    Issue with pfSense config in Azure

    Firewalling
      Coldaddy

      Requesting configuration help for a pfSense setup in Azure…

      Setup:
      Perimeter Subnet 10.7.0.0/29

      • wgpfsense1 (10.7.0.4)
      • testvm (10.7.0.5)

      Web Subnet 10.7.1.0/24

      • WGWEB1 (10.7.1.4)

      Goal: Have testvm enter 10.7.0.4 in a browser and have the traffic be directed to 10.7.1.4 (standard Port Forward I think). Note that pfsense has a single interface...Azure is handling the routing.

      I have a NAT rule in place:

      If: WAN
      Protocol: TCP/UDP
      Src addr: *
      Src ports: *
      Dest. addr: WAN address
      Dest. ports: 80
      NAT IP: WGWEB1 (alias)
      NAT Ports: 80

      And a FW rule (auto-generated when NAT rule was created):

      Action: Pass
      Proto: TCP/UDP
      Source: *
      Port: *
      Dest: WGWEB1
      Port: 80

      When I try to browse from a server in the perimeter network (10.7.0.5) to http://10.7.0.4 I get back ERR_EMPTY_RESPONSE.

      Packet Capture from browse attempt
      21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
      21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
      21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
      21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
      21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
      21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0

      Firewall log from same browse attempt
      Act  Time  If  Source  Destination  Proto
      pass/1467520595, Jul 3 04:46:36, WAN, 10.7.0.5:49307, 10.7.1.10:80, TCP:SEC
      pass/1467520595, Jul 3 20:20:55, WAN, 10.7.0.5:49186, 10.7.1.4:80, TCP:SEC
      pass/1467520595, Jul 3 20:21:34, WAN, 10.7.0.5:49192, 10.7.1.4:80, TCP:SEC
      pass/1467520595, Jul 3 21:08:51, WAN, 10.7.0.5:49193, 10.7.1.4:80, TCP:SEC
      pass/1467520595, Jul 3 21:10:03, WAN, 10.7.0.5:49194, 10.7.1.4:80, TCP:SEC

      A Wireshark trace from the web server that traffic should be redirected to (10.7.1.4) shows no packets matching tcp.port eq 80 and ip.src==10.7.0.5.

      It's like the packets aren't getting to the web server at all, even though the firewall rule allows them and the NAT is set up.

      If, from 10.7.0.5, I open a browser and type in the web server address directly (10.7.1.4), I get the site returned fine. This proves to me that the Azure fabric is routing the packets from the 10.7.0.0/29 subnet to the 10.7.1.0/24 subnet.

      Questions: Did I miss anything in the NAT setup? Shouldn't the pfSense appliance send packets to its default gateway not on its own subnet (Gateway IPv4 10.7.0.1)? Is there other diagnostic data I can look at or provide?

      Thanks in advance,
      Steve
