Netgate Discussion Forum

    SG3100 Single WAN NAT Issues.

    Firewalling
    55 Posts 2 Posters 8.2k Views
    wc2l:

      Hi Folks,
      It is more than likely a lack of knowledge. I am trying to set up a bunch of NAT rules. They do not appear to be working. I don't think it is the same as the dual WAN issue.
      Single WAN port (DHCP from ISP)
      Two VLANS are configured
      LAN - 172.30.30.1/24 (Wired & Wireless) WiFiGuest - 172.30.32.1/24
      I have over 20 rules under Firewall - Rules
      So a simple rule is my Telnet rule
      Source *
      Port 23
      Destination 172.30.30.40
      Port 23
      Gateway *
      Queue none
      Description Special-Telnet

      There may be some other settings that I have missed. Please tell me what I'm missing or how to fix it.. I'm very new to the Netgate/pfSense world.. I appreciate the help troubleshooting

      Will

      mcury @wc2l:

        @wc2l Source port should be any, it's a random port.

        dead on arrival, nowhere to be found.

        wc2l @mcury:

          Isn't that what * means?
          I forgot to mention that I am running 21.2 Release

          Will

          mcury @wc2l:

            @wc2l

            Source *
            Port 23 <<<< Source port should be any
            Destination 172.30.30.40
            Port 23
            Gateway *

            Are you trying to reach this server from WAN, or from WIFIGuest?

            If you are coming from WAN, you should use the port forward tab.
            If you are coming from another VLAN, you don't need NAT, just a firewall rule.

            wc2l @mcury:

              @mcury
              Thank you. I will try that shortly.. Edit the rule didn't seem to work. Mostly from the WAN (occasionally from the other VLAN). The server has a DDNS address that should get resolved.

              Do you use DNS Forwarder or Resolver? Any setting suggestions?

              TNX Will

              mcury @wc2l:

                From the WAN, just create a port forward, and this will generate a firewall rule automatically.
                From another VLAN, just create a firewall rule allowing VLANX to reach the LAN server port 23, no NAT or port forward required.

                The source port is random, so, source port should be any.

                I use DNS Resolver, with the setting DNS Query Forwarding disabled.
                I like this way because I'm querying the root servers directly, and my queries are being cached by DNS resolver.

                One important thing to say is that leaving the port 23 opened is not a good idea, I would suggest to use SSH, with a key, disabling passwords.
                Or, even better, use a VPN.

                wc2l @mcury:

                  @mcury
                  When I set it to any, it stopped altogether. More homework ahead

                  mcury @wc2l:

                    @wc2l said in SG3100 Single WAN NAT Issues.:

                    @mcury
                    When I set it to any, it stopped altogether. More homework ahead

                    Can you elaborate on it?

                    wc2l @mcury:

                      @mcury My whole internet stopped..
                      Support told me to also get off of 21.02. I had sent an email.
                      Maybe I should start by going through the documentation again..
                      See what I missed :-(

                      mcury @wc2l:

                        @wc2l hm, you probably hit a bug that is happening in the sg-3100 with the 21.02 version..

                        More info:
                        https://forum.netgate.com/topic/160959/21-02-sudden-lockup/16?_=1614207358882
                        https://reviews.freebsd.org/D28821
                        https://redmine.pfsense.org/issues/11444
                        https://forum.netgate.com/topic/160969/upgrade-to-21-02-release-borked-on-sg-3100

                        The 'any' in source port wouldn't cause an outage.

                        There is a workaround that minimizes the chance of hitting the bug, but it does not eliminate it, if you don't want to downgrade back to 2.4.5p1.

                        wc2l @mcury:

                          @mcury
                          I appreciate your help!! You got me on the right track!! I was able to find a couple links on what I did wrong.. It was very close!! I have the most important rules working.

                          To keep the network more secure, should I also include pfBlocker? I see that is similar to the blacklist. I have the last 4 firewall log entries up.. neat to see what hits your router!

                          Now I have to figure out why I can't get to things locally via the DDNS names (hairpinning). I also can't get to the WEB server from one PC to another here in the house. I have created a backup of my configuration.. I will also keep this memstick version as a backup..

                          TNX Will

                          mcury @wc2l:

                            @wc2l said in SG3100 Single WAN NAT Issues.:

                            To keep the network more secure, should I also include pfBlocker? I see that is similar to the blacklist. I have the last 4 firewall log entries up.. neat to see what hits your router!

                            Sure, but not with 21.02, at least not yet.
                            pfBlockerNG will force firewall rules reload, and this will increase by a lot the chances to trigger the bug mentioned earlier.. If I were you, I wouldn't enable it at this moment.
                            Wait a little bit, Netgate is working on it.

                            Now I have to figure out why I can't get to things locally via the DDNS names (hairpinning). I also can't get to the WEB server from one PC to another here in the house. I have created a backup of my configuration.. I will also keep this memstick version as a backup..

                            You could use split DNS, in DNS Resolver, create a host override for the DDNS, and make sure people are using pfsense's DNS server.

                            I also can't get to the WEB server from one PC to another here in the house.

                            Is the WEB server in the same subnet as this PC?
                            If not, you would need to create a firewall rule to allow this access, usually on port 80 or 443.

                            I have created a backup of my configuration.. I will also keep this memstick version as a backup..

                            Always a good idea 🙂

                            wc2l @mcury:

                              @mcury This work stuff keeps getting in the way of more fun stuff. I would rather learn more of this!!

                              They had me back rev to 2.4.5-RELEASE-p1. I think there may have been an issue with my setup as well. But it seems strange that I got it all up and running pretty quickly!

                              I honestly don't understand the split DNS. I have seen it mentioned.

                              So for me, I want the WAN/LAN/GuestWiFi to be able to resolve the DDNS name of my server. I don't care if it is telnet/http/https etc. There is also some other stuff that I would like routed if using the IP or DDNS name.

                              I have like 2-4 IP addresses with different ports that get addressed.

                              mcury @wc2l:

                                Split DNS, let me try to explain it to you, I have never been a good person to explain things, but let me try..

                                Let's assume that:
                                Your computer is using the pfsense's DNS server, or any other DNS server that you manage there inside your network.

                                There, in the DNS server, you create a host override like this, for example:
                                www.example.com - 172.30.30.40

                                So, computers that are using this DNS server, when they go to www.example.com, will get the 172.30.30.40 IP address, which is an inside IP address inside your network.

                                Users on the Internet will use their own DNS, like Google, for example.
                                This Google DNS will still provide them the DDNS IP address, in this case your WAN, so they can reach your port forward and reach the WEB server, or any other server you configured.

                                INTERNET -> Public DNS - Resolve to your DDNS - Go to your WAN IP.

                                Your subnets -> Local DNS - Resolve to your local IP - Go directly to the server.


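An added simulation (not code from the thread or from pfSense) of the split DNS setup mcury describes: the same name resolves to the inside address for clients that ask pfSense's resolver on 172.30.30.1 or 172.30.32.1, and to the public DDNS address for everyone else, which is what produces the hairpin case Will hit. The WAN address 203.0.113.10 and the client addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the public address the DDNS name points to
# (not a value from the thread).
WAN_IP = "203.0.113.10"

# The two VLAN gateways from the thread; clients that use either of them as
# their DNS server are asking pfSense's DNS Resolver.
PFSENSE_RESOLVERS = {"172.30.30.1", "172.30.32.1"}

# Firewall interfaces from the thread: LAN and WiFiGuest.
LOCAL_SUBNETS = [ipaddress.ip_network("172.30.30.0/24"),
                 ipaddress.ip_network("172.30.32.0/24")]

# Services > DNS Resolver > Host Overrides, as mcury describes it.
HOST_OVERRIDES = {"www.example.com": "172.30.30.40"}

# What the public DNS hierarchy answers for the DDNS name (constructed).
PUBLIC_DNS = {"www.example.com": WAN_IP}


def resolve(name: str, dns_server: str) -> str:
    """Address a client gets for `name` when it asks `dns_server`.

    pfSense's resolver answers overrides locally before recursing; any
    other server (e.g. 8.8.8.8) only knows the public DDNS answer.
    """
    if dns_server in PFSENSE_RESOLVERS and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_DNS[name]


def connection_path(client_ip: str, name: str, dns_server: str) -> str:
    """Describe where the client's TCP connection ends up going.

    'hairpin' is the failing case from the thread: an inside host that got
    the public answer tries to reach its own WAN address from the inside.
    """
    target = resolve(name, dns_server)
    client_is_local = any(ipaddress.ip_address(client_ip) in n
                          for n in LOCAL_SUBNETS)
    if target != WAN_IP:
        return "direct to " + target
    if client_is_local:
        return "hairpin to WAN IP (fails for an inside client)"
    return "via WAN port forward on " + WAN_IP
```

A LAN host with its DNS hard-coded to a public server still lands in the hairpin case, which is why the override only helps when clients actually use pfSense's resolver.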
                                wc2l @mcury:

                                  @mcury I think I get it..
                                  So Services / DNS Resolver / Access Lists
                                  Access name: www.example.com
                                  Action Allow
                                  Description Example
                                  Networks 172.25.25.1/24

                                  Not sure how I would be able to tell some services to go to one location and other services to another location.

                                  mcury @wc2l:

                                    Services > DNS Resolver > Host Overrides (at the bottom).
                                    Not in access lists.

                                    @wc2l said in SG3100 Single WAN NAT Issues.:

                                    Not sure how I would be able to tell some services to go to one location and other services to another location.

                                    Can you elaborate about it ?

                                    wc2l @mcury:

                                      @mcury Of course I can...
                                      172.30.30.40 - 23, 80, 88, 443, 13064, 11111.
                                      172.30.30.30 - 223, 18080, 5095, 13010
                                      17230.30.50 - 13064,

                                      I think that explains it ;-) There are some more.. That was just some examples of what is happening

                                      mcury @wc2l:

                                        @wc2l said in SG3100 Single WAN NAT Issues.:

                                        172.30.30.40 - 23, 80, 88, 443, 13064, 11111.
                                        172.30.30.30 - 223, 18080, 5095, 13010
                                        17230.30.50 - 13064,

                                        Well, if I understood correctly, you have a few services running..

                                        Speaking about port 23 in host 172.30.30.40 in this example:

                                        If you set a port forward like this:
                                        Note: I don't recommend having ports opened to the internet due to security concerns.

                                        Source *
                                        Port 23 <<<< Source port should be any
                                        Destination 172.30.30.40
                                        Port 23
                                        

                                        Users would telnet to your DDNS name, reach your WAN on port 23, and be forwarded to your server 172.30.30.40 on port 23 (Remember that source port should be any).

                                        The same applies to all your servers mentioned in your last post.

                                        One thing to note here is that you have two servers running the same port 13064.

                                        In this case, you would have to either change the port forward from outside, let's say to 13065,
                                        or change the port that the service is running on and mirror that on the port forward.

                                        wc2l @mcury:

                                          @mcury The twin port #s were a mistake.. I was just making a quick example. So if I switch the WAN Source port from any to a defined port, will it work? I still need to add the DDNS info to the Resolver portion so things work internally and externally

                                          mcury @wc2l:

                                            @wc2l said in SG3100 Single WAN NAT Issues.:

                                            So if I switch the WAN Source port from any to a defined port, will it work? I still need to add the DDNS info to the Resolver portion so things work internally and externally

                                            The source port should always be 'any'; only in very rare cases can you define a source port.

                                            Your OS is responsible for generating a random source port every time a connection starts.
                                            What doesn't change is the destination port.

                                            Remember, the source port is generated randomly, so you can't guess what it's going to be.


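As an added illustration (not code from the thread or from pfSense) of mcury's two points, the port-forward walkthrough for 172.30.30.40 and the source-port explanation just above: a forward pinned to source port 23 never matches a real client, whose OS picks a random ephemeral source port, while 'any' does; and two forwards on the same WAN port can only ever hit the first one. The WAN address 203.0.113.10 and client address 198.51.100.7 are placeholders, and 172.30.30.50 is assumed to be the host listed as 17230.30.50.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

WAN_IP = "203.0.113.10"  # constructed placeholder for the WAN address

@dataclass(frozen=True)
class PortForward:
    """One entry under Firewall > NAT > Port Forward (simplified)."""
    src_port: Optional[int]  # None means the 'any' (*) source port
    wan_port: int            # destination port on the WAN address
    target_ip: str
    target_port: int

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def forward_target(rules: List[PortForward], pkt: Packet):
    """(ip, port) the first matching rule redirects to, or None.
    Rules are checked top to bottom, so two forwards on the same WAN port
    can only ever hit the first one (the duplicate 13064 case)."""
    if pkt.dst_ip != WAN_IP:
        return None
    for r in rules:
        if r.src_port is not None and pkt.src_port != r.src_port:
            continue  # pinned to a source port the client will not use
        if pkt.dst_port == r.wan_port:
            return (r.target_ip, r.target_port)
    return None

def telnet_from_internet(rules: List[PortForward], src_port=None):
    """Internet client opens TCP to the DDNS name on port 23; its OS picks
    an ephemeral source port unless one is given for the test."""
    if src_port is None:
        src_port = random.randint(49152, 65535)  # usual ephemeral range
    return forward_target(rules, Packet("198.51.100.7", src_port, WAN_IP, 23))

# The rule as first posted (source port 23) and as corrected (any).
POSTED_RULE = [PortForward(23, 23, "172.30.30.40", 23)]
FIXED_RULE = [PortForward(None, 23, "172.30.30.40", 23)]
# Two servers on 13064: expose the second one on WAN port 13065 instead.
CLASH = [PortForward(None, 13064, "172.30.30.40", 13064),
         PortForward(None, 13064, "172.30.30.50", 13064)]
SEPARATED = [PortForward(None, 13064, "172.30.30.40", 13064),
             PortForward(None, 13065, "172.30.30.50", 13064)]
```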
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.