Issue with pfSense config in Azure
Requesting configuration help for a pfSense setup in Azure…
Setup:
Perimeter Subnet 10.7.0.0/29
- wgpfsense1 (10.7.0.4)
- testvm (10.7.0.5)
Web Subnet 10.7.1.0/24
- WGWEB1 (10.7.1.4)
Goal: Have testvm enter 10.7.0.4 in a browser and have the traffic be directed to 10.7.1.4 (standard Port Forward, I think). Note that pfSense has a single interface... Azure is handling the routing.
I have a NAT rule in place:
If: WAN
Protocol: TCP/UDP
Src addr: *
Src ports: *
Dest. addr: WAN address
Dest. ports: 80
NAT IP: WGWEB1 (alias)
NAT Ports: 80
And a FW rule (auto-generated when NAT rule was created):
Action: Pass
Proto: TCP/UDP
Source: *
Port: *
Dest: WGWEB1
Port: 80
When I try to browse from a server in the perimeter network (10.7.0.5) to http://10.7.0.4 I get back ERR_EMPTY_RESPONSE.
Packet Capture from browse attempt
21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
Firewall log from same browse attempt
Act Time If Source Destination Proto
pass/1467520595, Jul 3 04:46:36, WAN, 10.7.0.5:49307, 10.7.1.10:80, TCP:SEC
pass/1467520595, Jul 3 20:20:55, WAN, 10.7.0.5:49186, 10.7.1.4:80, TCP:SEC
pass/1467520595, Jul 3 20:21:34, WAN, 10.7.0.5:49192, 10.7.1.4:80, TCP:SEC
pass/1467520595, Jul 3 21:08:51, WAN, 10.7.0.5:49193, 10.7.1.4:80, TCP:SEC
pass/1467520595, Jul 3 21:10:03, WAN, 10.7.0.5:49194, 10.7.1.4:80, TCP:SEC
Wireshark trace from the web server the traffic should be redirected to (10.7.1.4) shows no packets with tcp.port eq 80 and ip.src==10.7.0.5
It's like the packets aren't getting to the web server at all, even though the firewall rule allows and the NAT is set up.
If, from 10.7.0.5, I open a browser and type in the web server address directly (10.7.1.4) I get the site returned fine. This proves to me that the Azure fabric is routing the packets from the 10.7.0.0/29 to the 10.7.1.0/24 subnet.
Questions: Did I miss anything in the NAT setup? Shouldn't the pfSense appliance send packets to its default gateway not on its own subnet (Gateway IPv4 10.7.0.1)? Is there other diagnostic data I can look at or provide?
Thanks in advance,
Steve
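As an added diagnostic (not part of Steve's post and not pfSense's own tooling): a small Python script that parses tcpdump-style lines like the packet capture above, pairs each packet that arrived at the WAN address with the copy pfSense sent on a moment later, and reports whether the destination was rewritten (the port forward firing) and whether the source was rewritten (outbound NAT). On a single-interface firewall that second point matters: if the forwarded copy keeps the client's own source address, the web server's reply is addressed straight to the client and never passes back through pfSense, so the client gets a reply from an address it never connected to. The capture lines embedded in the script are the ones quoted in the post; the firewall address, the 50 ms pairing window and the extra outbound-NAT and reply lines in the usage note are my assumptions.

```python
"""
Single-interface port-forward diagnostics for a tcpdump-style capture.
Added example, not from the post. Pairs each packet addressed to the
firewall with the translated copy it emitted, then reports DNAT/SNAT
behaviour and whether any reply was seen on the same interface.
"""
import re

# Constructed sample: the capture lines quoted in the post.
CAPTURE = """\
21:10:02.971756 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:02.971810 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:03.960732 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:03.960759 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
21:10:05.975642 IP 10.7.0.5.49194 > 10.7.0.4.80: tcp 0
21:10:05.975672 IP 10.7.0.5.49194 > 10.7.1.4.80: tcp 0
"""

FIREWALL_IP = "10.7.0.4"  # pfSense WAN address from the post (assumption)

# tcpdump "HH:MM:SS.usec IP a.b.c.d.port > w.x.y.z.port: proto ..." lines
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def _seconds(ts):
    """Convert HH:MM:SS.frac into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
        pkts.append(p)
    return pkts


def _reply_target(flows, p):
    """Find the flow this packet answers (by client or by NAT'd source), if any."""
    for (client, cport), f in flows.items():
        if (p["dst"], p["dport"]) in ((client, cport), f["nat_src"]):
            return f
    return None


def analyse_forwards(pkts, firewall_ip, window=0.05):
    """
    Group packets by original (client, client port). For each flow record:
    attempts   - packets the client sent to the firewall address
    dnat_to    - destination of the translated copy (None if never seen)
    snat       - True if the translated copy carries a new source address
    nat_src    - (address, port) the translated copy was sent from
    reply_seen - any packet on this interface answering client or nat_src
    """
    flows, pending = {}, None
    for p in pkts:
        f = _reply_target(flows, p)
        if f is not None:
            f["reply_seen"] = True
            continue
        if p["dst"] == firewall_ip:
            key = (p["src"], p["sport"])
            f = flows.setdefault(key, {"attempts": 0, "dnat_to": None, "snat": None,
                                       "nat_src": None, "reply_seen": False})
            f["attempts"] += 1
            pending = (key, p)
        elif pending and _seconds(p["ts"]) - _seconds(pending[1]["ts"]) <= window:
            # Translated copy: sent within the window, not to the firewall itself.
            key, orig = pending
            f = flows[key]
            f["dnat_to"] = p["dst"]
            f["nat_src"] = (p["src"], p["sport"])
            f["snat"] = p["src"] != orig["src"]
            pending = None
    return flows


def diagnose(flows, firewall_ip):
    """Turn the findings into plain-language messages, one per problem."""
    msgs = []
    for (client, cport), f in flows.items():
        tag = f"{client}:{cport}"
        if f["dnat_to"] is None:
            msgs.append(f"{tag}: no translated copy seen; the port forward did not match")
            continue
        if not f["snat"]:
            msgs.append(f"{tag}: forwarded to {f['dnat_to']} with the client source kept; "
                        f"the server's reply goes to {client} directly, not via {firewall_ip}")
        if f["attempts"] > 1 and not f["reply_seen"]:
            msgs.append(f"{tag}: {f['attempts']} retransmitted attempts and no reply on this interface")
    return msgs


if __name__ == "__main__":
    for msg in diagnose(analyse_forwards(parse_capture(CAPTURE), FIREWALL_IP), FIREWALL_IP):
        print(msg)
```

Run against the posted capture it reports one flow, 10.7.0.5:49194, translated to 10.7.1.4 with the source left as 10.7.0.5, retried three times with nothing coming back on the WAN interface. Feeding it a constructed capture in which the translated copy reads `10.7.0.4.49194 > 10.7.1.4.80` (outbound NAT applied) and a reply `10.7.1.4.80 > 10.7.0.4.49194` follows, it reports nothing, which is the shape a working one-armed forward has on the wire. Separately from anything a capture on pfSense can show, an Azure VM only gets to emit packets whose source address is not its own NIC's when IP forwarding is enabled on that NIC in Azure; that is a platform setting rather than a pfSense one, and it is the first thing to check when the translated copy leaves the firewall but never shows up on the server.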