Netgate Discussion Forum

Azure simple Port Forwarding

6 Posts 3 Posters 778 Views
    raymosely
    last edited by Aug 21, 2019, 9:01 PM

    Hi, all
    I am new to pfSense. Cisco ASA background is strong. I need to do a simple port forward and cannot get it to work.
    I set up a pfSense appliance in Azure from the Azure Marketplace. I added a second NIC.
    [Azure sets up a Public IP address which is not directly assigned to the first NIC. Azure creates an IP address and then
    NATs it to the private IP address of the first NIC.]
    So I have Public IP address > Private IP address > [pfSense] > 2nd NIC
    where the second NIC is on either the same subnet as the WAN NIC or on a different subnet.
    The port forward for this is 3389. I am logging a TCP SYN, but nothing after that. In a packet capture, I see the incoming
    RDP requests and nothing going out.
    I am using the instructions from the pfSense help pages and various blogs.
    Is there anyone with Azure experience who can shed light on this?

      KOM
      last edited by Aug 21, 2019, 9:52 PM

      Do you have WAN set to ignore private networks, which is the default? Your NAT won't accept traffic if the Block Private networks option is enabled, which sounds like what might be happening in your case.

        raymosely
        last edited by Aug 22, 2019, 12:29 AM

        I have tried this setting both ways. The Azure appliance defaults to not block private IPs. I have bogons only blocked.

          chpalmer
          last edited by Aug 22, 2019, 12:47 AM

          So you did a packet capture of the WAN interface?

          Did you also do a packet capture on the LAN interface?

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            raymosely
            last edited by Aug 22, 2019, 1:52 AM

            Honestly, I would not expect anything to traverse a firewall to another port without a complete TCP handshake. So no, I had not tried a packet capture on the LAN interface. I did just now, and nothing showed up.

              raymosely
              last edited by Aug 22, 2019, 6:43 PM

              I now have a SYN packet passing through the NAT rule to the LAN NIC. I am NATting to a Windows VM in Azure. I added Wireshark to that VM. The SYN packet never reaches the VM.
              Also, I can ping the LAN NIC from the VM (I added a firewall rule), and I can ping the VM from the pfSense server using an SSH connection.
              On the Azure VM network security group, I have opened access to anything from the Azure local vnet.
              On the Azure VM, I have disabled the Windows Firewall.
              On the pfSense LAN NIC, I have added a firewall rule to allow all TCP traffic.

              So it looks like the packets to be NATted are being blocked on the way out of the LAN NIC.
              Any ideas? Anyone?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.