Netgate Discussion Forum

NAT / Port Forward issue

NAT
nat port forward port forwarding public ip
  • M
    mrdeckard
    last edited by Jul 11, 2021, 4:46 PM

    Hi all,
    I'm trying to configure pfsense 2.4.5 (but I had the same problems with the latest version 2.5.X). My scenario is:
    pfsense has a public static IP and its private network adapter (192.168.0.1) is bound to my private LAN, where I have a web server that I don't want to expose directly on the Internet.

    The private interface (eth) of my web server is configured as follows:

    DEVICE=eth1
    NM_CONTROLLED=no
    ONBOOT=yes
    TYPE=Ethernet
    NAME="System eth1"
    BOOTPROTO=none
    PREFIX=24
    IPADDR=192.168.0.118

    No firewall is activated:

    systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
    Active: inactive (dead)
    Docs: man:firewalld(1)

    As for iptables, no rule is set.

    For the chosen example scenario, I've set the following NAT / Port Forward rule for port 8080:

    [screenshot of the NAT / Port Forward rule not available]

    and for the firewall rules, I have the following configuration:
    [screenshot of the firewall rules not available]

    Source IP 93.X.X.X in the screenshot is the static public IP of my office router.

    When I try to access my web server through the public IP of pfsense on port 8080, it seems that the rule is matched, but no response seems to come back. Below is the log for a request that the rule intercepted and tried to redirect to the internal LAN.

    [firewall log screenshot not available]

    Below you can see the capture (pfsense side):

    [packet capture screenshot not available]

    As said, the capture also shows that no response is received for the frames sent.
    Do you have any idea what I'm doing wrong? Any suggestion would be very much appreciated.
    Thanks to all of you.

    • C
      chpalmer
      last edited by Jul 11, 2021, 4:53 PM

      Do you have a "gateway" configured on the device that you are trying to serve from?

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • M
        mrdeckard @chpalmer
        last edited by Jul 11, 2021, 5:12 PM

        Hi @chpalmer, thanks for the quick reply.
        Do you mean the machine where the web server is running? I have the gateway only for eth0 (where a static public IP is still configured, so that I can keep reaching it), but not for eth1 (LAN). In this case, I tried adding the property
        GATEWAY=196.168.0.1 (internal IP of pfsense) to the configuration of eth1 (192.168.0.118 - web server), but the machine also became unreachable from the public side... I don't know why....

        • K
          KOM @mrdeckard
          last edited by KOM Jul 11, 2021, 6:29 PM Jul 11, 2021, 5:50 PM

          @mrdeckard So this web server at .118 has full access, can ping out to 8.8.8.8 etc? Your trace shows no response. I would do a capture on LAN when you run your test to make sure the packets are making their way through pfSense to the web server.

          Troubleshooting NAT Port Forwards

          • M
            mrdeckard @KOM
            last edited by Jul 11, 2021, 6:38 PM

            Hi @kom,
            thank you for the reply.
            I confirm that I can ping 8.8.8.8. Soon I will try to make a capture on the web server side. I'll let you know the outcome of the capture. Thanks again for your help.

            • K
              KOM @mrdeckard
              last edited by Jul 11, 2021, 6:56 PM

              @mrdeckard Make sure you go through that list I linked to. It's always something in that list that turns out to be the problem.

              • M
                mrdeckard @KOM
                last edited by Jul 12, 2021, 7:18 AM

                Hi @kom,
                I checked the troubleshooting procedures written in your link. It seems OK to me, but I have a doubt about the correct configuration of the gateway on the receiving machine (web server). Can I show you the web server routing table? I made the capture on the web server side, and in fact, I find it strange. Below I show the capture made with tcpdump on eth1 (192.168.0.118) of the web server when calling the public address of pfsense on port 8080.

                [tcpdump capture screenshot not available]

                I find the indication TCP Out-Of-Order very strange, followed by the TCP retransmissions coming from my browser placed behind the router of my office.

                In fact, there never seems to be a response back from the web server. What do you think? What useful information could I investigate?

                Thank you so much.

                • K
                  KOM @mrdeckard
                  last edited by Jul 12, 2021, 2:05 PM

                  @mrdeckard What does the web server show for:

                  ip route show
                  
                  • M
                    mrdeckard @KOM
                    last edited by Jul 17, 2021, 6:32 PM

                    Hi @kom,
                    I am very sorry to be able to answer only now. Unfortunately, I've been on the road these days and couldn't get to my test servers.
                    Before showing you the information on the routing tables, I would like to thank you again for your support and your great spirit of help.

                    My web server's routing table is the following:

                    [routing table output not available]

                    As you can see, the address 195.xxx.xxx.xxx is the IP range on the public side. So the public address exposed by the eth0 network interface is 195.xxx.xxx.91, while on eth1 there is the LAN side (192.168.0.118).

                    If it can be useful, while looking around I noticed a strange thing. For example, if I go to Status -> Gateway, I observe the following:

                    [Status -> Gateway screenshot not available]

                    It appears that the gateway on the public side is "duplicated" (forgive me for the lack of knowledge of pfsense and possibly some concepts), and one of the two appears to be in a "Pending" state. I cannot understand it.

                    I thank you again!

                    • K
                      KOM @mrdeckard
                      last edited by Jul 18, 2021, 3:46 AM

                      @mrdeckard Looks like your config has a problem. What do you have under System - Routing - Gateways?

                      • M
                        mrdeckard @KOM
                        last edited by Jul 18, 2021, 10:30 AM

                        Hi @kom,
                        under System - Routing - Gateways I have the following situation:

                        [System - Routing - Gateways screenshot not available]

                        Do you have any advice for me? Do you think it could be something I got wrong during the setup, or something that went wrong during the installation?

                        Thank you so much!

                        • K
                          KOM @mrdeckard
                          last edited by KOM Jul 18, 2021, 6:18 PM Jul 18, 2021, 6:12 PM

                          @mrdeckard I don't know why you have two identical gateways but that can't be good. The second one appears to be the default created by pfSense. I would delete the first one and then try again.

                          Edit: I just noticed that the gateway set for your web server seems to be the public IP address of your WAN. It should be your pfSense LAN IP address.

                          • M
                            mrdeckard @KOM
                            last edited by Jul 18, 2021, 10:29 PM

                            Hi @kom,
                            Excuse me. I realized just now that the real problem was in the setup of my gateway on the web server! So your observation is absolutely correct.
                            I corrected the gateway on the web server, setting it to the router/firewall address (the private interface of pfsense, 192.168.0.1).
                            Now the system works as expected.

                            I learned that you need to check the troubleshooting guidelines not 5 but 10 times!
                            Troubleshooting NAT Port Forwards

                            Thank you very much and thanks for your patience and support.

                            Thanks sincerely.

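The failure mode this thread ends on (the web server's default gateway pointing at the public side, so replies to the forwarded requests never return through pfSense) can be checked from the host itself. The script below is an added example, not code from the thread or from Netgate: it parses an ifcfg-style file like the one posted above and flags a GATEWAY that is absent or not on the interface's own subnet, then parses `ip route show` output and does a longest-prefix lookup to see on which interface the reply to the remote client would leave. The ifcfg contents, the `ip route show` lines, the 203.0.113.0/24 range standing in for the poster's public addresses and the 198.51.100.10 client address are all constructed for the example.

```python
import ipaddress

# Constructed ifcfg file modelled on the one posted in the thread (eth1 on the
# LAN behind pfSense, 192.168.0.118/24) with three GATEWAY variants: none at
# all, an address outside the subnet, and the pfSense LAN address.
IFCFG_BASE = """\
DEVICE=eth1
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
NAME="System eth1"
BOOTPROTO=none
PREFIX=24
IPADDR=192.168.0.118
"""
IFCFG_NO_GW = IFCFG_BASE
IFCFG_BAD_GW = IFCFG_BASE + "GATEWAY=196.168.0.1\n"  # not on 192.168.0.0/24
IFCFG_OK_GW = IFCFG_BASE + "GATEWAY=192.168.0.1\n"   # pfSense LAN interface

# Constructed `ip route show` output. 203.0.113.0/24 stands in for the poster's
# public range on eth0; 198.51.100.10 stands in for the remote client.
ROUTES_DEFAULT_VIA_WAN = """\
default via 203.0.113.1 dev eth0
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.118
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.91
"""
ROUTES_DEFAULT_VIA_PFSENSE = """\
default via 192.168.0.1 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.118
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.91
"""


def check_ifcfg_gateway(ifcfg_text):
    """Return 'missing', 'outside-subnet' or 'ok' for GATEWAY= in an ifcfg file.
    A gateway that is not on the interface's own subnet is unreachable, so the
    host has no usable route out of that interface."""
    kv = {}
    for line in ifcfg_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            kv[key.strip()] = value.strip().strip('"')
    if "GATEWAY" not in kv:
        return "missing"
    iface = ipaddress.ip_interface(f"{kv['IPADDR']}/{kv['PREFIX']}")
    gateway = ipaddress.ip_address(kv["GATEWAY"])
    return "ok" if gateway in iface.network else "outside-subnet"


def parse_routes(text):
    """Parse `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        via = dev = None
        for i, tok in enumerate(parts):
            if tok == "via":
                via = ipaddress.ip_address(parts[i + 1])
            elif tok == "dev":
                dev = parts[i + 1]
        routes.append((net, via, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst, the way the kernel picks an outbound route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best


def reply_path(routes, client_ip, ingress_dev):
    """Return (symmetric, egress_dev, via) for the server's reply to client_ip.
    A plain port forward hands the request to the server with the client's
    public source address intact, so the reply is routed by that address; if
    it leaves on an interface other than the one the request arrived on, it
    bypasses pfSense and the client never sees it."""
    match = lookup(routes, client_ip)
    if match is None:
        return False, None, None
    net, via, dev = match
    return dev == ingress_dev, dev, via


if __name__ == "__main__":
    for name, cfg in [("no GATEWAY", IFCFG_NO_GW), ("GATEWAY=196.168.0.1", IFCFG_BAD_GW),
                      ("GATEWAY=192.168.0.1", IFCFG_OK_GW)]:
        print(f"ifcfg {name}: {check_ifcfg_gateway(cfg)}")
    for name, table in [("default via WAN", ROUTES_DEFAULT_VIA_WAN),
                        ("default via pfSense LAN", ROUTES_DEFAULT_VIA_PFSENSE)]:
        ok, dev, via = reply_path(parse_routes(table), "198.51.100.10", "eth1")
        verdict = "symmetric" if ok else "ASYMMETRIC, reply bypasses pfSense"
        print(f"{name}: reply leaves via {via} on {dev} -> {verdict}")
```

On a real host you would feed `check_ifcfg_gateway` the contents of the ifcfg file and `parse_routes` the output of `ip route show`, using the remote client's address seen in the tcpdump capture and the LAN interface as `ingress_dev`; an asymmetric result is the same symptom the capture in this thread showed, a request arriving on eth1 with no reply ever appearing on that interface.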
                            • M
                              mrdeckard @chpalmer
                              last edited by Jul 18, 2021, 10:32 PM

                              Hi @chpalmer,
                              You were right; the problem was an incorrect gateway configuration on the web server.

                              Thanks again!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.