NAT to FreeIPA
-
Hello!
I am installing a FreeIPA server on Rocky Linux that is behind pfSense. The whole installation process worked fine. So I opened the ports used by the FreeIPA services:
TCP ports:
```
firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,8099/tcp}
```
UDP ports:
```
firewall-cmd --permanent --add-port={80/udp,464/udp,53/udp,123/udp,8099/udp}
```
Port 8099 is configured in the NAT to the internal server (10.1.1.x).
The subdomain is answering fine, checked with the commands nslookup 10.1.1.x and nslookup my_subdomain. I checked with my site provider and all is working well. But when I did the NAT to the FreeIPA server, I cannot get access to it.
How can I fix this? Is it an error in the NAT configuration?
Can someone help, please? Thank you
Douglas -
@doguibnu
Did you restart firewalld on the server after adding the rules? Otherwise they won't take effect.
Did you also add a firewall rule on pfSense to pass the packets to the server? You can also do this directly in the NAT rule at "Filter rule association".
-
@viragomann said in NAT to FreeIPA:
@doguibnu
Did you restart firewalld on the server after adding the rules? Otherwise they won't take effect.
Yes, firewall-cmd --list-all:
```
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources:
  services: cockpit dhcpv6-client dns freeipa-4 http https kerberos kpasswd ldap ldaps ntp ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Did you also add a firewall rule on pfSense to pass the packets back to the server? You can also do this directly in the NAT rule at "Filter rule association".
Yes, I did, but it still does not accept.
On Firefox it shows:
```
This site was not found.
We were unable to connect to the server at my_subdomain
If this address is correct, here are other things you can try:
  Try again later.
  Check your network connection.
  If you are logged in behind a firewall, make sure Firefox is allowed to access the web.
```
So I am "frozen" here and have been lost for many days!
Thank you for your attention!
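The zone dump above has an empty `ports:` line even though the ports were added with `--permanent`, so the runtime zone only accepts what its listed services cover. The following is an added example (not from the thread or the FreeIPA project) that parses a `firewall-cmd --list-all` dump and reports which of the poster's required ports are not open; the service-to-port table is an assumption based on the stock firewalld service definitions.

```python
import sys

# Ports the poster opened with --permanent (taken from the thread).
REQUIRED = {
    "80/tcp", "443/tcp", "389/tcp", "636/tcp", "88/tcp", "464/tcp", "53/tcp",
    "8099/tcp", "80/udp", "464/udp", "53/udp", "123/udp", "8099/udp",
}

# Assumed ports behind each firewalld service name, from the stock service
# definitions (verify on the host with `firewall-cmd --info-service NAME`).
# Services not listed here (cockpit, freeipa-4, ssh, ...) count as covering nothing.
SERVICE_PORTS = {
    "http": {"80/tcp"}, "https": {"443/tcp"},
    "ldap": {"389/tcp"}, "ldaps": {"636/tcp"},
    "kerberos": {"88/tcp", "88/udp"}, "kpasswd": {"464/tcp", "464/udp"},
    "dns": {"53/tcp", "53/udp"}, "ntp": {"123/udp"},
}

def parse_list_all(text):
    """Turn each 'key: value ...' line of a zone dump into {key: [tokens]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key] = value.split()
    return fields

def open_ports(fields):
    """Ports the zone accepts: explicit `ports:` entries plus known services."""
    opened = set(fields.get("ports", []))
    for service in fields.get("services", []):
        opened |= SERVICE_PORTS.get(service, set())
    return opened

def missing_ports(text, required=REQUIRED):
    """Required ports that the dump does not open, sorted for stable output."""
    return sorted(required - open_ports(parse_list_all(text)))

# Constructed sample: the runtime dump from the thread, one field per line.
# The empty `ports:` line means the --permanent additions never reached the runtime.
SAMPLE = """\
public (active)
  target: default
  interfaces: ens18
  services: cockpit dhcpv6-client dns freeipa-4 http https kerberos kpasswd ldap ldaps ntp ssh
  ports:
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("not open in this zone:", " ".join(missing_ports(text)) or "nothing")
```

Run it once against `firewall-cmd --list-all` and once against `firewall-cmd --permanent --list-all`: if only the permanent dump is clean, a `firewall-cmd --reload` is what is missing.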
-
@doguibnu
On pfSense you can sniff the traffic (Diagnostics > Packet Capture) to check if the packets are forwarded properly. Select the interface facing the server, enter the protocol and port for filtering to avoid useless noise. Start the capture and trigger an access from outside.
In case you get nothing, sniff the packets on the incoming interface to ensure that the packets are arriving on pfSense at all.