Netgate Discussion Forum

    Port forwarding using NAT dropping packets issue

    kyriakoy:

      Hi to all,

      I have a fairly simple network configuration with an internal LAN (192.168.1.x), a pfSense (2.4) box (10.0.0.20) and only one external IP (using a simple router) from my ISP.

      While I am migrating our old ISA solution to pfSense I face the following problem:
      I have to port forward multiple Nagios (NRPE) clients from the internal network to my unique external IP (different external ports) in order for our external Nagios server to communicate properly, but the Nagios (NRPE) test command shows CHECK_NRPE: Socket timeout after 60 seconds.

      So, with a straightforward process, I have set up a NAT rule from the external port to forward to an internal IP and port (internal Linux server) + the automatic firewall rule to allow traffic for this.

      So far:
      - I am running a test nmap command from my external server for both solutions (old working ISA and new pfSense)
      - I am running a test command from my external server for Nagios (NRPE) communication for both solutions (old working ISA and new pfSense)
      - The pfSense log shows that the firewall rule works and passes the traffic to the internal Linux client
      - I am running a tcpdump command on my internal Linux box for both solutions (old working ISA and new pfSense)

      The results:

      For nmap from the external server with the working old ISA setup:
      nmap --reason xx.xx.xx.xxx -p 15667
      Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-09 14:21 EEST
      Nmap scan report for xx.xx.xx.xxx
      Host is up, received echo-reply (0.077s latency).
      PORT STATE SERVICE REASON
      15667/tcp open unknown syn-ack

      For nmap from the external server with the new pfSense setup:
      nmap --reason xx.xx.xx.xxx -p 15667
      Starting Nmap 6.40 ( http://nmap.org ) at 2019-08-09 14:23 EEST
      Nmap scan report for xx.xx.xx.xxx (62.169.208.109)
      Host is up, received syn-ack (0.078s latency).
      rDNS record for xx.xx.xx.xxx: ipa109.211.myprovider.com
      PORT STATE SERVICE REASON
      15667/tcp filtered unknown no-response

      For tcpdump on the internal Linux box with the working old ISA setup:
      root@MYINTERALLINUXSERVER:/etc/nginx/sites-available# tcpdump port 5666
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      22:48:51.856839 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 1087712600, win 29200, options [mss 1304,sackOK,TS val 1625546298 ecr 0,nop,wscale 7], length 0
      22:48:51.856904 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [S.], seq 1775728356, ack 1087712601, win 14480, options [mss 1460,sackOK,TS val 70947103 ecr 1625546298,nop,wscale 6], length 0
      22:48:51.939986 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [.], ack 1, win 229, options [nop,nop,TS val 1625546319 ecr 70947103], length 0
      22:48:51.946013 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [P.], seq 1:126, ack 1, win 229, options [nop,nop,TS val 1625546319 ecr 70947103], length 125
      22:48:51.946047 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [.], ack 126, win 227, options [nop,nop,TS val 70947125 ecr 1625546319], length 0
      22:48:51.967912 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [P.], seq 1:217, ack 126, win 227, options [nop,nop,TS val 70947130 ecr 1625546319], length 216
      22:48:52.053080 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [.], ack 217, win 237, options [nop,nop,TS val 1625546347 ecr 70947130], length 0
      22:48:52.053512 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [P.], seq 126:252, ack 217, win 237, options [nop,nop,TS val 1625546347 ecr 70947130], length 126
      22:48:52.055051 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [P.], seq 217:443, ack 252, win 227, options [nop,nop,TS val 70947152 ecr 1625546347], length 226
      22:48:52.142924 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [P.], seq 252:1317, ack 443, win 245, options [nop,nop,TS val 1625546369 ecr 70947152], length 1065
      22:48:52.144689 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [P.], seq 443:1508, ack 1317, win 260, options [nop,nop,TS val 70947174 ecr 1625546369], length 1065
      22:48:52.238864 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [P.], seq 1317:1348, ack 1508, win 268, options [nop,nop,TS val 1625546393 ecr 70947174], length 31
      22:48:52.238904 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [F.], seq 1348, ack 1508, win 268, options [nop,nop,TS val 1625546393 ecr 70947174], length 0
      22:48:52.238963 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [P.], seq 1508:1539, ack 1348, win 260, options [nop,nop,TS val 70947197 ecr 1625546393], length 31
      22:48:52.240077 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [F.], seq 1539, ack 1349, win 260, options [nop,nop,TS val 70947198 ecr 1625546393], length 0
      22:48:52.322994 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [.], ack 1540, win 268, options [nop,nop,TS val 1625546414 ecr 70947197], length 0

      For tcpdump on the internal Linux box with the pfSense setup:
      root@MYINTERALLINUXSERVER:/etc/nginx/sites-available# tcpdump port 5666
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      22:49:39.531863 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, options [mss 1452,sackOK,TS val 1625558219 ecr 0,nop,wscale 7], length 0
      22:49:39.531925 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70958960 ecr 1625558219,nop,wscale 6], length 0
      22:49:40.529125 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, options [mss 1452,sackOK,TS val 1625558469 ecr 0,nop,wscale 7], length 0
      22:49:40.529165 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70959208 ecr 1625558219,nop,wscale 6], length 0
      22:49:40.935211 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70959310 ecr 1625558219,nop,wscale 6], length 0
      22:49:42.532796 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, options [mss 1452,sackOK,TS val 1625558970 ecr 0,nop,wscale 7], length 0
      22:49:42.532831 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70959707 ecr 1625558219,nop,wscale 6], length 0
      22:49:42.945051 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70959810 ecr 1625558219,nop,wscale 6], length 0
      22:49:46.540642 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, options [mss 1452,sackOK,TS val 1625559972 ecr 0,nop,wscale 7], length 0
      22:49:46.540684 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70960703 ecr 1625558219,nop,wscale 6], length 0
      22:49:46.968420 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70960810 ecr 1625558219,nop,wscale 6], length 0
      22:49:54.556556 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, options [mss 1452,sackOK,TS val 1625561976 ecr 0,nop,wscale 7], length 0
      22:49:54.556591 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70962697 ecr 1625558219,nop,wscale 6], length 0
      22:49:55.208335 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, options [mss 1460,sackOK,TS val 70962860 ecr 1625558219,nop,wscale 6], length 0

      As you can see, in the pfSense setup the Flags [.], ack and Flags [P.], seq packets are missing, which may indicate that pfSense is dropping packets.

      The NAT and firewall rules are all straightforward with defaults, and the pfSense logs show that they are working and pass the traffic.
      It's unlikely that the simple hardware router is causing the problem, because it passes traffic for ports 80 and 443 without problems.

      Any help is welcome ....

      Thanks,
      Nick

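As an added example that is not part of the original thread, here is a small Python script that parses tcpdump lines like the ones quoted above and flags flows where the server keeps answering SYN-ACK but no ACK from the client ever arrives; that pattern is the symptom behind the timeout described in this post (the SYN-ACK leaves the server but takes a different return path than the NAT firewall). The sample lines are constructed from the two captures above with the TCP options trimmed; nothing else is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines mirror the healthy ISA capture,
# the remaining four mirror the pfSense capture (repeated SYN / SYN-ACK, never
# an ACK). TCP options were trimmed from each line; the parser ignores them.
SAMPLE = """\
22:48:51.856839 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 1087712600, win 29200, length 0
22:48:51.856904 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.56233: Flags [S.], seq 1775728356, ack 1087712601, win 14480, length 0
22:48:51.939986 IP nagios.myexternalserver.com.56233 > MYINTERALLINUXSERVER.nrpe: Flags [.], ack 1, win 229, length 0
22:49:39.531863 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, length 0
22:49:39.531925 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, length 0
22:49:40.529125 IP nagios.myexternalserver.com.52732 > MYINTERALLINUXSERVER.nrpe: Flags [S], seq 2333740221, win 29200, length 0
22:49:40.529165 IP MYINTERALLINUXSERVER.nrpe > nagios.myexternalserver.com.52732: Flags [S.], seq 2709812462, ack 2333740222, win 14480, length 0
"""

# "<timestamp> IP <src> > <dst>: Flags [<flags>], ..."
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\]")

def parse(lines):
    """Yield (src, dst, flags) for every line that looks like a tcpdump TCP record."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def classify_handshakes(text):
    """Count SYN / SYN-ACK / client ACK per client endpoint and give each flow a verdict."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, dst, flags in parse(text.splitlines()):
        if flags == "S":                              # client opens: key flow by client
            flows[src]["syn"] += 1
        elif flags == "S." and dst in flows:          # server answers the client
            flows[dst]["synack"] += 1
        elif src in flows and flags in (".", "P.", "F."):  # client ACKs (or sends data)
            flows[src]["ack"] += 1
    for f in flows.values():
        if f["synack"] and f["ack"]:
            f["verdict"] = "completed"
        elif f["synack"] and f["syn"] > 1:
            # Server keeps answering, client keeps retrying: the SYN-ACK leaves the
            # server but never arrives. Classic asymmetric return path, e.g. the
            # server's default gateway is not the firewall that performed the NAT.
            f["verdict"] = "half-open"
        elif not f["synack"]:
            f["verdict"] = "no-synack"                # inbound SYN was never answered
        else:
            f["verdict"] = "incomplete"
    return dict(flows)

if __name__ == "__main__":
    for client, f in classify_handshakes(SAMPLE).items():
        print(f"{client}: {f}")
```

Feed it `tcpdump -n port 5666` output from the internal host: a "half-open" verdict with a growing SYN count points at the return path (routing/gateway on the server), not at the firewall's NAT or pass rule.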
      kyriakoy:

        OK, solved.
        Due to the test environment, my client MYINTERALLINUXSERVER was set to the wrong gateway.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.