Netgate Discussion Forum

    NAT driving me NUTS!

jimxms:

      Hi All,

      I'm on the verge of going bald here, so I really hope one of you knowledgeable peeps can give me a helping hand.

      I have installed pfsense on a server that has two network cards. One is directly connected to the internet (212.69.10.xxx / 255.255.255.0) and the other is the internal network (192.168.1.xxx / 255.255.255.0).

      What I am trying to do is forward everything that comes in on port 80 and 443 to an internal server on address 192.168.1.80.

      I have opened up the firewall to allow these ports through. This I definitely know works, because first of all on visiting http://212.69.10.xxx externally I was taken to the pfsense admin panel. I thought this may have caused issues further down the line so I changed the pfsense admin port to 9090. I also checked the firewall logs and saw that the rules were working in there and allowing traffic through.

      HOWEVER, getting the incoming traffic on 80 and 443 redirected to my internal IP 192.168.1.80 is proving IMPOSSIBLE.

      I set up the NAT (port forwarding rules) to forward anything on the mentioned ports to the internal IP address. Yet when I browse to http://212.69.10.xxx now I get a timeout and not the web page hosted on the server behind the firewall.

      The pfsense server can definitely see the web server as it can ping it, and also from the pfsense command console I can telnet to the server on port 80. So connectivity definitely isn't an issue here.

      As a further test, I formatted the server with Windows 2008 Server, configured the firewall and installed a port forwarding program. This worked perfectly… so there's got to be something in pfsense I'm missing.

      Please help before I find the nearest bridge and throw myself off!

tommyboy180:

        I went through the same thing the first time I got pfsense and tried to set up a webserver behind that pfsense box. To make sure I don't forget anything I am going to start from the top:

        Go to Firewall -> NAT -> and add a port forward rule
                           Interface = WAN
                           External address = Interface Address
                           External Port range = 80 to 80
                           NAT IP = Webserver IP
                           Local Port = 80
                           Check 'Auto Add firewall rule'
        Click Save.

        Now you have a NAT rule and a Firewall rule.

        Go to System -> Advanced
                          Look for the NAT Section (towards the bottom)
                          Uncheck 'Disable NAT Reflection'
                          Click Save

        Good Luck.

        -Tom Schaefer
        SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

        Please support pfBlocker | File Browser | Strikeback

jimxms:

          Cheers for the reply. I did come across another thread suggesting unticking that option and gave it a try for myself. Unfortunately it didn't make any difference.

          But I'm going to give pfSense a fresh install and try again from scratch. I've played with so many options that the install is probably tainted now.

jimxms:

            Sorry for double post but still no luck I'm afraid. Exactly the same issue as before :(

            Firewall allows the traffic through, then NAT just doesn't direct it where it's told :(

            EDIT:

            I'm not sure if this means anything, but while hunting through the diagnostic tools I saw this in the 'States' section while trying to connect to the webserver:

            tcp 192.168.1.80:80 <- 212.69.10.xxx:80 <- 212.69.52.xxx:52457

            (the 212.69.52.xxx address is the external ip address of my laptop)

jimp (Rebel Alliance Developer, Netgate):

              Sounds like your firewall rule is the issue.

              If you "opened up" port 80 and got the WebGUI, you likely had a destination address of the WAN interface IP, and not the internal IP of the web server.

              The firewall rule should allow traffic from * to <web server LAN IP> port 80 (and 443).

              Give that a try and see if it helps.

jimxms:

                At the time I had no NAT set up at all. So I'm guessing in the absence of any NAT rules the firewall simply opens up the ports and any incoming requests are just served by pfsense (hence me getting the WebGUI). I'll post screenshots of my config in a mo.

                EDIT:

jimxms:

                  OK I'm really clutching at straws now…

                  To check that it wasn't anything weird to do with both my external and internal IPs having the same subnet, I changed my internal network to 10.x.x.x and set up a server with SSH installed. I did port forwarding and firewall rules for port 22 and STILL no joy. I wasn't able to connect.

                  This entry in the States diagnostic looks interesting though:

                  tcp 10.0.0.1:22 <- 212.69.10.xxx:22 <- 212.69.52.xxx:53301  CLOSED:SYN_SENT
                  tcp 212.69.52.xxx:53301 -> 10.0.0.1:22  SYN_SENT:CLOSED

tommyboy180:

                    Try these steps. Let me know if you still cannot get it working.

                    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

jimxms:

                      The only condition that I can see I don't meet is the gateway for my internal machines being set to the pfsense server. I can't really change these as I will lose connectivity to more important things.

                      Is there any way I can get round this? I was able to port forward using a Windows Server without any configuration changes to any of my machines.

tommyboy180:

                        Hmmm. Maybe static routes?
                        I tried to do just that a long time ago and never got it working. I had to configure my server with pfsense as the default gateway. I hope you can figure it out. I am sure someone on this forum must know.

GruensFroeschli:

                          So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
                          In this case the observed behaviour is how it should be.

                          You could get around this by enabling source NAT on the pfSense.
                          For the server this essentially means all traffic coming from the internet would seem as if it's coming from the pfSense.
                          Thus traffic coming in from the port forward would be replied to the pfSense and not to the default gateway.

                          To enable source NAT:
                          Enable advanced outbound NAT and copy the autocreated rule for the WAN.
                          Set in the copy as
                          Interface: LAN
                          Source: any

                          We do what we must, because we can.

                          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
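The state entries jimxms quoted (the CLOSED:SYN_SENT / SYN_SENT:CLOSED pair), jimp's point that the pass rule must target the web server's LAN IP, and GruensFroeschli's source NAT workaround, worked through as an added Python example that is not part of the forum thread and is not pfSense's own code. It parses pf state lines in the format shown by Diagnostics > States, says what the TCP state pair means for the port forward, and writes out the pf.conf shape of the rules the thread describes. Interface names em0/em1 and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample values, and the rule strings are hand-written pf syntax, not the ruleset pfSense itself generates.

```python
"""Diagnose a pfSense port forward from its state table entries (added example)."""
import re

# One state line as pfSense's Diagnostics > States page shows it, e.g.
#   tcp 10.0.0.1:22 <- 203.0.113.10:22 <- 198.51.100.7:53301  CLOSED:SYN_SENT
#   tcp 198.51.100.7:53301 -> 10.0.0.1:22  SYN_SENT:CLOSED
# Inbound ("<-") entries read dst <- gateway <- src, outbound ("->") entries
# read src -> dst.  The trailing pair is left-host-state:right-host-state.
_STATE_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+(?P<left>\S+)\s+(?P<arrow><-|->)\s+(?P<mid>\S+)"
    r"(?:\s+(?P=arrow)\s+(?P<right>\S+))?"
    r"(?:\s+(?P<lstate>[A-Z_]+):(?P<rstate>[A-Z_]+))?\s*$"
)


def parse_state(line):
    """Return client/server endpoints and their TCP states, or None if unparsable."""
    m = _STATE_RE.match(line)
    if not m:
        return None
    far = m.group("right") or m.group("mid")
    if m.group("arrow") == "<-":          # dst <- gwy <- src: left host is the server
        server, client = m.group("left"), far
        server_state, client_state = m.group("lstate"), m.group("rstate")
    else:                                 # src -> dst: left host is the client
        client, server = m.group("left"), far
        client_state, server_state = m.group("lstate"), m.group("rstate")
    return {"proto": m.group("proto"), "client": client, "server": server,
            "client_state": client_state, "server_state": server_state}


def diagnose(lines):
    """Classify a TCP port forward from its state entries.

    'established'   handshake completed through the firewall
    'no_reply_seen' the SYN was forwarded but the server's SYN-ACK never came
                    back through pfSense: the server is not answering, or it is
                    replying via a different default gateway (asymmetric routing),
                    which is the situation in the thread
    'no_state'      nothing parsed, so the pass rule or the forward never matched
    """
    seen = [s for s in (parse_state(ln) for ln in lines) if s and s["proto"] == "tcp"]
    if not seen:
        return "no_state"
    for s in seen:
        if s["client_state"] == "ESTABLISHED" and s["server_state"] == "ESTABLISHED":
            return "established"
    for s in seen:
        if s["client_state"] == "SYN_SENT" and s["server_state"] == "CLOSED":
            return "no_reply_seen"
    return "unknown"


def pf_rules(wan_if, lan_if, server_ip, port, source_nat=False):
    """pf.conf equivalents of the GUI settings discussed in the thread (hand-written).

    rdr runs before filtering, so the pass rule must match the post-NAT
    destination (the LAN server IP, not the WAN address); that is jimp's point.
    With source_nat=True an extra nat rule on the LAN side rewrites the client
    address to the LAN interface address, so the server answers pfSense even
    when pfSense is not its default gateway (GruensFroeschli's workaround).
    """
    rules = [
        f"rdr on {wan_if} proto tcp from any to ({wan_if}) port {port} -> {server_ip} port {port}",
        f"pass in quick on {wan_if} proto tcp from any to {server_ip} port {port} flags S/SA keep state",
    ]
    if source_nat:
        rules.append(f"nat on {lan_if} proto tcp from any to {server_ip} port {port} -> ({lan_if})")
    return rules


if __name__ == "__main__":
    # Constructed sample resembling the poster's States output (documentation addresses).
    sample = [
        "tcp 10.0.0.1:22 <- 203.0.113.10:22 <- 198.51.100.7:53301  CLOSED:SYN_SENT",
        "tcp 198.51.100.7:53301 -> 10.0.0.1:22  SYN_SENT:CLOSED",
    ]
    print(diagnose(sample))
    print("\n".join(pf_rules("em0", "em1", "10.0.0.1", 22, source_nat=True)))
```

Paste the lines from Diagnostics > States into `diagnose()`: a working forward shows ESTABLISHED on both sides, while the pair from the thread reports `no_reply_seen`, which is exactly the symptom of the server answering through another router. Note that the source NAT rule hides the real client address from the server's logs; it is a workaround for a second gateway, not something to leave on once pfSense is the default gateway.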

jimxms:

                            @GruensFroeschli:

                            So do I understand you correctly, that you have 2 routers in your network and pfSense is not the default gateway?
                            In this case the observed behaviour is how it should be.

                            Yep indeed I do. To be honest I could get rid of the other router config once I have PFSense configured correctly. But changing it beforehand would render me unable to access the machine to make the change (hope that makes sense!)

                            @GruensFroeschli:

                            You could get around this by enabling source NAT on the pfSense.
                            For the server this essentially means all traffic coming from the internet would seem as if it's coming from the pfSense.
                            Thus traffic coming in from the port forward would be replied to the pfSense and not to the default gateway.

                            To enable source NAT:
                            Enable advanced outbound NAT and copy the autocreated rule for the WAN.
                            Set in the copy as
                            Interface: LAN
                            Source: any

                            Great stuff. I'll give that a shot.

jimxms:

                              Actually, sorry for being dumb - you lost me on the last bit.

                              I've set it to Advanced Outbound NAT and it created an "Autocreated rule for LAN". What else should I add now?

GruensFroeschli:

                                Can you show a screenshot of your advanced outbound rules?
