[solved] NAT: WAN->LAN OK, WAN->OPT broken



  • Hi everyone,

    I'm trying to set up a rather simple NAT to my DMZ (on OPT1) and just can't make it work.

    The setup is:
    pfSense with 3 interfaces:
    - WAN (PPPoE)
    - LAN (10.1.1.x)
    - DMZ (10.4.x.x)

    Port forwarding to several machines on LAN is working fine and has been for years.
    Now I want to add port forwarding for TCP to a DMZ Box.

    The rules look like:
    WAN TCP 3127 honeypot(ext.: 91.55.55.139) 3127

    where honeypot is an alias to 10.4.xx.yy

    IPs are not messed up; routing between DMZ and LAN works just fine.

    The rules are present in /tmp/rules.debug, too:
    rdr on ng0 proto tcp from any to (ng0IP) port { 3127 } -> 10.4.xx.yy
    (one example)

    I also set logging on the permit rules on WAN, so I can see incoming packets on pflog:

    2. 685047 rule 381/0(match): pass in on ng0: (my-would-be-attacker-root-server) > 10.4.xx.yy.3127: S 4117993112:4117993112(0) win 5840 <mss 1452,sackOK,timestamp[|tcp]>

    However, running tcpdump on sis2 (the opt1/DMZ interface) reveals no packets.
    Packets sent from LAN do show up, just packets from the WAN vanish.

    So, what do I miss?
    I assume, and have verified, that:

    1. Packets arrive at WAN, so ISP does not block them
    2. rdr actually works, as revealed by pflog
    3. pass rule works, as confirmed by pflog
    4. pfSense knows where to send the packets, as revealed by tests from LAN and ARP entries.

    nmap from the WAN-sided root server tells me "filtered"
    and diag_states says

    tcp (would-be-attacker):47531 -> 10.4.xx.yy:3127 SYN_SENT:CLOSED
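A small state-table triage script, added here as an example and not part of the original post or of pfSense: it reads lines in the "proto src:port -> dst:port state" layout quoted from diag_states above and counts forwarded TCP connections stuck in SYN_SENT:CLOSED, i.e. cases where pf passed and redirected the SYN but nothing ever came back from the internal host. The addresses and the internal prefixes are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout the thread quotes from diag_states
# (placeholder addresses, not real hosts).
SAMPLE_STATES = """\
tcp 203.0.113.10:47531 -> 10.4.1.20:3127 SYN_SENT:CLOSED
tcp 203.0.113.10:47532 -> 10.4.1.20:3127 SYN_SENT:CLOSED
tcp 203.0.113.11:51000 -> 10.1.1.5:22 ESTABLISHED:ESTABLISHED
tcp 10.1.1.7:40000 -> 10.4.1.20:3127 ESTABLISHED:ESTABLISHED
udp 203.0.113.12:514 -> 10.1.1.5:514 SINGLE:NO_TRAFFIC
"""

STATE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Parse state lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_internal(addr, prefixes):
    return any(addr.startswith(p) for p in prefixes)


def half_open_forwards(text, internal_prefixes):
    """Count TCP states per (dst, dport) where the SYN came from outside,
    was passed toward an internal host, and the host side is still CLOSED.
    The rdr and pass rules did their job for these; the problem sits between
    pf and the host (as with the captive portal in this thread)."""
    counts = Counter()
    for s in parse_states(text):
        if s["proto"] != "tcp" or is_internal(s["src"], internal_prefixes):
            continue  # not a forwarded connection from the WAN
        if is_internal(s["dst"], internal_prefixes) and s["state"] == "SYN_SENT:CLOSED":
            counts[(s["dst"], int(s["dport"]))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dst, port), n in half_open_forwards(SAMPLE_STATES, ("10.1.", "10.4.")).items():
        print(f"{dst}:{port}: {n} forwarded SYN(s) never answered by the host")
```

On a live box the same lines can be fed in from the state table instead of the constructed sample.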



  • It won't work if you do not disable captive portal on OPT1.

    If you do, so does NAT.

