Netgate Discussion Forum

Using Virtual IP and port forwarding

7 Posts 3 Posters 706 Views
  • A
    Agustinp
    last edited by Agustinp May 14, 2020, 12:42 PM May 14, 2020, 12:29 PM

    Hi, maybe I'll ask something dumb as I'm starting now with pfsense, but tried to find an answer on the forum and the only one having the same problem didn't receive a solution.

    First I'll explain my network configuration:

    I have an ISP router with a LAN of 172.26.10.0/24 and ip 172.26.10.1, behind it I have the pfsense machine with a wan ip 172.26.10.69 and LAN ip 192.16.10.69, inside that LAN I have a machine 192.16.10.171.

    My intention is to forward ports for the inside servers to access them from the internet, but right now I'm testing with that machine and once I can get it working I'll replicate it for the servers. So I made a test with RDP (I know RDP from internet is a crime, but it's just for test purposes).
    I created a Virtual IP 172.26.10.70 and then a port forward rule using the virtual IP WAN address. (Created also a port forward on the ISP router for 172.26.10.70:3389)
    When I try to connect from an internet machine, it doesn't work. But if I try from a machine on the ISP router LAN, it works perfectly.

    Also, if I change the port forward and instead of using the Virtual IP I use the WAN address 172.26.10.69, it works from the internet machine without problems (forwarding ISP router to 172.26.10.69:3389 ofc).

    So...what is going on? I checked the firewall logs, and it shows the connection attempt with a PASS, so it should work, but it doesn't.
    The only thing that maybe is breaking the connection is the source port on the log, I can see a different randomly generated source port with each attempt, something like:
    xx.xx.xx.xx:51138 192.16.10.171:3389 TCP:S
    xx.xx.xx.xx:51144 192.16.10.171:3389 TCP:S

    Any help please?

    • N
      NogBadTheBad
      last edited by May 14, 2020, 12:50 PM

      You'll have problems port forwarding RFC 1918 address space from the ISP router to RFC 1918 address space on your pfSense on your LAN.

      Put your ISP router into modem mode if you can.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

      • A
        Agustinp @NogBadTheBad
        last edited by May 14, 2020, 12:58 PM

        @NogBadTheBad Thanks for the answer.

        So..is there any solution for those problems with RFC1918 addresses? I can't put my ISP router into bridge mode. My only option for now is to redirect everything to the pfsense WAN address and then forward it to the LAN, but I would like to use Virtual IPs.

        • N
          NogBadTheBad
          last edited by May 14, 2020, 1:06 PM

          @Agustinp said in Using Virtual IP and port forwarding:

          TCP:S

          You could try DMZ mode on the ISP router pointing to your pfSense WAN interface.

          Have you tried talking to your ISP re modem mode?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • A
            Agustinp @NogBadTheBad
            last edited by May 14, 2020, 1:15 PM

            @NogBadTheBad I activated DMZ to 172.26.10.69 on the ISP router, and still the same...
            I can't configure it in modem mode/bridge mode.

            • B
              Bob.Dig LAYER 8
              last edited by May 14, 2020, 1:19 PM

              For what is a virtual-IP needed?

              • A
                Agustinp @Bob.Dig
                last edited by May 14, 2020, 1:25 PM

                @Bob-Dig Because I want something like a static NAT for inside hosts.

                For example in this case, I know I could just forward everything to the WAN address of the pfsense, then manage the different port NATs to the LAN.

                But I come from a Cisco environment where I had a static NAT for each host, so I'm used to that scenario.
