Netgate Discussion Forum
    NAT to FreeIPA

    Firewalling | 4 Posts | 2 Posters | 1.0k Views
    • doguibnu
      Hello!

      I am installing a FreeIPA server on Rocky Linux that is behind pfSense. The whole installation process worked fine. So I opened the ports that are used by the FreeIPA services:

      TCP ports:
      ```shell
      firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,8099/tcp}
      ```

      UDP ports:
      ```shell
      firewall-cmd --permanent --add-port={80/udp,464/udp,53/udp,123/udp,8099/udp}
      ```

      Port 8099 is configured in NAT to the internal server (10.1.1.x).
      The subdomain resolves fine, checked with the commands nslookup 10.1.1.x and nslookup my_subdomain. I checked with my site provider and everything is working well.

      But when I set up the NAT to the FreeIPA server, I cannot access it.

      How can I fix this? Is it a NAT configuration error?
      Can someone help, please?

      Thank you
      Douglas

      • viragomann @doguibnu

        @doguibnu
        Did you restart firewalld on the server after adding the rules? Otherwise they won't take effect.

        Did you also add a firewall rule on pfSense to pass the packets back to the server? You can also do this directly in the NAT rule at "Filter rule association".
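        The first point above (rules added with --permanent are not active until firewalld is reloaded or restarted) can be checked mechanically: firewalld keeps a runtime and a permanent configuration, and `firewall-cmd --list-all` shows the runtime one while `firewall-cmd --permanent --list-all` shows the saved one. The script below is an added example, not code from this thread; it parses both outputs (the sample text is constructed, modelled on the zone listing format) and reports what is saved but not yet live, which is exactly the state you are in after `--add-port`/`--add-service --permanent` without `firewall-cmd --reload`.

        ```python
        """Spot firewalld rules that were saved with --permanent but never activated.

        Added example, not part of the forum thread. The two sample listings below are
        constructed to mimic `firewall-cmd --list-all` (runtime) and
        `firewall-cmd --permanent --list-all` (saved) for the zone discussed above.
        """
        import subprocess

        # Constructed sample: what the *runtime* zone looks like before `firewall-cmd --reload`.
        RUNTIME_SAMPLE = """public (active)
          target: default
          icmp-block-inversion: no
          interfaces: ens18
          sources:
          services: cockpit dhcpv6-client ssh
          ports:
          protocols:
          forward: no
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:
        """

        # Constructed sample: the *permanent* zone after the FreeIPA services and port 8099 were added.
        PERMANENT_SAMPLE = """public
          target: default
          icmp-block-inversion: no
          interfaces: ens18
          sources:
          services: cockpit dhcpv6-client dns freeipa-4 http https kerberos kpasswd ldap ldaps ntp ssh
          ports: 8099/tcp 8099/udp
          protocols:
          forward: no
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:
        """


        def parse_list_all(text: str) -> dict[str, set[str]]:
            """Turn the `key: v1 v2 ...` lines of a zone listing into {key: set(values)}.

            The zone header line ("public (active)") has no colon and is skipped.
            """
            parsed: dict[str, set[str]] = {}
            for line in text.splitlines():
                if ":" not in line:
                    continue
                key, _, value = line.strip().partition(":")
                parsed[key.strip()] = set(value.split())
            return parsed


        def pending_changes(runtime: str, permanent: str,
                            keys: tuple[str, ...] = ("services", "ports")) -> dict[str, set[str]]:
            """Return entries present in the permanent config but missing at runtime.

            An empty dict means the live firewall already matches what was saved.
            """
            rt, pm = parse_list_all(runtime), parse_list_all(permanent)
            diff = {k: pm.get(k, set()) - rt.get(k, set()) for k in keys}
            return {k: v for k, v in diff.items() if v}


        def check_live_host(zone: str = "public") -> dict[str, set[str]]:
            """Run the real firewall-cmd on this host and compare runtime vs permanent.

            Only for use on the FreeIPA server itself; the offline demo below uses the samples.
            """
            run = subprocess.run(["firewall-cmd", "--zone", zone, "--list-all"],
                                 capture_output=True, text=True, check=True).stdout
            perm = subprocess.run(["firewall-cmd", "--permanent", "--zone", zone, "--list-all"],
                                  capture_output=True, text=True, check=True).stdout
            return pending_changes(run, perm)


        if __name__ == "__main__":
            missing = pending_changes(RUNTIME_SAMPLE, PERMANENT_SAMPLE)
            if missing:
                print("Saved but not active; run `firewall-cmd --reload`:")
                for key, values in missing.items():
                    print(f"  {key}: {' '.join(sorted(values))}")
            else:
                print("Runtime matches permanent configuration.")
        ```

        `firewall-cmd --reload` activates the saved configuration without dropping established connections, so it is the usual way to apply `--permanent` changes; a full `systemctl restart firewalld` also works, as suggested above. If `check_live_host()` returns an empty dict and the service is still unreachable, the host firewall is not the blocker and the problem is in front of the server.
        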

        • doguibnu @viragomann

          @viragomann said in NAT to FreeIPA:

          @doguibnu
          Did you restart firewalld on the server after adding the rules? Otherwise they won't take effect.

          Yes, firewall-cmd --list-all shows:

          ```
          firewall-cmd --list-all
          public (active)
            target: default
            icmp-block-inversion: no
            interfaces: ens18
            sources: 
            services: cockpit dhcpv6-client dns freeipa-4 http https kerberos kpasswd ldap ldaps ntp ssh
            ports: 
            protocols: 
            forward: no
            masquerade: yes
            forward-ports: 
            source-ports: 
            icmp-blocks: 
            rich rules: 
          ```

          Did you also add a firewall rule on pfSense to pass the packets back to the server? You can also do this directly in the NAT rule at "Filter rule association".

          Yes, I did, but it still does not accept.

          In Firefox it shows:

          ```
          This site was not found.

          We were unable to connect to the server at my_subdomain

          If this address is correct, here are other things you can try:

              Try again later.
              Check your network connection.
              If you are logged in behind a firewall, make sure Firefox is allowed to access the web.
          ```

          So I am "frozen" here and have been lost for many days!

          Thank you for your attention!

          • viragomann @doguibnu

            @doguibnu
            On pfSense you can sniff the traffic (Diagnostics > Packet Capture) to check if the packets are forwarded properly.

            Select the interface facing the server, and enter the protocol and port as the filter to avoid useless noise. Start the capture and trigger an access from outside.

            If you get nothing, sniff the packets on the incoming interface to ensure that the packets are arriving on pfSense at all.
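            The two captures described above (server-facing interface first, then the incoming interface) answer different questions, and reading them together localises the fault. pfSense's Diagnostics > Packet Capture is a front end for tcpdump, so the lines it shows have tcpdump's `-n` format. The script below is an added example, not code from this thread: it parses constructed tcpdump-style lines for a WAN capture and a LAN capture of the forwarded port and reports which hop failed. The public address 198.51.100.10 and the internal address 10.1.1.20 are assumed placeholders (the thread only says 10.1.1.x).

            ```python
            """Locate where a port-forward fails from a WAN-side and a LAN-side tcpdump capture.

            Added example, not part of the forum thread. All addresses and capture lines are
            constructed; 198.51.100.10 stands in for the pfSense WAN address and 10.1.1.20
            for the FreeIPA host behind it.
            """
            import re
            from dataclasses import dataclass

            # Matches the address/flag part of a `tcpdump -n` TCP line, e.g.
            # 12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.8099: Flags [S], seq 1, win 64240, length 0
            LINE_RE = re.compile(
                r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                r"Flags \[(?P<flags>[^\]]+)\]"
            )

            PUBLIC_IP = "198.51.100.10"   # assumed pfSense WAN address
            INTERNAL_IP = "10.1.1.20"     # assumed FreeIPA host (thread says 10.1.1.x)
            PORT = 8099

            # Constructed capture lines for one connection attempt from 203.0.113.5.
            WAN_SYN = "12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.8099: Flags [S], seq 1, win 64240, length 0"
            LAN_SYN = "12:00:01.000100 IP 203.0.113.5.51234 > 10.1.1.20.8099: Flags [S], seq 1, win 64240, length 0"
            LAN_SYNACK = "12:00:01.000200 IP 10.1.1.20.8099 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0"
            WAN_SYNACK = "12:00:01.000300 IP 198.51.100.10.8099 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0"

            VERDICTS = {
                "no-ingress": "No SYN reached the WAN side: DNS, public IP or upstream provider issue, not pfSense.",
                "not-forwarded": "SYN seen on WAN but not on LAN: NAT rule or its associated filter rule is not passing it.",
                "host-not-answering": "SYN delivered to the host but no SYN-ACK: host firewall or nothing listening on the port.",
                "reply-not-returned": "Host answered but the SYN-ACK never left WAN: host default gateway / asymmetric routing.",
                "ok": "Handshake completes through pfSense; look at the application (TLS, hostname) instead.",
            }


            @dataclass(frozen=True)
            class Pkt:
                src: str
                sport: int
                dst: str
                dport: int
                flags: str


            def parse_capture(text: str) -> list[Pkt]:
                """Extract TCP packets from tcpdump -n output; non-matching lines are ignored."""
                pkts = []
                for line in text.splitlines():
                    m = LINE_RE.search(line)
                    if m:
                        pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
                return pkts


            def diagnose(wan_text: str, lan_text: str,
                         public_ip: str = PUBLIC_IP, internal_ip: str = INTERNAL_IP,
                         port: int = PORT) -> str:
                """Return one of the VERDICTS keys describing the first hop where traffic stops."""
                wan, lan = parse_capture(wan_text), parse_capture(lan_text)
                wan_syn = any(p.dst == public_ip and p.dport == port and p.flags == "S" for p in wan)
                lan_syn = any(p.dst == internal_ip and p.dport == port and p.flags == "S" for p in lan)
                lan_synack = any(p.src == internal_ip and p.sport == port and p.flags == "S." for p in lan)
                # After reverse NAT the reply on WAN carries the public address as its source.
                wan_synack = any(p.src == public_ip and p.sport == port and p.flags == "S." for p in wan)
                if not wan_syn:
                    return "no-ingress"
                if not lan_syn:
                    return "not-forwarded"
                if not lan_synack:
                    return "host-not-answering"
                if not wan_synack:
                    return "reply-not-returned"
                return "ok"


            if __name__ == "__main__":
                # The situation in this thread: packets arrive, but nothing shows up on the LAN side.
                verdict = diagnose(WAN_SYN, "")
                print(verdict, "->", VERDICTS[verdict])
            ```

            On the pfSense shell the same captures are `tcpdump -ni <wan_if> tcp port 8099` and `tcpdump -ni <lan_if> tcp port 8099` (substitute the real interface names); paste each output into `diagnose()`. The "not-forwarded" case is where the NAT rule's "Filter rule association" from the earlier reply matters, and "host-not-answering" points back at the firewalld check.
            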

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.