SG3100 Single WAN NAT Issues.
-
Hi Folks,
It is more than likely a lack of knowledge. I am trying to set up a bunch of NAT rules. They do not appear to be working. I don't think it is the same as the dual WAN issue.
Single WAN port (DHCP from ISP)
Two VLANS are configured
LAN - 172.30.30.1/24 (Wired & Wireless)
WiFiGuest - 172.30.32.1/24
I have over 20 rules under Firewall - Rules
So a simple rule is my Telnet rule
Source *
Port 23
Destination 172.30.30.40
Port 23
Gateway *
Queue nine
Description Special-Telnet
There may be some other settings that I have missed. Please tell me what I'm missing or how to fix it.. I'm very new to the Netgate/pfSense world.. I appreciate the help troubleshooting.
Will
-
@wc2l Source port should be any, it's a random port.
-
Isn't that what * means?
I forgot to mention that I am running 21.2 Release
Will
-
Source *
Port 23 <<<< Source port should be any
Destination 172.30.30.40
Port 23
Gateway *
Are you trying to reach this server from WAN, or from WIFIGuest?
If you are coming from WAN, you should use the port forward tab.
If you are coming from another VLAN, you don't need NAT, just a firewall rule.
-
@mcury
Thank you. I will try that shortly.. Edit: the rule didn't seem to work. Mostly from the WAN (occasionally from the other VLAN). The server has a DDNS address that should get resolved.
Do you use DNS Forwarder or Resolver? Any setting suggestions?
TNX Will
-
From the WAN, just create a port forward, and this will generate a firewall rule automatically.
From another VLAN, just create a firewall rule allowing VLANX to reach the LAN server port 23, no NAT or port forward required.
The source port is random, so source port should be any.
I use DNS Resolver, with the setting DNS Query Forwarding disabled.
I like this way because I'm querying the root servers directly, and my queries are being cached by DNS Resolver.
One important thing to say is that leaving port 23 open is not a good idea. I would suggest using SSH with a key, disabling passwords.
Or, even better, use a VPN.
-
@mcury
When I set it to any, it stopped altogether. More homework ahead
-
@wc2l said in SG3100 Single WAN NAT Issues.:
@mcury
When I set it to any, it stopped altogether. More homework ahead
Can you elaborate on it?
-
@mcury My whole internet stopped..
Support told me to also get off of 21.02. I had sent an email.
Maybe I should start by going through the documentation again..
See what I missed :-(
-
@wc2l hm, you probably hit a bug that is happening in the sg-3100 with the 21.02 version..
More info:
https://forum.netgate.com/topic/160959/21-02-sudden-lockup/16?_=1614207358882
https://reviews.freebsd.org/D28821
https://redmine.pfsense.org/issues/11444
https://forum.netgate.com/topic/160969/upgrade-to-21-02-release-borked-on-sg-3100
The 'any' in source port wouldn't cause an outage.
There is a workaround that minimizes the chance of hitting the bug, but it does not eliminate the chance, if you don't want to downgrade back to 2.4.5p1.
-
@mcury
I appreciate your help!! You got me on the right track!! I was able to find a couple of links on what I did wrong.. It was very close!! I have the most important rules working.
To keep the network more secure, should I also include pfBlocker? I see that is similar to the blacklist. I have the last 4 firewall log entries up.. neat to see what hits your router!
Now I have to figure out why I can't get to things locally via the DDNS names (hairpinning). I also can't get to the WEB server from one PC to another here in the house. I have created a backup of my configuration.. I will also keep this memstick version as a backup..
TNX Will
-
@wc2l said in SG3100 Single WAN NAT Issues.:
To keep the network more secure, should I also include pfBlocker? I see that is similar to the blacklist. I have the last 4 firewall log entries up.. neat to see what hits your router!
Sure, but not with 21.02, at least not yet.
pfBlockerNG will force a firewall rules reload, and this will greatly increase the chances of triggering the bug mentioned earlier.. If I were you, I wouldn't enable it at this moment.
Wait a little bit, Netgate is working on it.
Now I have to figure out why I can't get to things locally via the DDNS names (hairpinning). I also can't get to the WEB server from one PC to another here in the house. I have created a backup of my configuration.. I will also keep this memstick version as a backup..
You could use split DNS, in DNS Resolver, create a host override for the DDNS, and make sure people are using pfsense's DNS server.
I also can't get to the WEB server from one PC to another here in the house.
Is the WEB server in the same subnet as the this PC?
If not, you would need to create a firewall rule to allow this access, usually on port 80 or 443.
I have created a backup of my configuration.. I will also keep this memstick version as a backup..
Always a good idea
-
@mcury This work stuff keeps getting in the way of more fun stuff. I would rather learn more of this!!
They had me back rev to 2.4.5-RELEASE-p1. I think there may have been an issue with my setup as well. But it seems strange that I got it all up and running pretty quickly!
I honestly don't understand the split DNS. I have seen it mentioned.
So for me, I want the WAN/LAN/GuestWiFi to be able to resolve the DDNS name of my server. I don't care if it is telnet/http/https etc. There is also some other stuff that I would like routed if using the IP or DDNS name.
I have like 2-4 IP addresses with different ports that get addressed.
-
Split DNS, let me try to explain it to you. I have never been a good person to explain things, but let me try..
Let's assume that:
Your computer is using pfsense's DNS server, or any other DNS server that you manage there inside your network.
There, in the DNS server, you create a host override like this, for example:
www.example.com - 172.30.30.40
So, computers that are using this DNS server, when they go to www.example.com, will get the 172.30.30.40 IP address, which is an inside IP address inside your network.
Users on the Internet will use their own DNS, like Google for example.
This Google DNS will still provide them the DDNS IP address, in this case your WAN, so they can reach your port forward and reach the WEB server, or any other server you configured.
INTERNET -> Public DNS - Resolve to your DDNS - Go to your WAN IP.
Your subnets -> Local DNS - Resolve to your local IP - Go directly to the server.
-
@mcury I think I get it..
So Services / DNS Resolver / Access Lists
Access name: www.example.com
Action Allow
Description Example
Networks 172.25.25.1/24
Not sure how I would be able to tell some services to go to one location and other services to another location.
-
Services > DNS Resolver > Host Overrides (at the bottom).
Not in access lists.
@wc2l said in SG3100 Single WAN NAT Issues.:
Not sure how I would be able to tell some services to go to one location and other services to another location.
Can you elaborate about it ?
-
@mcury Of course I can...
172.30.30.40 - 23, 80, 88, 443, 13064, 11111.
172.30.30.30 - 223, 18080, 5095, 13010
17230.30.50 - 13064,
I think that explains it ;-) There are some more.. Those were just some examples of what is happening
-
@wc2l said in SG3100 Single WAN NAT Issues.:
172.30.30.40 - 23, 80, 88, 443, 13064, 11111.
172.30.30.30 - 223, 18080, 5095, 13010
17230.30.50 - 13064,
Well, if I understood correctly, you have a few services running..
Speaking about port 23 in host 172.30.30.40 in this example:
If you set a port forward like this:
Note: I don't recommend having ports open to the Internet, due to security concerns.
Source *
Port 23 <<<< Source port should be any
Destination 172.30.30.40
Port 23
Users would telnet to your DDNS name, reach your WAN on port 23, and be forwarded to your server 172.30.30.40 on port 23 (Remember that source port should be any).
The same applies to all your servers mentioned in your last post.
One thing to note here is that you have two servers running the same port 13064.
In this case, you would have to either change the port forward from outside, let's say to 13065,
or change the port that the service is running on and mirror that on the port forward.
-
@mcury The twin port #s was a mistake.. I was just making a quick example. So if I switch the WAN Source port from any to a defined port will work? I still need to add the DDNS info to the Resolver portion so things work internally and externally
-
@wc2l said in SG3100 Single WAN NAT Issues.:
So if I switch the WAN Source port from any to a defined port will work? I still need to add the DDNS info to the Resolver portion so things work internally and externally
The source port should always be 'any'; only in very rare cases can you define a source port.
Your OS is responsible for generating a random source port every time a connection starts.
What doesn't change is the destination port.
Remember, the source port is generated randomly, so you can't guess what it's going to be.
-
@mcury I know you said that in the beginning.. So all of my rules have been applied.
So if I define "ddns.example.com" in the DNS Resolver Access List
Port 23 will always go to 172.30.30.40
Port 223 will always go to 172.30.30.30
Using all of our examples above
-
@wc2l said in SG3100 Single WAN NAT Issues.:
So if I define "ddns.example.com" in the DNS Resolver Access List
Port 23 will always go to 172.30.30.40
Port 223 will always go to 172.30.30.30
DNS Resolver Access List? No, that is not what I said.. read it again, DNS Resolver > Host override at the bottom of the page...
Telnet uses port 23, if you are coming from the Internet, and you telnet to your ddns.example.com, the port forward will forward that connection to 172.30.30.40 as defined in the port forward configuration.
You can telnet to another port, like 223, telnet ddns.example.com:223, and the same will happen, just create another port forward but now using port 223, and forward that to 172.30.30.30
-
@mcury I have the port/IP rules applied.. I missed the host override!
So can I assign more than one IP address to a ddns.example.com?
On the LAN, if I assign ddns.example.com to 172.30.30.40, the ports assigned to 172.30.30.50 would be unknown? Just checking
-
DDNS is public, how many public IPs do you have?
Do you know that 172.16.0.0/12 is not reachable through the Internet?
So, the DDNS will have your public IP address, which is your Internet IP address.
The connections will reach your Internet IP address, and then the port forward will forward the connection to 172.30.30.40, or 172.30.30.50.
Port forward1:
Source any
Source port any
Destination Public IP (Your WAN IP, the IP your ISP gives to you, which is the DDNS IP).
Destination port 23
Forward to 172.30.30.40 on port 23 or any other port that telnet may be running on if you changed it.
Port forward2:
Source any
Source port any
Destination Public IP (Your WAN IP, the IP your ISP gives to you, which is the DDNS IP).
Destination port 223
Forward to 172.30.30.50 on port 223.
-
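The port forwards described in this post, and the "from another VLAN you only need a firewall rule" point made earlier, written out as plain pf.conf rules. This is an added illustration, not the thread's configuration and not the ruleset pfSense generates from its GUI; the interface names are placeholders and the 13065 outside port is the renumbering suggested above.

```conf
# Added example (hand-written pf.conf, not pfSense's generated rules).
wan_if     = "mvneta2"      # placeholder: substitute the real WAN interface
guest_if   = "mvneta1.32"   # placeholder: substitute the WiFiGuest VLAN interface
telnet_srv = "172.30.30.40"
other_srv  = "172.30.30.50"

# WRONG: "Port 23" in the Source column of the original rule becomes
# "from any port 23". The client's source port is a random ephemeral
# port, so this rdr almost never matches and the forward looks dead.
# rdr pass on $wan_if proto tcp from any port 23 to ($wan_if) port 23 -> $telnet_srv port 23

# RIGHT: source unconstrained ("from any"), only the destination port is
# fixed. ($wan_if) in parentheses follows the DHCP-assigned WAN address.
rdr pass on $wan_if proto tcp from any to ($wan_if) port 23  -> $telnet_srv port 23
rdr pass on $wan_if proto tcp from any to ($wan_if) port 223 -> $other_srv  port 223

# Two services on the same inside port (13064 in the thread) cannot share
# one outside port: give the second a different outside port and rewrite
# it. Caveat: split DNS then breaks for that service, because LAN clients
# resolving the name internally connect straight to :13065, where nothing
# listens (the external and internal ports must match, see the docs quote).
rdr pass on $wan_if proto tcp from any to ($wan_if) port 13065 -> $other_srv port 13064

# WiFiGuest -> LAN server: no NAT involved, a plain filter rule suffices.
# The "rdr pass" above already admits the forwarded WAN traffic.
pass in quick on $guest_if proto tcp from 172.30.32.0/24 to $telnet_srv port 23
```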
@mcury My Public IP address is issued from the ISP. It is a 64.248.xxx.xx
example.com is hosted by WEB Hosting company
ddns.example.com is at my home hosting an amateur radio hobby server that people connect to from around the world.
I also operate my station remotely (hardware control). I also have friends ask to operate the station.
My LAN network is similar to 172.30.30.1/24; my guest WiFi is 172.30.32.1/24. I know these are non-routable IP addresses. I wanted to be off the beaten path.
I have the rules set up the way that you have described to a T!! I know from the Internet (Public), the port forwarding will work perfectly!
You said that if I place ddns.example.com in the "Host override" people will be able to get to the services on 175.30.30.40, but what happens if I try to get to ddns.example.com:18080 on 172.30.30.30
-
@wc2l said in SG3100 Single WAN NAT Issues.:
You said that if I place ddns.example.com in the "Host override" people will be able to get to the services on 175.30.30.40, but what happens if I try to get to ddns.example.com:18080 on 172.30.30.30
The "Host override" is part of the Split DNS.
It's just for devices inside your network, to resolve the internal IP address directly.
Destination ddns.example.com at port 18080 will resolve to 172.30.30.30 port 18080, no need to port forward or anything.
People on the Internet won't use the "Host override", because they are using another DNS server.
Destination ddns.example.com at port 18080 will resolve to 64.248.xxx.xx port 18080.
Your pfSense will receive that packet on port 18080, and then the port forward will work, forwarding the traffic to your internal server.
-
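What the Host Overrides entry from the split DNS explanation earlier in the thread amounts to in Unbound's own syntax (pfSense's DNS Resolver is Unbound and writes an equivalent entry from the GUI). This is an added illustration, not the thread's or pfSense's generated file; radio2.example.com is a hypothetical second hostname.

```conf
# Added example: hand-written Unbound configuration for the split DNS
# host override, not the file pfSense generates.
server:
    # LAN and WiFiGuest clients that use pfSense as their DNS server get
    # the private address; public DNS still answers with the WAN IP.
    local-data: "ddns.example.com. IN A 172.30.30.40"

    # Caveat: a name resolves to exactly one address and DNS knows nothing
    # about ports, so ddns.example.com:18080 also lands on 172.30.30.40,
    # not 172.30.30.30. A service on another internal host needs its own
    # name (hypothetical here), overridden the same way.
    local-data: "radio2.example.com. IN A 172.30.30.30"

    # Only these names are overridden. Unbound creates an implicit
    # transparent zone for them, so www.example.com (hosted elsewhere)
    # still resolves from the Internet as usual.

    # Optional reverse entries, useful when reading the firewall log.
    local-data-ptr: "172.30.30.40 ddns.example.com"
    local-data-ptr: "172.30.30.30 radio2.example.com"
```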
@mcury I was just told that all I had to do is "Enable NAT Reflection for 1:1 NAT and Enable automatic outbound NAT for Reflection are set"
I did this and now it works! All of the other stuff appears to be working. Now I can look at pfBlocker at some point. Let me see how things go for a bit. I
-
This is considered a "hack". I tried to show you the recommended way to do it.. But somehow I failed to explain, or you failed to understand, not sure what happened.
But hey, if it's working and you are happy, who am I to say otherwise.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
NAT Reflection Caveats
NAT reflection is a hack as it loops traffic through the firewall when it is not necessary. Because of the limited options pf allows for accommodating these scenarios, there are some limitations in the pfSense NAT + Proxy reflection implementation. Port ranges larger than 500 ports do not have NAT reflection enabled in NAT + Proxy mode, and that mode is also effectively limited to only working with TCP. The other modes require additional NAT to happen if the clients and servers are connected to the same interface of the firewall. This extra NAT hides the source address of the client, making the traffic appear to originate from the firewall instead, so that the connection can be properly established. Split DNS is the best means of accommodating large port ranges and 1:1 NAT. Maintaining a split DNS infrastructure is required by many commercial firewalls even, and typically isn't a problem.
Split DNS
A preferable alternative to NAT reflection is deploying a split DNS infrastructure. Split DNS refers to a DNS configuration where, for a given hostname, public Internet DNS resolves to public IP address, and DNS on the internal network resolves to the internal, private IP address. The means of accommodating this will vary depending on the specifics of an organization's DNS infrastructure, but the end result is the same. NAT reflection is not necessary because hostnames resolve to the private IP addresses inside the network and clients can reach the servers directly. Split DNS allows servers to see the true client IP address, and connections between servers and clients in the same subnet will go directly, rather than unnecessarily involving the firewall. The only case that does not work properly with split DNS is when the external and internal port numbers are different. With split DNS, the port number has to be the same in both places.
-
@mcury OK well interestingly, the Guest WiFi may have stopped working. I need to figure out what caused it..
I can go back and uncheck it.. I will set the host over-ride. I'm a newbie and learning slowly.. If there was a way we could do this together would save some time ;-)
-
@wc2l said in SG3100 Single WAN NAT Issues.:
@mcury OK well interestingly, the Guest WiFi may have stopped working. I need to figure out what caused it..
I can go back and uncheck it.. I will set the host over-ride. I'm a newbie and learning slowly.. If there was a way we could do this together would save some time ;-)
Sure, I like to help.. why not? Also, my life has been destroyed by this pandemic, so I'm the one who is being helped by you.
What are your doubts?
-
@mcury lack of my skills.. This is a new world to me ;-)
OK, It appears that the guest WiFi VLAN has stopped working. My LAN WiFi is working. I didn't think that anything I did would have affected the Guest WiFi (using my phone as a test unit).
Not going to last too much tonight. I'm early riser. If you want, you can always email WC2L at YCCC dot ORG. I'm guessing most of this a couple of check marks somewhere. Will
-
@mcury Since we setup the split DNS, is there something I need to do to get the guest WiFi to work again?? I can't seem to get to the Internet, ddns.example.com or pretty much anything.. It is handing out DHCP from the SG3100. I'm guessing it is a routing issue. Just don't know how to address it.
-
Show some screenshots of your config.
And no, split DNS wouldn't cause internet outage.
-
@mcury
Not sure what screens you want to see.
-
@wc2l Can users in this guest WiFi ping 8.8.8.8?
-
@mcury NOPE
-
@wc2l Are these users getting IP address from the DHCP?
-
@mcury Yes.. I just connected a Surface to the Guest WiFi..
It got the expected IP address
-
@wc2l Ok, it was working before? Problem started with the host override inside DNS Resolver?
Try to remove the host override and try again.
-
@mcury no change
Both ways show that DNS servers are not responding
DNS_PROBE_FINISHED_NO_INTERNET