Netgate Discussion Forum

    Need help with NAT

    NAT · 6 Posts · 3 Posters · 619 Views
    sbrews

      [Screenshot 2022-12-14 at 7.31.26 PM.png: diagram of the test network]

      So this is what my "test" network looks like - 100% in virtual box, no access to/from world.

      Forgot to add to diagram - gateway on pfsense:

      Name   Default           Interface   Gateway       Description
      WANGW  default (ipv4)    WAN         63.147.72.1   interface wan gw

      Monitor IP (for gw) is disabled

      "Internet" is connected to intnet network
      Left side of linux router is connected to intnet network.
      Right side of linux router is connected to rtrnet network
      -- linux router has forwarding enabled via: sysctl -w net.ipv4.ip_forward=1
      PFsense WAN is connected to rtrnet network
      PFsense LAN is connected to lannet network
      All other servers are connected to lannet network

      From the pfsense command line or the gui server's command line I can successfully ssh/logon to dmz - so I know ssh is working.

      From "internet" or the linux router, ssh never completes... it just hangs till it times out, even though the pfsense fw logs show that port 22 was allowed through.

      Since this doesn't work from "internet" or the linux router, but does from pfsense and the gui server, I figure I have done something wrong or not set something on pfsense, but I am at a loss for what needs fixing.

      Aside from pfsense, there are no other firewalls running on any of the linux servers.

      My current (wrong?) understanding is that this should work... but it doesn't.
      Any help/pointers on what I am doing wrong/missing would be greatly appreciated.

      SteveITS (Galactic Empire) @sbrews

        @sbrews is the firewall on the DMZ server set to allow ssh from any (outside its local subnet)?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        sbrews @SteveITS

          @steveits the dmz server is not running any local firewall, i.e. firewalld is stopped/disabled.

          SteveITS (Galactic Empire) @sbrews

            @sbrews Can you forward ICMP and ping it? From pfSense’s point of view, all that it needs is the NAT rule and its linked firewall rule.

            Edit: is the gateway/mask on DMZ server correct?


            viragomann @sbrews

              @sbrews
              There is a nice port test tool in pfSense in Diagnostic menu.

              Enter the server's IP and the SSH port and hit the Test button. I expect that the test succeeds.
              Then change the source address to WAN and try again.
              What do you get?

              sbrews @viragomann
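A small diagnostic script, added here as an example and not posted by anyone in this thread, that checks the three things the replies ask about for the topology in the first post: that the Linux router really forwards and has a route back to the pfSense WAN subnet (a missing return route lets the SYN through, which is what the firewall log records, but drops the reply, which looks exactly like a hang), that the DMZ server's default gateway is the pfSense LAN address (SteveITS's question), and a TCP connect probe to port 22 of the kind the Diagnostics port test performs. The route tables are constructed sample output; 63.147.72.1 comes from the gateway table above and is assumed to be the Linux router's rtrnet side, while 192.168.1.x and 10.0.0.x are placeholders for lannet and intnet.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Checks the three things
# the replies ask about, using constructed sample data so it runs offline:
#   1. ip_forward on the Linux router (the thread sets it with sysctl)
#   2. the DMZ server's default gateway (SteveITS's question)
#   3. a TCP connect test to port 22 (what the pfSense Diagnostics port test does)
# Addresses: 63.147.72.1 is taken from the gateway table in the first post and
# assumed to be the Linux router's rtrnet side; 192.168.1.x and 10.0.0.x are
# constructed placeholders for lannet and intnet.

# Constructed 'ip route show' output for the DMZ server (lannet).
DMZ_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Constructed 'ip route show' output for the Linux router (intnet <-> rtrnet).
ROUTER_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
63.147.72.0/24 dev eth1 proto kernel scope link src 63.147.72.1'

# 1. Returns 0 when a "sysctl net.ipv4.ip_forward" output line shows forwarding on.
forwarding_enabled() {
    case "$1" in
        *"= 1") return 0 ;;
        *)      return 1 ;;
    esac
}

# 2a. Prints the default gateway found in 'ip route show' text read from stdin.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# 2b. Returns 0 when the route table on stdin has an entry for prefix $1.
# Without a return route on the Linux router for the pfSense WAN subnet the
# SYN is forwarded but the SYN/ACK never comes back: the session hangs.
has_route_to() {
    awk -v net="$1" '$1 == net { found = 1 } END { exit found ? 0 : 1 }'
}

# 3. TCP connect probe: 0 = port accepted the connection, 1 = refused, timed
# out, or no probe tool present. Uses nc when available, else bash's /dev/tcp.
# $3 is the timeout in seconds.
tcp_probe() {
    host="$1"; port="$2"; secs="${3:-5}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$secs" "$host" "$port" >/dev/null 2>&1
    else
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# Runs the checks against the constructed tables and reports each result.
# Hypothetical addresses: DMZ host 192.168.1.10, pfSense LAN 192.168.1.1,
# pfSense WAN subnet 63.147.72.0/24.
run_checks() {
    if forwarding_enabled "net.ipv4.ip_forward = 1"; then
        echo "router: ip_forward=1 OK"
    else
        echo "router: ip_forward is off; run sysctl -w net.ipv4.ip_forward=1"
    fi
    gw=$(printf '%s\n' "$DMZ_ROUTES" | default_gateway)
    if [ "$gw" = "192.168.1.1" ]; then
        echo "dmz: default gateway $gw is the pfSense LAN address OK"
    else
        echo "dmz: default gateway is '$gw', expected the pfSense LAN address"
    fi
    if printf '%s\n' "$ROUTER_ROUTES" | has_route_to 63.147.72.0/24; then
        echo "router: has a route back to the pfSense WAN subnet OK"
    else
        echo "router: no route to 63.147.72.0/24, replies from pfSense WAN cannot return"
    fi
    # From the "internet" VM the real probe would be: tcp_probe <pfSense WAN address> 22 5
    if tcp_probe 127.0.0.1 22 2; then
        echo "probe: port 22 accepted the connection"
    else
        echo "probe: port 22 refused or timed out"
    fi
}

run_checks
```

On the real VMs, replace the two constructed tables with `ip route show` output from the DMZ server and the Linux router, and run the probe from the "internet" VM against the pfSense WAN address; a probe that times out while the pfSense log shows the SYN passed points at the return path rather than at the NAT rule.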

                For those who replied / tried to help / pointed me in the right direction - thank you.

                Going to have to put this on the back burner as I have been banging on this for a couple weeks now with no progress. The network people at my 4 letter place are not familiar with pfsense... and are busy with other things.

                This is/was a pet project for me - trying to duplicate a piece of our physical environment in virtual box so I can test/experiment with things without impact on the physical environment.
