NAT driving me NUTS!

jimxms

Hi All,

I'm at the verge of going bald here, so I really hope one of you knowledgeable peeps can give me a helping hand.

I have installed pfsense on a server that has two network cards. One is directly connected to the internet (212.69.10.xxx / 255.255.255.0) and the other is the internal network (192.168.1.xxx / 255.255.255.0).

What I am trying to do is forward everything that comes in on port 80 and 443 to an internal server on address 192.168.1.80.

I have opened up the firewall to allow these ports through. This i definitely know works, because first of all on visiting http://212.69.10.xxx externally I was taken to the pfsense admin panel. I thought this may have caused issues further down the line so I changed the pfsense admin port to 9090. I also checked the firewall logs and saw that the rules were working in there and allowing traffic through.

HOWEVER, getting the incoming traffic on 80 and 443 redirected to my internal IP 192.168.1.80 is proving IMPOSSIBLE.

I set up the NAT (port forwarding rules) to forward anything on the mentioned ports to the internal IP address. Yet when i browse to http://212.69.10.xxx now I get a timeout and not the web page hosted on the server behind the firewall.

The pfsense server can definitely see the web server as it can ping it, and also from the pfsense command console I can telnet to the server on port 80. So connectivity definitely isn't an issue here.

As a further test, i formatted the server with Windows 2008 Server, configured the firewall and installed a port forwarding program. This worked perfectly…so there's got to be something in pfsense i'm missing.

Please help before find the nearest bridge and throw myself off!

tommyboy180

I went through the same thing the first time I got pfsense and tried to setup a webserver behind that pfsense box. To make sure I don't forget anything I am going to start from the top:

Go to Firewall -> NAT -> and add a port forward rule
                   Interface = WAN
                   External address = Interface Address
                   External Port range = 80 to 80
                   NAT IP = Webserver IP
                   Local Port = 80
                   Check 'Auto Add firewall rule'
Click Save.

Now you have a NAT rule and a Firewall rule.

Go to System -> Advanced
                  Look for the NAT Section (towards the bottom)
                  Uncheck 'Disable NAT Reflection'
                  Click Save

Good Luck.

jimxms

Cheers for the reply. I did come across another thread suggesting unticking that option and gave it a try for myself. Unfortunately it didn't make any difference.

But, I'm going to have pf a fresh install and try again from scratch. I've played with so many options that the install is probably tainted now.

jimxms

Sorry for double post but still no luck I'm afraid. Exactly the same issue as before :(

Firewall allows the traffic through, then NAT just doesnt direct it where its told :(

EDIT:

I'm not sure if this means anything, but while hunting through the diagnostic tools I saw this in the 'States' section while trying to connect to the webserver:

tcp 192.168.1.80:80 <- 212.69.10.xxx:80 <- 212.69.52.xxx:52457

(the 212.69.52.xxx address is the external ip address of my laptop)

jimp

Sounds like your firewall rule is the issue.

If you "opened up" port 80 and got the WebGUI, you likely had a destination address of the WAN interface IP, and not the internal IP of the web server.

The firewall rule should allow traffic from * to <web server="" lan="" ip="">port 80. (and 443).

Give that a try and see if it helps.</web>

jimxms

At the time I had no NAT set up at all. So i'm guessing in the absence of any NAT rules the Firewall simply opens up the ports and any incoming requests are just served by pfsense (hence me getting the Webgui). I'll post screenshots of my config in a mo

EDIT:

jimxms

OK I'm really clutching at straws now…

To check that it wasn't anything weird to do with both my external and internal IPs having the same subnet, I changed my internal network to 10.x.x.x and set up a server with SSH installed. I did port forwarding and firewall rules for port 22 and STILL no joy. I wasn't able to connect.

This log in States disgnostic looks interesting tho:

tcp  10.0.0.1:22 <- 212.69.10.xxx:22 <- 212.69.52.xxx:53301  CLOSED:SYN_SENT 
tcp 212.69.52.xxx:53301 -> 10.0.0.1:22 SYN_SENT:CLOSED

tommyboy180

Try these steps. Let me know if you still cannot get it working.

http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

jimxms

The only condition that I can see I don't meet is the Gateway for my internal machines being set to the pfsense server. I can't really change these as I will loose connectivity to more important things.

Is there any way I can get round this? I was able to port forward using a Windows Server without any configuration changes to any of my machines.

tommyboy180

Hmmm. Maybe static routes?
I tried to do just that a long time ago and never got it working. I had to configure my server with pfsense as the default gateway. I hope you can figure it out. I am sure someone on this forum must know.

GruensFroeschli

So do i understand you correct, that you have 2 routers in your network and pfSense is not the default gateway?
In this case the observed behaviour is how it should be.

You could get around this by enabling sourceNAT on the pfSense.
For the server this essentially means, all traffic comming from the internet would seem as its comming from the pfSense.
Thus to traffic comming in from the portforward would be replied to the pfSense and not to the default gateway.

To enable source NAT:
Enable advanced outbound NAT and copy the autocreated rule for the WAN.
Set in the copy as
Interface: LAN
Source: any

jimxms

@GruensFroeschli:

So do i understand you correct, that you have 2 routers in your network and pfSense is not the default gateway?
In this case the observed behaviour is how it should be.

Yep indeed I do. To be honest I could get rid of the other router config once I have PFSense configured correctly. But changing it beforehand would render me unable to access the machine to make the change (hope that makes sense!)

@GruensFroeschli:

You could get around this by enabling sourceNAT on the pfSense.
For the server this essentially means, all traffic comming from the internet would seem as its comming from the pfSense.
Thus to traffic comming in from the portforward would be replied to the pfSense and not to the default gateway.

To enable source NAT:
Enable advanced outbound NAT and copy the autocreated rule for the WAN.
Set in the copy as
Interface: LAN
Source: any

Great stuff. I'll give that a shot.

jimxms

Actually, sorry for being dumb - you lost me on the last bit.

I've set it to Advanced Outbound NAT and it created an "Autocreated rule for LAN". What else should I add now?

GruensFroeschli

Can you show a screenshot of your advanced outbound rules?