NAT driving me NUTS!



  • Hi All,

    I'm at the verge of going bald here, so I really hope one of you knowledgeable peeps can give me a helping hand.

    I have installed pfsense on a server that has two network cards. One is directly connected to the internet (212.69.10.xxx / 255.255.255.0) and the other is the internal network (192.168.1.xxx / 255.255.255.0).

    What I am trying to do is forward everything that comes in on port 80 and 443 to an internal server on address 192.168.1.80.

    I have opened up the firewall to allow these ports through. This I definitely know works, because first of all on visiting http://212.69.10.xxx externally I was taken to the pfsense admin panel. I thought this may have caused issues further down the line so I changed the pfsense admin port to 9090. I also checked the firewall logs and saw that the rules were working in there and allowing traffic through.

    HOWEVER, getting the incoming traffic on 80 and 443 redirected to my internal IP 192.168.1.80 is proving IMPOSSIBLE.

    I set up the NAT (port forwarding rules) to forward anything on the mentioned ports to the internal IP address. Yet when I browse to http://212.69.10.xxx now I get a timeout and not the web page hosted on the server behind the firewall.

    The pfsense server can definitely see the web server as it can ping it, and also from the pfsense command console I can telnet to the server on port 80. So connectivity definitely isn't an issue here.

    As a further test, I formatted the server with Windows 2008 Server, configured the firewall and installed a port forwarding program. This worked perfectly…so there's got to be something in pfsense I'm missing.

    Please help before I find the nearest bridge and throw myself off!



  • I went through the same thing the first time I got pfsense and tried to set up a webserver behind that pfsense box. To make sure I don't forget anything I am going to start from the top:

    Go to Firewall -> NAT -> and add a port forward rule
                       Interface = WAN
                       External address = Interface Address
                       External Port range = 80 to 80
                       NAT IP = Webserver IP
                       Local Port = 80
                       Check 'Auto Add firewall rule'
    Click Save.

    Now you have a NAT rule and a Firewall rule.

    Go to System -> Advanced
                      Look for the NAT Section (towards the bottom)
                      Uncheck 'Disable NAT Reflection'
                      Click Save

    Good Luck.



  • Cheers for the reply. I did come across another thread suggesting unticking that option and gave it a try for myself. Unfortunately it didn't make any difference.

    But, I'm going to give pf a fresh install and try again from scratch. I've played with so many options that the install is probably tainted now.



  • Sorry for double post but still no luck I'm afraid. Exactly the same issue as before :(

    Firewall allows the traffic through, then NAT just doesn't direct it where it's told :(

    EDIT:

    I'm not sure if this means anything, but while hunting through the diagnostic tools I saw this in the 'States' section while trying to connect to the webserver:

    tcp 192.168.1.80:80 <- 212.69.10.xxx:80 <- 212.69.52.xxx:52457

    (the 212.69.52.xxx address is the external ip address of my laptop)


  • Rebel Alliance Developer Netgate

    Sounds like your firewall rule is the issue.

    If you "opened up" port 80 and got the WebGUI, you likely had a destination address of the WAN interface IP, and not the internal IP of the web server.

    The firewall rule should allow traffic from * to <web server LAN IP> port 80. (and 443).

    Give that a try and see if it helps.



  • At the time I had no NAT set up at all. So I'm guessing in the absence of any NAT rules the Firewall simply opens up the ports and any incoming requests are just served by pfsense (hence me getting the Webgui). I'll post screenshots of my config in a mo

    EDIT:



  • OK I'm really clutching at straws now…

    To check that it wasn't anything weird to do with both my external and internal IPs having the same subnet, I changed my internal network to 10.x.x.x and set up a server with SSH installed. I did port forwarding and firewall rules for port 22 and STILL no joy. I wasn't able to connect.

    This log in States diagnostic looks interesting though:

    tcp  10.0.0.1:22 <- 212.69.10.xxx:22 <- 212.69.52.xxx:53301  CLOSED:SYN_SENT 
    tcp 212.69.52.xxx:53301 -> 10.0.0.1:22 SYN_SENT:CLOSED
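    As an added illustration (my own script, not something from this thread or from pfSense), here is a small parser for state lines in the layout shown above. It reads each state, groups the two entries that belong to one connection, and flags a pair stuck at SYN_SENT/CLOSED: pfSense forwarded the SYN but never saw a SYN-ACK come back through it. The sample lines are constructed (the first two copy the two entries above, the other two are a made-up healthy connection from another client), and the regexes assume the layout exactly as the States page shows it, which is simpler than raw pfctl -ss output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first two lines mirror the two states quoted in the
# post (with the poster's "xxx" anonymisation kept); the last two are a
# constructed healthy connection from a different client, for contrast.
SAMPLE_STATES = """\
tcp  10.0.0.1:22 <- 212.69.10.xxx:22 <- 212.69.52.xxx:53301  CLOSED:SYN_SENT
tcp 212.69.52.xxx:53301 -> 10.0.0.1:22 SYN_SENT:CLOSED
tcp  10.0.0.1:22 <- 212.69.10.xxx:22 <- 198.51.100.7:40001  ESTABLISHED:ESTABLISHED
tcp 198.51.100.7:40001 -> 10.0.0.1:22 ESTABLISHED:ESTABLISHED
"""

HOST = r"(\S+):(\d+)"
# Inbound state carrying a port-forward translation: final-dst <- wan-addr <- client
RDR_RE = re.compile(rf"^(\w+)\s+{HOST}\s+<-\s+{HOST}\s+<-\s+{HOST}\s+([A-Z_]+):([A-Z_]+)\s*$")
# State without a translation, inbound (a <- b) or outbound (a -> b)
PLAIN_RE = re.compile(rf"^(\w+)\s+{HOST}\s+(<-|->)\s+{HOST}\s+([A-Z_]+):([A-Z_]+)\s*$")


@dataclass
class State:
    proto: str
    client: str              # initiating host:port
    server: str              # final (post-NAT) destination host:port
    via: Optional[str]       # WAN address:port the SYN originally hit, for port-forward states
    states: Tuple[str, str]  # the two TCP state names as printed; orientation is not assumed


def parse_state(line: str) -> Optional[State]:
    """Parse one line in the layout shown on the States page; None if it does not fit."""
    m = RDR_RE.match(line)
    if m:
        proto, d_ip, d_port, v_ip, v_port, c_ip, c_port, s1, s2 = m.groups()
        return State(proto, f"{c_ip}:{c_port}", f"{d_ip}:{d_port}", f"{v_ip}:{v_port}", (s1, s2))
    m = PLAIN_RE.match(line)
    if m:
        proto, a_ip, a_port, arrow, b_ip, b_port, s1, s2 = m.groups()
        left, right = f"{a_ip}:{a_port}", f"{b_ip}:{b_port}"
        # "->" is an outbound state: the left side initiated; "<-" is inbound: the right side did
        client, server = (left, right) if arrow == "->" else (right, left)
        return State(proto, client, server, None, (s1, s2))
    return None


def parse_states(text: str) -> List[State]:
    return [s for s in (parse_state(l) for l in text.splitlines()) if s is not None]


def diagnose(states: List[State]) -> Dict[Tuple[str, str], str]:
    """Group the states of each client->server connection and classify its handshake."""
    groups: Dict[Tuple[str, str], List[State]] = {}
    for s in states:
        groups.setdefault((s.client, s.server), []).append(s)
    verdicts: Dict[Tuple[str, str], str] = {}
    for conn, group in groups.items():
        names = {n for s in group for n in s.states}
        if "SYN_SENT" in names and names <= {"SYN_SENT", "CLOSED"}:
            # One side sent a SYN, the other never answered through this firewall:
            # the SYN-ACK is leaving by another path (or nothing is listening).
            verdicts[conn] = "asymmetric-return"
        elif names == {"ESTABLISHED"}:
            verdicts[conn] = "established"
        else:
            verdicts[conn] = "other"
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in diagnose(parse_states(SAMPLE_STATES)).items():
        print(f"{client} -> {server}: {verdict}")
```

    The States page is only a snapshot: a brand-new connection also sits at SYN_SENT:CLOSED for a moment, so it is a pair that stays that way across several refreshes that tells you the reply never came back through pfSense. Since the poster can telnet to the server from the pfSense console, "nothing listening" is ruled out, which leaves the return path.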



  • Try these steps. Let me know if you still cannot get it working.

    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • The only condition that I can see I don't meet is the Gateway for my internal machines being set to the pfsense server. I can't really change these as I will lose connectivity to more important things.

    Is there any way I can get round this? I was able to port forward using a Windows Server without any configuration changes to any of my machines.



  • Hmmm. Maybe static routes?
    I tried to do just that a long time ago and never got it working. I had to configure my server with pfsense as the default gateway. I hope you can figure it out. I am sure someone on this forum must know.



  • So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
    In this case the observed behaviour is how it should be.

    You could get around this by enabling source NAT on the pfSense.
    For the server this essentially means, all traffic coming from the internet would seem as if it's coming from the pfSense.
    Thus replies to traffic coming in from the port forward would go to the pfSense and not to the default gateway.

    To enable source NAT:
    Enable advanced outbound NAT and copy the autocreated rule for the WAN.
    Set in the copy as
    Interface: LAN
    Source: any
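    The return-path problem described here can be traced through with a small model. This is my own added Python example, not pfSense code; the addresses are constructed from documentation ranges and the state handling is a simplification of what pf does. It sends the same SYN once with only the port forward and once with source NAT on LAN, and reports where the server's SYN-ACK goes in each case and whether the client's TCP stack would accept it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (documentation address ranges, not the poster's real addresses):
CLIENT = "203.0.113.10"     # laptop out on the internet
PF_WAN = "198.51.100.1"     # pfSense WAN address that the client connects to
PF_LAN = "192.168.1.1"      # pfSense LAN address
OTHER_GW = "192.168.1.254"  # the pre-existing router, still the server's default gateway
SERVER = "192.168.1.80"     # web server behind pfSense
LAN_NET = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" or "SYN-ACK"


class PfSense:
    """Port forward on WAN; optionally source NAT on LAN (the fix suggested above)."""

    def __init__(self, source_nat: bool):
        self.source_nat = source_nat
        self.states = {}        # reply 4-tuple as the server will send it -> (client, client port)
        self.next_port = 50000  # port pool for source-NATed connections

    def wan_in(self, p: Packet):
        if (p.dst, p.dport, p.flag) != (PF_WAN, 80, "SYN"):
            return None
        src, sport = p.src, p.sport
        if self.source_nat:     # rewrite the source so the server replies to pfSense itself
            src, sport = PF_LAN, self.next_port
            self.next_port += 1
        fwd = Packet(src, sport, SERVER, 80, p.flag)
        self.states[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = (p.src, p.sport)
        return fwd

    def lan_in(self, p: Packet):
        hit = self.states.get((p.src, p.sport, p.dst, p.dport))
        if hit is None:
            return None     # no matching state: pf drops it
        client, sport = hit
        return Packet(PF_WAN, 80, client, sport, p.flag)  # undo both translations


def server_reply(p: Packet):
    """The server answers with a SYN-ACK and picks the next hop from its own routing table."""
    reply = Packet(SERVER, 80, p.src, p.sport, "SYN-ACK")
    next_hop = "direct" if ip_address(reply.dst) in LAN_NET else OTHER_GW
    return reply, next_hop


def client_accepts(sent: Packet, reply) -> bool:
    """A TCP stack only matches a SYN-ACK whose 4-tuple is the exact reverse of its SYN."""
    return reply is not None and reply.flag == "SYN-ACK" and \
        (reply.src, reply.sport, reply.dst, reply.dport) == (sent.dst, sent.dport, sent.src, sent.sport)


def handshake(source_nat: bool) -> dict:
    pf = PfSense(source_nat)
    syn = Packet(CLIENT, 40001, PF_WAN, 80, "SYN")
    fwd = pf.wan_in(syn)
    reply, next_hop = server_reply(fwd)
    if next_hop == "direct":
        back, path = pf.lan_in(reply), "server -> pfSense -> client"
    else:
        # The other router forwards the reply out, but it holds no pf state to reverse
        # the port forward, so the client sees a SYN-ACK from 192.168.1.80 (or from the
        # other router's own address if it NATs), never from the WAN address it talked to.
        back, path = reply, "server -> other router -> client"
    return {"server_sees": fwd.src, "reply_to": reply.dst, "path": path,
            "accepted": client_accepts(syn, back)}


if __name__ == "__main__":
    for mode in (False, True):
        print("source NAT on LAN:", mode, handshake(mode))
```

    The trade-off the model also makes visible: with source NAT on LAN the web server's logs record pfSense's LAN address as the client for every forwarded connection, so the real client IP is lost at the server. Pointing the server's default gateway at pfSense, as the troubleshooting page asks, avoids that.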



  • @GruensFroeschli:

    So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
    In this case the observed behaviour is how it should be.

    Yep indeed I do. To be honest I could get rid of the other router config once I have PFSense configured correctly. But changing it beforehand would render me unable to access the machine to make the change (hope that makes sense!)

    @GruensFroeschli:

    You could get around this by enabling source NAT on the pfSense.
    For the server this essentially means, all traffic coming from the internet would seem as if it's coming from the pfSense.
    Thus replies to traffic coming in from the port forward would go to the pfSense and not to the default gateway.

    To enable source NAT:
    Enable advanced outbound NAT and copy the autocreated rule for the WAN.
    Set in the copy as
    Interface: LAN
    Source: any

    Great stuff. I'll give that a shot.



  • Actually, sorry for being dumb - you lost me on the last bit.

    I've set it to Advanced Outbound NAT and it created an "Autocreated rule for LAN". What else should I add now?



  • Can you show a screenshot of your advanced outbound rules?

