    NAT port forward - What am I doing wrong?

    shlomia

      Hi,

      I'm trying to create a simple NAT rule:

      Source Address *
      Source Ports *
      Dest. Address MyExternalIP
      Dest. Ports 80
      NAT IP 192.168.30.109 ( My webserver )
      NAT Ports 80

      Now, when I try to go to my ExternalIP, I get:

      The connection has timed out

      When I go to 192.168.30.109 directly, I get my default website.

      Am I missing something? Did I not configure it properly?

      KOM

        1. Are you testing from LAN or WAN?  Test from WAN.

        2. Is your pfSense WebGUI listening on that same port and IP address?

        3. Do you have the complementary WAN rule that allows the forward to pass traffic?  This is usually auto-created when you create the NAT rule, but best to check.

        shlomia

          @KOM:

          1. Are you testing from LAN or WAN?  Test from WAN.

          2. Is your pfSense WebGUI listening on that same port and IP address?

          3. Do you have the complementary WAN rule that allows the forward to pass traffic?  This is usually auto-created when you create the NAT rule, but best to check.

          Hi, thank you for the reply.
          1. I'm testing from WAN; I test it by a hosts file change, though.
          2. My pfSense WebGUI is listening on a different port and uses a different IP.
          3. Yes, I have that rule.

          Grimson

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            KOM

              I'm testing from WAN, I test it by hosts file change though.

              Sorry, what?  Hosts file change??  What do you mean by this?

              shlomia

                @KOM:

                I'm testing from WAN, I test it by hosts file change though.

                Sorry, what?  Hosts file change??  What do you mean by this?

                I mean, I have a site on my web server with the hostname example.com listening on port 80, so I just try to put my new NAT-forwarded IP in the hosts file.

                shlomia

                  Let me explain it a little bit better.

                  My topology is like that:

                  Firewall > Squid > Webserver.

                  So when I configure my external IP to forward to Squid, and from Squid to the web server, it does work.
                  When I configure my external IP to forward to my web server directly, it doesn't work.
                  On my web server I don't have any local firewall.

                  KOM

                    Again, what hosts file??  On your client system??

                    It's usually pretty straightforward.  Assuming your web server works as expected from LAN, a NAT of 80 to it should just work.  I've never used Squid as a reverse proxy for the servers I have here.  It just works.  Perhaps post screenshots of your NATs & WAN rules, with public details obscured.

                    You said you have pfSense WAN on a different IP address.  Are you using Virtual IPs to handle your NAT?

                    shlomia

                      @KOM:

                      Again, what hosts file??  On your client system??

                      It's usually pretty straightforward.  Assuming your web server works as expected from LAN, a NAT of 80 to it should just work.  I've never used Squid as a reverse proxy for the servers I have here.  It just works.  Perhaps post screenshots of your NATs & WAN rules, with public details obscured.

                      You said you have pfSense WAN on a different IP address.  Are you using Virtual IPs to handle your NAT?

                      Yes, the hosts file on my client system; I just use this instead of changing the DNS of my hostname.
                      I'm using a virtual IP to handle my NAT.
                      I will post screenshots ASAP.

                      chpalmer

                        Firewall on webserver?

                          Grimson

                          @shlomia:

                          Yes, Hosts file on my client system, I just use this instead of changing the DNS of my hostname.

                          Then you are still testing from LAN, because the request is entering pfSense from the LAN interface.

                            KOM

                            As Grimson said, you're still testing from LAN.  Use your phone (not on Wifi!) or someone else's PC not on your network to test.  For virtual IP, you're using an IP Alias type of VIP?

                              shlomia

                              I'm using a virtual IP alias.
                              And for the hosts testing, I'm testing from a PC outside of my network.

                                KOM

                                You mentioned squid before.  Are you using it as a reverse proxy?

                                  shlomia

                                  @KOM:

                                  You mentioned squid before.  Are you using it as a reverse proxy?

                                  I'm using it as a transparent proxy; I just use it to redirect my websites to the internal web server IP.
                                  I have to mention that when I put my web server IP as the NAT IP, it doesn't work. When I put my Squid IP as the NAT IP, it works.

                                    KOM

                                    Use pfSense's traffic sniffer on WAN and LAN to see if the requests are hitting your WAN, and to see if they're going out to LAN.  Does your web server see any incoming traffic from your tests in its log?

                                      shlomia

                                      I have done some tests. So, as I said, when I create the following rule:

                                      Source Address - *
                                      Source Ports - *
                                      Destination Address - ExternalIP(62.0.67.1)
                                      Destination Ports - 80
                                      NAT IP - SquidIP(192.168.30.4)
                                      NAT Port - 1080 ( Squid Port )

                                      It seems to work, but only when Squid is the middle man.
                                      My Squid is set as a transparent proxy and just redirects to my web server, which is in the same LAN (everything is in the same LAN).

                                      Now, when I don't want to use Squid, I create the following rule:
                                      Source Address - *
                                      Source Ports - *
                                      Destination Address - ExternalIP(62.0.67.1)
                                      Destination Ports - 80
                                      NAT IP - Web Server IP(192.168.30.5)
                                      NAT Port - 80

                                      It doesn't work; I get a timeout.

                                      Now, I tried to capture packets on pfSense:
                                      WAN -
                                      11:25:27.363309 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
                                      11:25:30.362450 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
                                      11:25:36.362645 IP 212.199.90.10.36976 > 62.0.67.1.80: tcp 0
                                      11:25:48.374788 IP 212.199.90.10.36990 > 62.0.67.1.80: tcp 0
                                      11:25:48.625828 IP 212.199.90.10.36994 > 62.0.67.1.80: tcp 0

                                      LAN -
                                      11:28:37.402013 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
                                      11:28:40.404922 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
                                      11:28:46.405093 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
                                      11:28:58.416887 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
                                      11:28:58.667985 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
                                      11:29:01.415594 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
                                      11:29:01.667845 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0
                                      11:29:07.413293 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
                                      11:29:07.666085 IP 212.199.90.10.37272 > 192.168.30.5.80: tcp 0

                                      I don't get any packets with Wireshark on the web server either.
                                      Windows Firewall is disabled on the web server and there is no firewall in between.

                                        shlomia
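The LAN capture in the post above shows only client-to-server packets, retried from the same client port, with nothing coming back from 192.168.30.5. As an added example (not from the thread or from pfSense), here is a small Python parser for capture lines in that format that groups packets per client flow and reports whether the server ever answered at the capture point; the sample lines are constructed to match the post's addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the pfSense packet-capture format quoted in the thread
# (client 212.199.90.10, web server 192.168.30.5:80, as in the LAN capture above).
LAN_CAPTURE = """\
11:28:37.402013 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:40.404922 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:46.405093 IP 212.199.90.10.37258 > 192.168.30.5.80: tcp 0
11:28:58.416887 IP 212.199.90.10.37270 > 192.168.30.5.80: tcp 0
"""

# One capture line: time IP src.port > dst.port: proto length
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

def parse_capture(text):
    """Parse capture summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                         "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])})
    return pkts

def flow_summary(pkts, server_ip, server_port):
    """Per client (ip, port): packets sent to the server vs. packets the server sent back."""
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for p in pkts:
        if p["dst"] == server_ip and p["dport"] == server_port:
            flows[(p["src"], p["sport"])]["to_server"] += 1
        elif p["src"] == server_ip and p["sport"] == server_port:
            flows[(p["dst"], p["dport"])]["from_server"] += 1
    return dict(flows)

def diagnose(pkts, server_ip, server_port):
    """'no-traffic': the forward never reached this capture point; 'one-way': client
    packets arrive (and are retried) but nothing comes back; 'two-way': the server answers."""
    flows = flow_summary(pkts, server_ip, server_port)
    if not flows:
        return "no-traffic"
    if all(f["from_server"] == 0 for f in flows.values()):
        return "one-way"
    return "two-way"
```

Run the same function over the WAN capture and over a capture taken on the server itself to see at which hop the reply direction disappears.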

                                        Here is an update:

                                        https://i.imgur.com/pezs341.png

                                        These are the results from Wireshark. I created a new web server and NAT'd to it; I do get some packets in Wireshark, but I still get a timeout in my browser.

                                          KOM

                                          You know you can embed images here directly eh?

                                          I'm not sure why you keep mentioning Squid.  Squid is a web proxy for LAN users going out.  It can also be used as a reverse proxy, but a single guy at home with one web server doesn't really fall into the typical use case for a reverse proxy.  I wonder if that may be the root of your problem.  A straight port 80/tcp port-forward is usually the easiest thing in the world.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.