Issue with pfSense config in Azure



  • Requesting configuration help for a pfSense setup in Azure…

    Setup:
    Perimeter Subnet 10.7.0.0/29

    • wgpfsense1 (10.7.0.4)
    • testvm (10.7.0.5)

    Web Subnet 10.7.1.0/24

    • WGWEB1 (10.7.1.4)

    Goal: Have testvm enter 10.7.0.4 in a browser and have the traffic be directed to 10.7.1.4 (standard Port Forward I think). Note that pfSense has a single interface...Azure is handling the routing.

    I have a NAT rule in place:

    If: WAN
    Protocol: TCP/UDP
    Src addr: *
    Src ports: *
    Dest. addr: WAN address
    Dest. ports: 80
    NAT IP: WGWEB1 (alias)
    NAT Ports: 80

    And a FW rule (auto-generated when NAT rule was created):

    Action: Pass
    Proto: TCP/UDP
    Source: *
    Port: *
    Dest: WGWEB1
    Port: 80

    When I try to browse from a server in the perimeter network (10.7.0.5) to http://10.7.0.4 I get back ERR_EMPTY_RESPONSE.

    Packet Capture from browse attempt
    21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
    21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
    21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0

    Firewall log from same browse attempt
    Act  Time  If  Source  Destination  Proto
    pass/1467520595, Jul 3 04:46:36, WAN, 10.7.0.5:49307, 10.7.1.10:80, TCP:SEC
    pass/1467520595, Jul 3 20:20:55, WAN, 10.7.0.5:49186, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 20:21:34, WAN, 10.7.0.5:49192, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 21:08:51, WAN, 10.7.0.5:49193, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 21:10:03, WAN, 10.7.0.5:49194, 10.7.1.4:80, TCP:SEC

    Wireshark trace from the web server the traffic should be redirected to (10.7.1.4) shows no packets with tcp.port eq 80 and ip.src==10.7.0.5

    It's like the packets aren't getting to the web server at all, even though the firewall rule allows and the NAT is set up.

    If, from 10.7.0.5 I open a browser and type in the web server address directly (10.7.1.4) I get the site returned fine. This proves to me that the Azure fabric is routing the packets from the 10.7.0.0/29 to the 10.7.1.0/24 subnet.

    Questions: Did I miss anything in the NAT setup? Shouldn't the pfSense appliance send packets to its default gateway not on its own subnet (Gateway IPv4 10.7.0.1)? Is there other diagnostic data I can look at or provide?

    Thanks in advance,
    Steve
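The capture and firewall-log excerpts above contain enough structure to check a one-armed port forward mechanically: whether each SYN sent to the WAN address is re-emitted to the backend (the DNAT twin), whether the source address is left untouched, how the client backs off, whether any reply ever appears on the firewall's interface, and whether the pass entries in the firewall log already show the translated destination (pf runs rdr before the filter rules, so a matching rule logs the post-NAT destination). The script below is an added example, not code from the post or from pfSense; it assumes the tcpdump and firewall-log line formats exactly as quoted, and the sample lines are constructed copies of those excerpts. The `src_rewritten` check is a general caveat about plain port forwards rather than a diagnosis of this case: a rdr alone does not rewrite the client address, so a backend that can reach the client without going through the firewall answers the client directly.

```python
import re

# Constructed copies of the tcpdump and pfSense firewall-log lines quoted above.
CAPTURE = """\
21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
"""
FW_LOG = """\
pass/1467520595, Jul 3 04:46:36, WAN, 10.7.0.5:49307, 10.7.1.10:80, TCP:SEC
pass/1467520595, Jul 3 20:20:55, WAN, 10.7.0.5:49186, 10.7.1.4:80, TCP:SEC
pass/1467520595, Jul 3 21:10:03, WAN, 10.7.0.5:49194, 10.7.1.4:80, TCP:SEC
"""

PKT_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): tcp (?P<plen>\d+)$"
)
LOG_RE = re.compile(
    r"^(?P<act>\w+)/(?P<rule>\d+), (?P<when>[^,]+), (?P<iface>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+), (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"(?P<proto>\w+):(?P<flags>\w*)$"
)


def parse_capture(text):
    """tcpdump 'IP a.b.c.d.port > e.f.g.h.port: tcp N' lines -> list of dicts."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        pkts.append({"ts": ts, "src": m["src"], "sport": int(m["sport"]),
                     "dst": m["dst"], "dport": int(m["dport"]), "plen": int(m["plen"])})
    return pkts


def parse_fw_log(text):
    """pfSense 'act/rule, time, iface, src:port, dst:port, proto:flags' lines."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in text.splitlines()) if m]


def analyze_port_forward(pkts, log, fw_ip, backend_ip, port, window=0.001):
    """Correlate a WAN-side capture with the firewall log for one port forward."""
    to_fw = [p for p in pkts if p["dst"] == fw_ip and p["dport"] == port]
    to_backend = [p for p in pkts if p["dst"] == backend_ip and p["dport"] == port]
    # Anything sourced from the firewall or backend on the service port is a reply.
    replies = [p for p in pkts if p["src"] in (fw_ip, backend_ip) and p["sport"] == port]

    # Pair each pre-NAT packet with its post-DNAT twin: same client tuple,
    # re-emitted to the backend within `window` seconds.
    pairs, unmatched = [], []
    for a in to_fw:
        twin = next((b for b in to_backend
                     if b["src"] == a["src"] and b["sport"] == a["sport"]
                     and 0 <= b["ts"] - a["ts"] <= window), None)
        (pairs if twin else unmatched).append((a, twin))
    # A plain rdr leaves the client address alone; if that is what the capture
    # shows, the backend will answer the client directly when it has a route.
    src_rewritten = any(t["src"] != a["src"] for a, t in pairs)

    # Client retransmission timing (all packets here are payload-less SYNs).
    attempts = sorted(p["ts"] for p in to_fw)
    gaps = [round(b - a, 2) for a, b in zip(attempts, attempts[1:])]

    # pf translates before filtering, so the pass entry for a captured flow
    # should name the backend, not the WAN address, as destination.
    flows = {(p["src"], p["sport"]) for p in to_fw}
    logged = [e for e in log
              if e["act"] == "pass" and e["dst"] == backend_ip and int(e["dport"]) == port
              and (e["src"], int(e["sport"])) in flows
              and "S" in e["flags"] and "A" not in e["flags"]]

    return {
        "dnat_pairs": len(pairs),
        "unmatched_inbound": len(unmatched),
        "src_rewritten": src_rewritten,
        "syn_only": all(p["plen"] == 0 for p in to_fw + to_backend),
        "syn_attempts": len(attempts),
        "retransmit_gaps": gaps,
        "replies_seen": len(replies),
        "pass_entries_with_translated_dst": len(logged),
    }


if __name__ == "__main__":
    report = analyze_port_forward(parse_capture(CAPTURE), parse_fw_log(FW_LOG),
                                  "10.7.0.4", "10.7.1.4", 80)
    for key, value in report.items():
        print(f"{key:34} {value}")
```

Run against the quoted excerpts, the report shows three pre/post-DNAT pairs with no unmatched inbound SYNs, the source address unchanged, three SYN attempts about 1 s and 2 s apart, zero replies on the firewall's interface, and exactly one firewall-log pass entry for the captured flow whose destination is already the backend address. That is the evidence a second capture on the backend's interface (filtering on the client address) should be read against.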
