NAT/port forward and routing misconfiguration?



  • Hi everyone,

    I have been working with pfSense for some time now. Recently I experienced a behavior of pfSense that I do not fully understand. I hope that some of you have already had something similar and can help me to understand. Maybe I just did something wrong.
    To the point:

    my networks:
    untagged network is 192.168.0.0/22
    vlan80 network is 192.168.80.0/23

    host 192.168.80.2 (vlan 80) -> L3 SWITCH -> LAN | PFSENSE BOX (router, Internet) | LAN <- SWITCH untagged vlan 1

    PFSENSE BOX configuration:

    System\Routing\Static Routes

    Network
    192.168.80.0/23
    Gateway
    L3 SWITCH
    Interface
    LAN

    Temporarily I set the firewall to allow all TCP/UDP communication between the networks. Everything is working fine except one port. When I try to get from the 192.168.0.0/22 network to the vlan80 network on port 5900 (VNC), I bounce off the PFSENSE BOX (from the WAN address) with the message "destination is not reachable".

    When I delete this rule, communication on port 5900 works:

    Firewall \ NAT \ Port Forward

    Interface
    WAN
    Protocol
    TCP
    Source Address
    *
    Source Ports
    *
    Dest. Address
    WAN Net
    Dest. Ports
    5900
    NAT IP
    192.168.0.100
    NAT Ports
    5900

    Why does this rule affect LAN communication? Could someone explain to me why the WAN IP address is responding to me on the LAN interface?


  • LAYER 8 Netgate

    Why does this rule affect LAN communication?

    It wouldn't. We'll probably need to see the interface configurations and firewall rules for both the LAN and VLAN80 interfaces and a detailed description of exactly what is not working. As in what is the source address, destination address, protocol, and port.

    On an unrelated note, the destination of your NAT should probably be WAN address, not WAN net.



  • Hi Derelict, thank you for the answer,

    LAN is defined this way only:
    <lan>
    <ipaddr>192.168.2.254</ipaddr>
    <subnet>22</subnet>
    </lan>
    and we don't have a separate interface for vlan80. VLAN80 (in fact only its subnet) is used only in the "static routes" section, and for that network there is a defined gateway (L3 switch).
    Everything is pushed via the LAN interface (there are no interface groups, wireless, VLANs and so on defined).

    A FW rule:
    Protocol
    IPv4 TCP/UDP
    Source
    192.168.80.0/23
    Port
    *
    Destination
    *
    Port
    *
    Gateway
    *
    Queue
    none

    To be honest, we have about 50 rules on the FW in the LAN section, but the rule above was the one where this subnet (192.168.80.0/23) was used.
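As an added illustration of the two points raised in the replies above (a port forward bound to WAN is only evaluated for traffic entering on WAN, and a destination of "WAN net" matches every address in the WAN subnet while "WAN address" matches only the firewall's own address), here is a small Python model of the rule evaluation. It is not code from the thread or from pfSense. It parses the `<lan>` fragment and uses the static route and port-forward values posted above; the WAN addressing 203.0.113.10/24 and the sample source hosts are constructed placeholders, since the thread never states the WAN address.

```python
"""Model of pfSense port-forward evaluation for the rule in this thread.

Added example, not from the thread or from pfSense. The <lan> fragment, the
static route and the port-forward values are the posted ones; the WAN address
203.0.113.10/24 and the sample hosts are constructed placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# <lan> fragment as posted above (pfSense config.xml style).
LAN_XML = """<lan>
<ipaddr>192.168.2.254</ipaddr>
<subnet>22</subnet>
</lan>"""

# Constructed WAN addressing (not stated in the thread) so the rule can be evaluated.
WAN_ADDR = ipaddress.ip_interface("203.0.113.10/24")


def parse_interface(xml_text):
    """Return the interface address/prefix from a pfSense-style <ifname> fragment."""
    root = ET.fromstring(xml_text)
    ipaddr = root.findtext("ipaddr")
    prefix = root.findtext("subnet")
    return ipaddress.ip_interface(f"{ipaddr}/{prefix}")


LAN_ADDR = parse_interface(LAN_XML)                    # 192.168.2.254/22 -> LAN net 192.168.0.0/22
VLAN80_NET = ipaddress.ip_network("192.168.80.0/23")   # reached via the static route to the L3 switch


@dataclass
class PortForward:
    interface: str                 # interface the rule is bound to ("WAN" in the thread)
    proto: str
    dst: ipaddress.IPv4Network     # "WAN net" -> whole WAN subnet, "WAN address" -> /32
    dport: int
    nat_ip: str
    nat_port: int


def wan_net_rule():
    """The rule as posted: Dest. Address = WAN Net."""
    return PortForward("WAN", "tcp", WAN_ADDR.network, 5900, "192.168.0.100", 5900)


def wan_address_rule():
    """The rule as Derelict suggests: Dest. Address = WAN address (a single /32)."""
    return PortForward("WAN", "tcp", ipaddress.ip_network(f"{WAN_ADDR.ip}/32"),
                       5900, "192.168.0.100", 5900)


def ingress_interface(src):
    """Interface a packet enters on. With no VLAN80 interface on the box, both the
    LAN subnet and the routed VLAN80 subnet arrive via LAN; anything else via WAN."""
    src = ipaddress.ip_address(src)
    if src in LAN_ADDR.network or src in VLAN80_NET:
        return "LAN"
    return "WAN"


def route_for(dst):
    """Where pfSense would send a packet, per the posted interface and static route."""
    dst = ipaddress.ip_address(dst)
    if dst in LAN_ADDR.network:
        return "LAN (directly connected)"
    if dst in VLAN80_NET:
        return "LAN via static route (gateway L3 switch)"
    return "WAN (default route)"


def matches(rule, src, dst, proto, dport):
    """pf only evaluates a port forward on the interface it is bound to, then on
    protocol, destination port and destination address."""
    if ingress_interface(src) != rule.interface:
        return False
    if proto != rule.proto or dport != rule.dport:
        return False
    return ipaddress.ip_address(dst) in rule.dst


if __name__ == "__main__":
    # The flow from the thread: LAN host -> VLAN80 host on 5900 never hits the WAN rule.
    print(matches(wan_net_rule(), "192.168.0.50", "192.168.80.2", "tcp", 5900))
    print(route_for("192.168.80.2"))
    # "WAN net" vs "WAN address" for an inbound packet to a neighbour in the WAN subnet.
    print(matches(wan_net_rule(), "198.51.100.7", "203.0.113.77", "tcp", 5900))
    print(matches(wan_address_rule(), "198.51.100.7", "203.0.113.77", "tcp", 5900))
```

Running it shows that the LAN-to-VLAN80 flow described in the first post is never matched by the WAN-bound port forward in this model, and that the "WAN net" destination also catches inbound traffic addressed to other hosts in the WAN subnet, which is the scope difference behind the "WAN address" suggestion.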


  • LAYER 8 Netgate

    What?

    Post screenshots of all of this please.

