Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    nat/port forward and routing misconfigurtion ?

    NAT
    2
    4
    94
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      B_IT last edited by

      Hi everyone,

      I'm working with a pfsense for some time now. Recently I experienced a behavior of pfsense that I do not fully understand. I hope that some of you already had something similar and help me to understand - Maybe I just did something wrong
      To the point:

      my networks:
      untagged network is 192.168.0.0/22
      vlan80 network is 192.168.80.0/23

      host 192.168.80.2 (vlan 80) -> L3 SWITCH -> LAN | PFSENSE BOX (router, Internet) | LAN <- SWITCH untagged vlan 1

      PFSENSE BOX configuration:

      System\Routing\Static Routes

      Network
      192.168.80.0/23
      Gateway
      L3 SWITCH
      Interface
      LAN

      Temporary I set firewall to allow all TCP/UDP communication between networks. Everything is working fine except one port. When I try to get from the 192.168.0.0/22 network to the vlan80 network on the port 5900 (vnc) I bounce off the PFSENSE BOX (from the WAN address) with the a message "destination is not recheable"

      when I delete this rule communication on port 5900 works:

      Firewall \ NAT \ Port Forward

      Interface
      WAN
      Protocol
      TCP
      Source Address
      *
      Source Ports
      *
      Dest. Address
      WAN Net
      Dest. Ports
      5900
      NAT IP
      192.168.0.100
      NAT Ports
      5900

      Why this rule affect LAN communication? Could someone explain to me why WAN IP Address responding me o LAN Internet?

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        Why this rule affect LAN communication?

        It wouldn't. We'll probably need to see the interface configurations and firewall rules for both the LAN and VLAN80 interfaces and a detailed description of exactly what is not working. As in what is the source address, destination address, protocol, and port.

        On an unrelated note the destination of your NAT should probably be WAN accress not WAN net.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • B
          B_IT last edited by

          Hi Derelict, thank you for an answer,

          LAN is defined this way only:
          <lan>
          <ipaddr>192.168.2.254</ipaddr>
          <subnet>22</subnet>
          </lan>
          and we don't have a separate interface for vlan80. VLAN80 (in fact only his subnet) is used only in "static routes" section and for that network there is a defined gateway (L3 switch)
          Everything is pushed via the LAN interface (there are no interface groups, Wireless, VLANs and so on defined)

          a FW rule:
          Protocol
          IPv4 TCP/UDP
          Source
          192.168.80.0/23
          Port
          *
          Destination
          *
          Port
          *
          Gateway
          *
          Queue
          none

          to be honest we have got about 50 rules on FW in LAN section, but the rule above was the one were this subnet (192.168.80.0/23) was used.

          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            What?

            Post screenshots of all of this please.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy