VMWare running).
I do keep seeing over and over WAN 192.168.1.99:##### which is the last address of my home network LAN DCHP pool??Did I miss something? Is there some logging I'm missing or need to turn on?
Thanks for any input or feedback.
Mike
- pfSense with 2 NICS. and DHCP running pool (192.138.2.10-200)
-
The destination on the port forwards should be the WAN address (or a VIP in WAN).
You will then access the internal resources using the pfSense WAN IP from the WAN side subnet.
Steve
-
@stephenw10 That makes sense. But it still does not work. Just to be safe, I built an entire new lab on my work machine. Same thing.
I turned on logging for the firewall rule that was automatically generated by this NAT rule. I then tried to access the Linux box over SSH the connection times out but there are no logs relating to this event.
I found this troubleshooting guide:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.htmltried enabling NAT reflection. No change.
Checked the states - none listed.
Did a packet capture and when sourcing the WAN interface and port 22, got no results. To be thorough I watched the LAN side and tried again. Nothing.
So I did a tcpdump, tried again but don't see anything when I filter on port 22. I'm using putty to ssh from my host. I'm at a loss, but it looks more like an issue with VMWare.I'm going to build a mini PC and try this with physical hardware.
Mike
-
@mgideon said in Just getting started question:
DHCP pulling from my LAN -getting192.168.1.68/24
So, implicity, I say : you have also an upstream ISP router. The one from where pfSense is pulling the RFC1918 IP 192.168.1.68/24 'WAN' IP. Pretty sure that your ISP doesn't give you such an IP.
What about the NAT rules in that upstream router ?
@mgideon said in Just getting started question:
80 to IIS
Not related but : port 80 web serving exists for local debugging at best.
The Internet shifted to port 443. Also known as 'https'.
You'll see : in the nearby future browsers start to warn and refuse port 80 (http) requests.
..... and then the yell that the cert proposed by the web server is signed by a known guy .... admins keep on learning forever ... -
If you don't see traffic arriving on the WAN to port 22 in a pcap then it's never going to work. That means either the client is not sending it or it's being filtered in the hypervisor as you suggested.
Steve
-
@gertjan This is a all in VMWare on my home PC. I do have a DHCP server at my house. This is where the 192.168.1.68 for my WAN interface is coming from.
Thanks for the information on SSL/TSL. I picked 80 because it is just a internal VM and it was easy to setup by installing IIS on one of those VMs.