Port forward not forwarding (yes, yet another thread.)
-
Hello.
I can't get port forwarding to work. Now, I've done it before a fair number of times. On m0n0wall, on pfSense elsewhere, etc. It's not like how to do it is a great mystery, either. But I must be missing something, so maybe someone else can spot it.
Yes, I have read https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting and considered 1-15 and I can't see any of those that might apply, except possibly the missing Virtual IP section. Currently, I have just the one on the WAN, .8.34 which is the CARP (and there are virtual carp IP's for all the internal LANs also, there are 4.)
We have two IP ranges, /28's (16 addresses). pfSense uses three of those (x.x.8.34, .35 and .36, with .34 being the shared CARP.)
I'm trying to forward .8.42 to the internal address 192.168.27.15, and it seems straightforward. It's just not working.
Attached the settings for the NAT rule and the associated FW rule.
The target machine has its firewall turned off entirely. The web server serves up port 443 just fine on the local network. It's gateway is set to 192.168.27.1, the firewall CARP ip.
Portscanning the .8.42 address from Mxtoolbox for instance shows 443 is closed. Trying to connect to the remote desktop gateway in this case from an external address doesn't work.
I'm sure it may be something simple, but I'll be hanged if I can figure it out.
-
So per the troubleshooting doc, you sniffed on the wan see this traffic, and then sniffed on the lan and don't see it go to where your forwarding, or you do see it forwarded?
-
Yes, I have read https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting and considered 1-15 and I can't see any of those that might apply, except possibly the missing Virtual IP section. Currently, I have just the one on the WAN, .8.34 which is the CARP (and there are virtual carp IP's for all the internal LANs also, there are 4.)
If you want to port forward 8.42 you need a VIP on WAN for 8.42. Make it type IP Alias and for Interface choose the WAN CARP VIP (8.34).
-
Ahh, so for all the 16 external IP's I have (except the 3 used by the fw's and CARP), I set up an IP Alias to point at the CARP VIP?
I had a feeling it had something to do with the fact that I'm trying to forward to addresses that aren't the actual WAN one, and was looking at issue 7 in the guide, but couldn't really wrap my head around it off hand. Thanks, I'll give that a whirl, appreciate it.
Edit: Great! That fixed it. No more cranky users. Thanks for the ELI5 explanation.