[solved] NAT: WAN->LAN OK, WAN->OPT broken
-
Hi everyone,
I'm trying to set up a rather simple NAT to my DMZ (on OPT1) and just can't make it work.
The setup is:
pfSense w. 3 interfaces:
-WAN (PPPoE)
-LAN (10.1.1.x)
-DMZ (10.4.x.x)

Port forwarding to several machines on LAN is working fine and has been for years.
Now I want to add port forwarding for TCP to a DMZ box. The rules look like

WAN TCP 3127 honeypot (ext.: 91.55.55.139) 3127

where honeypot is an alias for 10.4.xx.yy.
IP's are not messed up, routing between DMZ and LAN works just fine.
The rules are present in /tmp/rules.debug, too (one example):

rdr on ng0 proto tcp from any to (ng0IP) port { 3127 } -> 10.4.xx.yy

I also set logging on the permit rules on WAN, so I can see incoming packets on pflog:

2. 685047 rule 381/0(match): pass in on ng0: (my-would-be-attacker-root-server) > 10.4.xx.yy.3127: S 4117993112:4117993112(0) win 5840 <mss 1452,sackok,timestamp[|tcp]>

However, running tcpdump on sis2 (the opt1/DMZ interface) reveals no packets.
Packets sent from LAN do show up; just the packets from the WAN vanish. So, what am I missing?
I assume (and verified) that:
- Packets arrive at WAN, so the ISP does not block them
- rdr actually works, as revealed by pflog
- the pass rule works, as confirmed by pflog
- pfSense knows where to send the packets, as revealed by the test from LAN and the ARP entries.
nmap from the WAN-sided root server tells me "filtered",
and diag_states says:

tcp (would-be-attacker):47531 -> 10.4.xx.yy:3127 SYN_SENT:CLOSED
-
It won't work if you do not disable captive portal on OPT1.
If you do, so does NAT.
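The poster's reasoning (rdr present in rules.debug, pflog shows "pass in" with the translated destination, a state stuck in SYN_SENT:CLOSED, nothing on the OPT1 capture) is the standard way to localize a broken forward to "after pf, on the inside interface", which is where the captive-portal answer lands. The script below, added here as an example and not part of the thread or of pfSense, encodes that correlation so it can be run over captured output. The sample inputs are constructed: 203.0.113.7, 10.4.20.30 and 10.1.1.50 are placeholders for the masked addresses, the rules.debug and pflog lines copy the format quoted in the post, and the state lines follow the diag_states format in the post rather than raw `pfctl -ss` output.

```python
"""Correlate pfSense forward diagnostics: rules.debug + pflog + states + inside capture.

Example code written for this thread; the input formats are modelled on the lines
quoted in the post, and all addresses are constructed placeholders.
"""
import re

# --- constructed sample input (placeholder addresses) -------------------------
RULES_DEBUG = """\
rdr on ng0 proto tcp from any to (ng0) port { 3127 } -> 10.4.20.30
rdr on ng0 proto tcp from any to (ng0) port { 80 } -> 10.1.1.50
"""

# tcpdump -ttt style pflog output, as in the post (pass rule on WAN with logging on)
PFLOG = """\
2. 685047 rule 381/0(match): pass in on ng0: 203.0.113.7.47531 > 10.4.20.30.3127: S 4117993112:4117993112(0) win 5840 <mss 1452,sackok,timestamp[|tcp]>
3. 101212 rule 381/0(match): pass in on ng0: 203.0.113.7.47532 > 10.1.1.50.80: S 1:1(0) win 5840 <mss 1452,sackok,timestamp[|tcp]>
"""

# diag_states style lines (source -> translated destination  state)
STATES = """\
tcp 203.0.113.7:47531 -> 10.4.20.30:3127 SYN_SENT:CLOSED
tcp 203.0.113.7:47532 -> 10.1.1.50:80 ESTABLISHED:ESTABLISHED
"""

# What tcpdump on the inside interfaces (sis2 for OPT1, the LAN NIC) showed,
# reduced to (destination, port) pairs that were actually seen. Constructed.
INSIDE_SEEN = {("10.1.1.50", 80)}

# --- parsers -----------------------------------------------------------------
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\w+) from \S+ to \S+ "
    r"port \{?\s*(?P<port>\d+)\s*\}? -> (?P<target>\d+\.\d+\.\d+\.\d+)"
)
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
STATE_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<status>\S+)"
)


def parse_rdr(text):
    """Map (target_ip, port) -> rdr rule fields for every rdr line in rules.debug."""
    rules = {}
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules[(m["target"], int(m["port"]))] = m.groupdict()
    return rules


def parse_pflog(text):
    """Extract rule number, action, direction, interface and 4-tuple from pflog lines."""
    return [m.groupdict() for m in (PFLOG_RE.search(l) for l in text.splitlines()) if m]


def parse_states(text):
    """Extract the 4-tuple and the pf state pair (e.g. SYN_SENT:CLOSED) per state line."""
    return [m.groupdict() for m in (STATE_RE.match(l.strip()) for l in text.splitlines()) if m]


def diagnose(rules_debug, pflog, states, inside_seen):
    """Return a verdict per rdr target, following the thread's elimination steps."""
    logs, sts, verdicts = parse_pflog(pflog), parse_states(states), {}
    for key in parse_rdr(rules_debug):
        target, port = key
        # Step 1: did a packet pass in on WAN with the *translated* destination? (rdr worked)
        hits = [l for l in logs if l["dst"] == target and int(l["dport"]) == port and l["dir"] == "in"]
        if not hits:
            verdicts[key] = "no pflog entry with translated destination: rdr never matched or rule not logged"
            continue
        if all(h["action"] == "block" for h in hits):
            verdicts[key] = "rdr matched but WAN filter rule %s blocks it" % hits[-1]["rule"]
            continue
        # Step 2: what does the state table say about the target's reply?
        st = [s for s in sts if s["dst"] == target and int(s["dport"]) == port]
        status = st[-1]["status"] if st else None
        if status and status.startswith("ESTABLISHED"):
            verdicts[key] = "working"
        elif status == "SYN_SENT:CLOSED" and key not in inside_seen:
            # Step 3: state exists, but the SYN never appeared on the inside interface,
            # so it was dropped after pf (in the thread: captive portal enabled on OPT1)
            verdicts[key] = ("rdr and pass OK, state created, but SYN never seen on the inside "
                             "interface: dropped after pf on the OPT side (e.g. captive portal)")
        elif status == "SYN_SENT:CLOSED":
            verdicts[key] = "SYN reaches inside interface but target never answers: host firewall, service, or return route"
        else:
            verdicts[key] = "passed on WAN but no state: check state policy / interface binding"
    return verdicts


if __name__ == "__main__":
    for (ip, port), verdict in sorted(diagnose(RULES_DEBUG, PFLOG, STATES, INSIDE_SEEN).items()):
        print("%s:%d -> %s" % (ip, port, verdict))
```

Feed it `grep ^rdr /tmp/rules.debug`, a `tcpdump -n -e -ttt -i pflog0` capture filtered to the WAN interface, and the states page output; the set of inside-seen tuples comes from a parallel `tcpdump -n -i sis2` on the OPT interface.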