Netgate Discussion Forum

Issue with pfSense config in Azure

  • Coldaddy (last edited Jul 3, 2016, 10:56 PM)

    Requesting configuration help for a pfSense setup in Azure…

    Setup:
    Perimeter Subnet 10.7.0.0/29

    • wgpfsense1 (10.7.0.4)
    • testvm (10.7.0.5)

    Web Subnet 10.7.1.0/24

    • WGWEB1 (10.7.1.4)

    Goal: Have testvm enter 10.7.0.4 in a browser and have the traffic be directed to 10.7.1.4 (standard Port Forward I think). Note that pfSense has a single interface... Azure is handling the routing.

    I have a NAT rule in place:

    If: WAN
    Protocol: TCP/UDP
    Src addr: *
    Src ports: *
    Dest. addr: WAN address
    Dest. ports: 80
    NAT IP: WGWEB1 (alias)
    NAT Ports: 80

    And a FW rule (auto-generated when NAT rule was created):

    Action: Pass
    Proto: TCP/UDP
    Source: *
    Port: *
    Dest: WGWEB1
    Port: 80

    When I try to browse from a server in the perimeter network (10.7.0.5) to http://10.7.0.4 I get back ERR_EMPTY_RESPONSE.

    Packet Capture from browse attempt
    21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
    21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
    21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
    21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0

    Firewall log from same browse attempt
    Act  Time  If  Source  Destination  Proto
    pass/1467520595, Jul 3 04:46:36, WAN, 10.7.0.5:49307, 10.7.1.10:80, TCP:SEC
    pass/1467520595, Jul 3 20:20:55, WAN, 10.7.0.5:49186, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 20:21:34, WAN, 10.7.0.5:49192, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 21:08:51, WAN, 10.7.0.5:49193, 10.7.1.4:80, TCP:SEC
    pass/1467520595, Jul 3 21:10:03, WAN, 10.7.0.5:49194, 10.7.1.4:80, TCP:SEC

    Wireshark trace from the web server that traffic should be redirected to (10.7.1.4) shows no packets with tcp.port eq 80 and ip.src==10.7.0.5.

    It's like the packets aren't getting to the web server at all, even though the firewall rule allows and the NAT is set up.

    If, from 10.7.0.5 I open a browser and type in the web server address directly (10.7.1.4) I get the site returned fine. This proves to me that the Azure fabric is routing the packets from the 10.7.0.0/29 to the 10.7.1.0/24 subnet.

    Questions: Did I miss anything in the NAT setup? Shouldn't the pfSense appliance send packets to its default gateway not on its own subnet (Gateway IPv4 10.7.0.1)? Is there other diagnostic data I can look at or provide?

    Thanks in advance,
    Steve
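
The packet capture from the post above, summarized programmatically (an added example, not part of the original post): the script pairs each packet addressed to 10.7.0.4 with the forwarded copy that follows it and reports what the port forward changed, how the client retried, and whether anything came back. The function names and the 1 ms pairing window are assumptions made for this example.

```python
import re

# Capture lines copied from the post (pfSense packet capture, WAN interface).
CAPTURE = """\
21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
"""

LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)")

def parse(capture):
    """Return (seconds, src, sport, dst, dport, payload_len) per capture line."""
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            h, mi, s, src, sport, dst, dport, length = m.groups()
            t = int(h) * 3600 + int(mi) * 60 + float(s)
            packets.append((t, src, int(sport), dst, int(dport), int(length)))
    return packets

def summarize(packets, client, firewall, pair_window=0.001):
    """Pair each packet sent to the firewall with the forwarded copy that follows it."""
    inbound = [p for p in packets if p[1] == client and p[3] == firewall]
    pairs = []
    for pre in inbound:
        # Forwarded copy: first later packet within pair_window not addressed to the firewall.
        post = next((q for q in packets
                     if 0 < q[0] - pre[0] <= pair_window and q[3] != firewall), None)
        pairs.append((pre, post))
    forwarded = [post for _, post in pairs if post]
    return {
        "attempts": len(inbound),
        "source_ports": sorted({p[2] for p in inbound}),
        "translated_to": sorted({(q[3], q[4]) for q in forwarded}),
        "source_rewritten": any((q[1], q[2]) != (pre[1], pre[2]) for pre, q in pairs if q),
        "retry_gaps_s": [round(b[0] - a[0], 1) for a, b in zip(inbound, inbound[1:])],
        "packets_toward_client": sum(1 for p in packets if p[3] == client),
        "payload_bytes": sum(p[5] for p in packets),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(CAPTURE), "10.7.0.5", "10.7.0.4").items():
        print(f"{key}: {value}")
```

On the capture as posted, this reports three attempts from the same source port spaced about 1 s and 2 s apart, each forwarded to 10.7.1.4:80 with the source 10.7.0.5:49194 unchanged, and no packet addressed back to 10.7.0.5.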
