HELP PLEASE - NON-TRANSPARENT PROXY WON'T FORWARD PORTS



  • Hi there, I've been using pfSense for only a week; so far so good, great things about it.

    But I got stuck with this issue.

    I forwarded several ports to some services on my network,
    and they work like this:
      connections to my WAN from outside (internet) are redirected to a local IP on the correct port ->> WORKING OK
      connections to my WAN from inside (local network) (without proxy defined) are redirected to a local IP on the correct port ->> WORKING OK

    What I need now, and am struggling with, is:
      connections to my WAN from inside (local network) (WITH proxy defined) to get redirected to a local IP on the correct port

    What is happening, what should I do???

    obs: some more info to illustrate the problem

    WAN 111.111.111.111 (not the real IP of course)

    NAT redirect 111.111.111.111 on port 3306 to local 1.1.1.1 on port 3306

    I have a non-transparent proxy enabled on 3128

    I have SquidGuard disabled

    I have turned on:
    Enable NAT Reflection for 1:1 NAT
    Enable automatic outbound NAT for Reflection

    and with this, local access to that NAT is granted, but only if I uncheck the proxy on the machine.

    But if I turn the proxy on on the local machine, that NAT won't work anymore.



  • what is happening, what should I do???

    Stop going out and then back in again.

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Configure your DNS so that external hostnames resolve to internal IP addresses.  For example with your numbers, configure internal DNS so that www.yourdomain.ext resolves to 1.1.1.1 instead of 111.111.111.111.  This is known as split DNS and is the second option in my link.



  • Hi KOM, first of all, thanks for the reply,

    you kinda nailed it, but the thing I forgot to mention is that I have more NATs, to different IPs.

    So it goes like this:

    WAN 111.111.111.111 (not the real IP of course)

    NAT redirect 111.111.111.111 on port 3306 to local 1.1.1.1 on port 3306
    NAT redirect 111.111.111.111 on port 5656 to local 1.1.1.2 on port 5656
    NAT redirect 111.111.111.111 on port 5657 to local 1.1.1.3 on port 5657
    NAT redirect 111.111.111.111 on port 5658 to local 1.1.1.4 on port 5658

    I did that split DNS thing you mentioned, and I got 1.1.1.1 working internally with the proxy enabled..
    but then I realized.. shit.. how will I address all my other services on those IPs (1.2, 1.3, 1.4)?

    Thanks again!

    obs: there is another problem, I need the actual IP address working

    I have these two links on a website:
    http://111.111.111.111:3306  ->  1.1.1.1
    http://111.111.111.111:5656  ->  1.1.1.2

    I need it working from everywhere (outside, inside with proxy on, inside with proxy off).

    With the split DNS I could make www.example.com:3306 OK for all local users but not the outside viewers, and on top of that, I can only address 1 LAN IP…



  • OK, now you are getting into waters too deep for me ;D

    I don't know if you can get NAT Reflection working in conjunction with the proxy.



  • No problem, still, I'm very curious about it.

    I managed to work around it by setting, along with my proxy GPO, a GPO exclusion for that 111.111.111.111 address,
    so when it hits that address it bypasses the proxy, therefore acting like proxy disabled and then working all right.

    Not an elegant solution, since I hate GPOs and all the Windows crazy behaviors… but anyway,
    better than nothing..

    I will be coming here to check if someone has a better solution that can be done in pfSense alone.

    Thanks for your time KOM


  • LAYER 8 Global Moderator

    Oh gawd what a mess.. you could have picked better example IPs; 111.111.111.111 as public and 1.1.1.1 as your internal… Makes your head spin..

    There is really never a reason to try and obfuscate your internal RFC1918 address.  If you want to use a fake WAN ok.. but how about say the documentation networks

    192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 or the common 1.2.3.4 (this is clearly a fake public IP), etc.

    So you say you use the FQDN www.example.com that points to your single public IP.  But you use ports with this FQDN to get to different servers behind your NAT

    www.example.com:1234 goes to 192.168.1.100:1234
    www.example.com:4567 goes to 192.168.1.200:4567

    What services are on these ports? http/https?

    Why can you not just use a reverse proxy and different names so serverA.example.com goes to 192.168.1.100 and serverB.example.com goes to 192.168.1.200?

    You should always use a different FQDN to represent a different machine, or virtual site on the same httpd, etc.  Using ports is a workaround for when you only have 1 public IP and cannot use a reverse proxy to forward traffic based upon the FQDN.

    What services are you dealing with - is it just http/https?  Why all the oddball ports?

    If you use a reverse proxy for your outside users, then you can use the same FQDN inside with just split DNS..  Best solution, if you have all these different IPs internally you need to forward to, is get more public IPs ;)



  • Hi johnpoz, thanks for the reply

    You see, we have been using direct IPs and ports for a long time, mainly because we didn't have a firewall we could trust for better solutions.

    But anyway, that FQDN solution you gave could be something I've been meaning to do.

    Would you care to explain how I can pull it off in pfSense, in a way a beginner can understand?

    So in the end, using your example, I'd like to have

    servera.example.com  -> 192.168.0.100:1234  (still think it's really easier to type 1.1.1.1 rsrsrs)
    serverb.example.com  -> 192.168.0.200:4567

    using only HTTP, but I will be moving to HTTPS sometime in the near future.


  • LAYER 8 Global Moderator

    Might be easier to type sljfdsljdlfjdslfjdslsdfjfljdsljdlsjfdsljdfsljdfslfj but what is easier to understand ;)

    So this is just HTTP.. So why is it not just served up on 80??

    But if you want serverA.domain.tld to go to the .100 machine and serverB.domain.tld to go to the .200 machine regardless of what ports you might throw into the URL, then just install a reverse proxy package - squid off the packages is prob the easy choice, but I do believe you could also use the haproxy package.  Install squid, then Services > Reverse Proxy and follow the bouncing ball ;)

    Then set up either wildcard or A records, or even CNAMEs, so the different names you want to use all resolve to your public IP, not just the 1 FQDN.

    I don't see any reverse proxy in the docs, maybe that should be corrected.. But it really should be fill in the blanks..  Been a while since I played with it - but if you need some walkthrough, I could prob throw that together and put it in the docs.
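    The reverse-proxy setup johnpoz describes, combined with KOM's split DNS, as an added example that is not from this thread and not a file the pfSense package generates: a hand-written haproxy.cfg (the pfSense haproxy package builds an equivalent file from its GUI) that listens once on port 80 and picks the backend from the Host header, so no per-service port forwards and no NAT reflection are needed. The hostnames servera.example.com / serverb.example.com, the backends 192.168.0.100:1234 and 192.168.0.200:4567, and the timeout values are assumptions taken from the example above.

```conf
# Added example (not from the thread or the pfSense docs): HAProxy routing by
# hostname instead of by port. Names, addresses and ports are assumptions.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor          # tell the backends the real client IP (X-Forwarded-For)
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One public listener for every site. On pfSense this needs a single firewall
# rule allowing TCP/80 to the WAN address; the old per-port forwards go away.
# When moving to HTTPS, TLS is terminated here with a second "bind *:443 ssl crt"
# line and the backends keep talking plain HTTP.
frontend public_http
    bind *:80
    # Match the Host header the browser sends (browsers omit ":80" for plain HTTP).
    acl host_servera hdr(host) -i servera.example.com
    acl host_serverb hdr(host) -i serverb.example.com
    # A request for a bare IP or an unknown name matches no ACL: refuse it
    # instead of silently handing it to the first backend.
    http-request deny deny_status 403 unless host_servera or host_serverb
    use_backend be_servera if host_servera
    use_backend be_serverb if host_serverb

backend be_servera
    server servera 192.168.0.100:1234 check

backend be_serverb
    server serverb 192.168.0.200:4567 check
```

    For inside users this is where split DNS fits: a DNS Resolver host override per name (unbound `local-data: "servera.example.com. A <LAN address of the proxy>"`) makes the same URL resolve to the proxy's LAN side, while the public A records point at the WAN address. The non-transparent squid proxy on pfSense resolves names with the firewall's own resolver, so the overrides apply to proxied clients too, which is the case the GPO bypass above had to work around: with the proxy on, the connection to the WAN address was opened by squid from the firewall itself, and the reflection rules on the LAN interface never saw it. Because every server now has its own name, adding a third internal host is one more `acl`/`backend` pair plus one DNS record, not another port to remember.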



  • Thanks for replying.

    I will be looking into it,

    If you care enough, it would save a lot of time by appending this to the docs.

    thanks in advance.

