Netgate Discussion Forum

    HELP PLEASE - NON-TRANSPARENT PROXY WON'T FORWARD PORTS

    9 Posts 3 Posters 2.1k Views
    • fagoti

      Hi there, I've been using pfSense only for a week; so far so good, great things about it.

      But I got stuck with this issue.

      I forwarded several ports to some services on my network,
      and they work like this:
        connections to my WAN from outside (internet) are redirected to a local IP on the correct port ->> WORKING OK
        connections to my WAN from inside (local network) (without proxy defined) are redirected to a local IP on the correct port ->> WORKING OK

      What I need now, and am struggling with, is
        connections to my WAN from inside (local network) (WITH proxy defined) to get redirected to the local IP on the correct port

      What is happening, what should I do???

      Obs: some more info to illustrate the problem

      WAN 111.111.111.111 (not the real IP of course)

      NAT redirect 111.111.111.111 on port 3306 to local 1.1.1.1 on port 3306

      I have non-transparent proxy enabled on 3128

      I have SquidGuard disabled

      I have turned on:
      Enable NAT Reflection for 1:1 NAT
      Enable automatic outbound NAT for Reflection

      and with this, local access to that NAT is granted, but only if I uncheck proxy on the machine.

      But if I turn proxy on on the local machine, that NAT won't work anymore

      • KOM

        What is happening, what should I do???

        Stop going out and then back in again.

        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        Configure your DNS so that external hostnames resolve to internal IP addresses.  For example, with your numbers, configure internal DNS so that www.yourdomain.ext resolves to 1.1.1.1 instead of 111.111.111.111.  This is known as split DNS and is the second option in my link.

        • fagoti

          Hi KOM, first of all, thanks for the reply,

          you kinda nailed it, but the thing I forgot to mention is that I have more NATs, to different IPs.

          so it goes like this:

          WAN 111.111.111.111 (not the real IP of course)

          NAT redirect 111.111.111.111 on port 3306 to local 1.1.1.1 on port 3306
          NAT redirect 111.111.111.111 on port 5656 to local 1.1.1.2 on port 5656
          NAT redirect 111.111.111.111 on port 5657 to local 1.1.1.3 on port 5657
          NAT redirect 111.111.111.111 on port 5658 to local 1.1.1.4 on port 5658

          I did that split DNS thing you mentioned, and I got 1.1.1.1 working internally with proxy enabled..
          but then I realized.. shit... how will I address all my other services on those IPs (1.2, 1.3, 1.4)?

          thanks again!

          Obs: there is another problem, I need the actual IP address working

          I have these two links in a website:
          http://111.111.111.111:3306    ->  1.1.1.1
          http://111.111.111.111:5656  ->  1.1.1.2

          I need it working from everywhere (outside, inside with proxy on, inside with proxy off).

          With the split DNS I could make www.example.com:3306 OK for all local users, but not the outside viewers, and on top of that, I can only address 1 LAN IP…

          • KOM

            OK, now you are getting into waters too deep for me ;D

            I don't know if you can get NAT Reflection working in conjunction with the proxy.

            • fagoti

              No problem, still, I'm very curious about it.

              I managed to work around it by setting, along with my proxy GPO, a GPO exclusion for that 111.111.111.111 address,
              so when it hits that address it bypasses the proxy, therefore acting like proxy disabled and then working all right.

              Not an elegant solution, since I hate GPOs and all the Windows crazy behaviors… but anyway,
              better than nothing..

              I will be coming here to check if someone has a better solution that can be done in pfSense alone.

              thanks for your time KOM

              • johnpoz LAYER 8 Global Moderator

                Oh gawd what a mess.. you could have picked better example IPs: 111.111.111.111 as public and 1.1.1.1 as your internal… Makes your head spin..

                There is really never a reason to try and obfuscate your internal RFC1918 address.  If you want to use a fake WAN, OK.. but how about, say, the documentation networks

                192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, or the common 1.2.3.4, which is clearly a fake public IP, etc.

                So you say you use FQDN www.example.com that points to your single public IP.  But you use ports with this FQDN to get to different servers behind your NAT

                www.example.com:1234 goes to 192.168.1.100:1234
                www.example.com:4567 goes to 192.168.1.200:4567

                What services are on these ports? http/https?

                Why can you not just use a reverse proxy and different names, so serverA.example.com goes to 192.168.1.100 and serverB.example.com goes to 192.168.1.200?

                You should always use a different FQDN to represent a different machine, or virtual site on the same httpd, etc.  Using ports is a workaround for when you only have 1 public IP and cannot use a reverse proxy to forward traffic based upon the FQDN.

                What services are you dealing with - is it just http/https?  Why all the oddball ports?

                If you use a reverse proxy for your outside users, then you can use the same FQDN inside with just split DNS..  Best solution if you have all these different IPs internally you need to forward to is get more public IPs ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • fagoti

                  Hi johnpoz, thanks for the reply

                  you see, we have been using direct IPs and ports for a long time, mainly because we didn't have a firewall to trust for better solutions.

                  but anyway, that FQDN solution you gave could be something I've been meaning to do.

                  would you care to explain how I can pull it off from pfSense, in a way a beginner can understand?

                  so in the end, using your example, I'd like to have

                  servera.example.com  -> 192.168.0.100:1234  (still think it's really easier to type 1.1.1.1 rsrsrs)
                  serverb.example.com  -> 192.168.0.200:4567

                  using only http, but I will be moving to https sometime in the near future.

                  • johnpoz LAYER 8 Global Moderator

                    Might be easier to type sljfdsljdlfjdslfjdslsdfjfljdsljdlsjfdsljdfsljdfslfj but what is easier to understand ;)

                    So this is just http.. So why is it not just served up on 80??

                    But if you want serverA.domain.tld to go to the .100 machine and serverB.domain.tld to go to the .200 machine regardless of what ports you might throw into the URL, then just install a reverse proxy package - squid off the packages is prob the easy choice, but I do believe you could also use the haproxy package.  Install squid, then services reverse proxy, and follow the bouncing ball ;)

                    Then set up either wildcard or A records, or CNAMEs even, so the different names you want to use all resolve to your public IP, not just the 1 FQDN.

                    I don't see any reverse proxy in the docs, maybe that should be corrected.. But it really should be fill in the blanks..  Been a while since I played with it - but if you need some walkthrough, I could prob throw that together and put it in the docs.


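The name-based routing johnpoz describes above (serverA.example.com to the .100 machine, serverB.example.com to the .200 machine, whatever port is in the URL) and the split-DNS half of KOM's earlier answer fit together as one design: every public name resolves to the single public IP from outside and, via split DNS, to the proxy's LAN address from inside, and the proxy chooses the backend from the Host header rather than from a port. The following is an added illustration written for this thread, not pfSense's squid or haproxy package: a minimal Python reverse proxy that does that routing. The hostnames and the 192.168.1.100 / 192.168.1.200 backend addresses and ports are johnpoz's placeholder values; the listen address, the X-Forwarded-For handling and the 421 response for names not in the table are my own assumptions.

```python
"""Minimal name-based HTTP reverse proxy (added example, not pfSense package code).

Each request is routed by its Host header to one backend, so that
serverA.example.com -> 192.168.1.100 and serverB.example.com -> 192.168.1.200
without the client having to know any port.  All addresses are placeholders
taken from the thread's example, not real hosts.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hostname -> (backend_ip, backend_port).  Constructed placeholder values.
ROUTES = {
    "servera.example.com": ("192.168.1.100", 1234),
    "serverb.example.com": ("192.168.1.200", 4567),
}

# Headers that describe the client<->proxy hop and must not be relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def pick_backend(host_header):
    """Return (ip, port) for a Host header, or None if the name is not one we publish.

    Any port the client appended (www.example.com:1234) is ignored: routing is by
    name only, which is the whole point of using FQDNs instead of ports.
    """
    if not host_header:
        return None
    name = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return ROUTES.get(name)


def forward_headers(headers, client_ip):
    """Copy request headers for the backend, dropping hop-by-hop ones and appending
    X-Forwarded-For so the backend's log still shows the real client address."""
    out = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return out


class ProxyHandler(BaseHTTPRequestHandler):
    def _proxy(self):
        backend = pick_backend(self.headers.get("Host"))
        if backend is None:
            # Unknown name: refuse instead of guessing a default internal server.
            self.send_error(421, "Misdirected Request")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPConnection(*backend, timeout=10)
        try:
            conn.request(self.command, self.path, body=body,
                         headers=forward_headers(self.headers, self.client_address[0]))
            resp = conn.getresponse()
            data = resp.read()  # read fully so we can send a plain Content-Length
            self.send_response(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError:
            self.send_error(502, "Bad Gateway")
        finally:
            conn.close()

    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = _proxy


if __name__ == "__main__":
    # Listen where the public FQDNs (and, via split DNS, the LAN) resolve to.
    ThreadingHTTPServer(("0.0.0.0", 80), ProxyHandler).serve_forever()
```

A request whose Host is not in ROUTES gets 421 rather than being passed to some default backend, so a name the operator never published cannot reach an internal server through the proxy; hop-by-hop headers are stripped and X-Forwarded-For is appended so backend logs keep the real client. With this in front, the same names work from outside, from the LAN with the proxy on, and from the LAN with it off, which was the original requirement.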
                    • fagoti

                      thanks for replying.

                      I will be looking into it,

                      if you care enough, it would save a lot of time by appending this to the docs.

                      thanks in advance.
