NAT Portforwarding - tcpdump - Debug (Packet Capture) - difference

  • Hi,

    I have some trouble here with a new pfsense & NAT Port Forwarding.

    tcpdump -n -i vmx5

    11:49:19.550967 IP x.x.190.16.30490 > x.x.190.20.443: Flags [S], seq 4086420366, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1489436623 ecr 0

    This packet does not arrive in the pfsense Packet Capture trace for this interface, but I can see other traffic here.
    Have switched on the FW rule logging, but there is nothing in the logs. The NAT rule should forward https to an internal box.

    How to debug, which component causes the drop?



  • LAYER 8 Global Moderator

    What do you mean doesn't show up in pfsense packet capture.. If it doesn't show up in the pfsense packet capture - then pfsense is not seeing it..  And now you cannot forward it.

    Your issue is with your VM setup if you see it on the host's NIC, but pfsense is not seeing it.

  • Hi,

    to clarify.

    I performed an ssh to pfsense and entered "8" shell (in the pfsense VM).

    Then I entered:

    root: tcpdump -n -i vmx5 host x.x.x.16
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vmx5, link-type EN10MB (Ethernet), capture size 65535 bytes
    14:00:08.777371 ARP, Request who-has x.x.x.20 (ff:ff:ff:ff:ff:ff) tell x.x.x.16, length 46
    14:00:08.777393 ARP, Reply x.x.x.20 is-at 00:50:56:98:e9:69, length 28
    14:00:08.778531 IP x.x.x.16.23812 > x.x.x.20.443: Flags [S], seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496915945 ecr 0,sackOK,eol], length 0
    14:00:09.977839 IP x.x.x.16.23812 > x.x.x.20.443: Flags [S], seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496916945 ecr 0,sackOK,eol], length 0
    14:00:11.179268 IP x.x.x.16.23812 > x.x.x.20.443: Flags [S], seq 585814211, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1496917945 ecr 0,sackOK,eol], length 0

    I can see the packet in the VM tcpdump trace in pfsense, so it arrives at the VM's ethernet adapter.

    In the packet capture trace on pfsense side (http://fwwan/diag_packet_capture.php), I see a lot of ARP packets BUT NOT the previous tcpdumped packet.

    I would like to understand who dropped the packet in between?



  • LAYER 8 Global Moderator

    ok so that is the wan of pfsense seeing the packet, but you're saying you cannot see these packets via packet capture in pfsense using the same interface?

    Is this IP public or private that is sending the traffic?

    Do you do the same capture on the interface the traffic is supposed to be forwarded to?

    Have you gone through the troubleshooting doc?
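
An added example, not part of any post in this thread: one way to act on the "capture on both interfaces" question is to save the `tcpdump -n` text from the inbound interface and from the interface the forward points to, then match SYNs across the two. The function names, addresses and capture lines are constructed, and the matching assumes the port forward rewrites only the destination, so the client ip.port and initial sequence number are identical on both sides (not true if the rule modulates sequence numbers).

```python
import re

# One-line TCP summary as printed by `tcpdump -n`.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)")

def syn_attempts(capture_text):
    """Return ({(client, seq): [timestamps]}, {clients that received a SYN-ACK})."""
    syns, answered = {}, set()
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ARP, tcpdump banner, truncated lines
        if m["flags"] == "S":
            syns.setdefault((m["src"], int(m["seq"])), []).append(m["ts"])
        elif m["flags"] == "S.":
            answered.add(m["dst"])  # a SYN-ACK is addressed to the client ip.port
    return syns, answered

def locate_drop(ingress_text, egress_text):
    """Map each client ip.port seen on ingress to (verdict, SYNs seen on ingress)."""
    in_syns, _ = syn_attempts(ingress_text)
    out_syns, answered = syn_attempts(egress_text)
    verdicts = {}
    for (client, seq), stamps in in_syns.items():
        if (client, seq) not in out_syns:
            verdict = "not forwarded: dropped or unmatched on the firewall"
        elif client in answered:
            verdict = "forwarded and answered"
        else:
            verdict = "forwarded, no SYN-ACK from the internal host"
        verdicts[client] = (verdict, len(stamps))
    return verdicts

# Constructed sample captures (documentation and private addresses).
INGRESS = """
14:00:08.778531 IP 198.51.100.16.23812 > 198.51.100.20.443: Flags [S], seq 585814211, win 65535, length 0
14:00:09.977839 IP 198.51.100.16.23812 > 198.51.100.20.443: Flags [S], seq 585814211, win 65535, length 0
14:00:11.179268 IP 198.51.100.16.23812 > 198.51.100.20.443: Flags [S], seq 585814211, win 65535, length 0
14:00:12.100000 IP 198.51.100.16.23900 > 198.51.100.20.443: Flags [S], seq 700000001, win 65535, length 0
14:00:13.200000 IP 198.51.100.16.23950 > 198.51.100.20.443: Flags [S], seq 800000001, win 65535, length 0
"""
EGRESS = """
14:00:12.100050 IP 198.51.100.16.23900 > 192.168.10.5.443: Flags [S], seq 700000001, win 65535, length 0
14:00:12.100900 IP 192.168.10.5.443 > 198.51.100.16.23900: Flags [S.], seq 42, ack 700000002, win 65535, length 0
14:00:13.200050 IP 198.51.100.16.23950 > 192.168.10.5.443: Flags [S], seq 800000001, win 65535, length 0
"""

if __name__ == "__main__":
    for client, (verdict, count) in locate_drop(INGRESS, EGRESS).items():
        print(client, count, verdict)
```

A SYN that repeats on the inbound side with the same sequence number and never appears on the forwarded side points at the firewall's NAT or rule matching rather than at the internal host.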

  • Hi Johnpoz,

    it's a public IPV4 IP (we own 5) and yes I followed the instructions but no hit.
    I assume that this is my fault, I had not touched a pfsense before (only a couple of other enterprise FW products) but I have no idea what's wrong.
    A NAT forwarding rule/FW rule (for 443) exists, the internal IP and port in the NAT rule are okay, I can ping this address from the pfsense shell
    and receive traffic on the WAN/LAN interface.



  • Hi,

    have to mention that I use the Interface OPT4 / not WAN.
    Is there any difference here?



  • LAYER 8 Global Moderator

    "have to mention that I use the Interface OPT4 / not WAN."

    Well if you're not using wan then you have to make sure your forward is using the correct interface..  Why would you not be using wan for your internet connection?

    "it's a public IPV4 IP (we own 5) and yes"

    So is this to 1 of the 5 IPs, you set them up as VIPs?  Or is this to the IP on the actual interface?

  • In fact we have 5 static public IPs plus 1 dynamic public IP (Backup).
    Because we need 5 times inbound port 443 (IT consulting company, e.g. for banks, Telcos etc, ask there for a FW change) to reach internal services and our ISP supports no subnet routing, I have to define 6 WAN interfaces. Any other way?


  • have also to mention, for SURE I tcpdumped and captured the packet trace on the OPT4 (for my purpose WAN) port and defined the NAT and FW rules for the interface.
    But I see no tagging in the pfsense interface definition to define OPT4 is WAN or DMZ or LAN ...

  • LAYER 8 Global Moderator

    "I have to define 6 WAN interfaces. Any other way?"

    Huh???  You would normally just put the vips on the interface actually connected.  I don't even think pfsense will let you bring up another interface in the same network??  So at a complete loss as to what you have done.

    If you have been given say where gateway is and you can use .2 -.6  You would say give pfsense the .2, then create VIPs on this interface for your .3, .4, etc.  You would then forward your traffic that hits your different vips.. Ie if dest is port 80 forward to, if hit .5 then, etc.

    You can name optX anything you want.  If you gave it a gateway on the interface then it would auto think its a "wan" interface and allow for natting to this interface, etc.  This is how you bring up different wan connections when you have different ISPs etc.

    But again I am like 99.99% sure pfsense will not let you create another interface and put an IP on it that overlaps another interface's network..  So what you have done I have no idea.
