Netgate Discussion Forum
    Ah, the tedium - Port Forwarding HTTP goes to pfSense?

    NAT
    5 Posts 2 Posters 4.4k Views
    chrisjx

      WAN1 = Comcast dynamic - 15-20 Mbps
      WAN2 = DSL w/ 3 fixed IPs (64.17.88.222, .114, .127) - 1.2 Mbps - publicly available IIS server

      I was running Smoothwall on a single DSL. Very straightforward. Now trying to get the Multi-WAN setup on pfSense.

      I ran instructions from the MultiWan Version 1.2 document and I can browse the internet from my PCs behind the firewall.  WooHoo!

      Decided to go with no load balancing as the Cable service is so much faster and was having issues w/ youtube and many retries on various sites.  I simply removed the OPT1 reference from the LoadBalance pool.  Seems better.  Not sure of the failover status.

      Now I am trying to get access on the 1st fixed IP on WAN2 to go to my web server running IIS. When I access the IP (from inside the LAN) I get to the authentication login for the pfSense WebGUI. Nothing tried so far gets me to my web site.

      I have the Port Forward setup going from WAN2 (specifying the fixed external IP) to 192.168.0.61. I had the check box selected to create the firewall rule (which it did). It all seems straight ahead but I've spent a lot of time so I must ask for help from the experts.

      I have included what I assume are pertinent sections below.

      I thank whoever can understand this.

      Thank you,
      Chris.

      <system>
        <optimization>normal</optimization>
        <hostname>pfsense</hostname>
        <domain>Donkey.local</domain>
        <username>admin</username>
        <password>voodoo</password>
        <timezone>America/Los_Angeles</timezone>
        <time-update-interval/>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <port/>
          <certificate/>
          <private-key/>
        </webgui>
        <ssh><authorizedkeys></authorizedkeys></ssh>
        <maximumstates/>
        <shapertype/>
        <dnsserver>76.87.68.182</dnsserver>  <!-- from Comcast -->
        <dnsserver>69.81.44.2</dnsserver>    <!-- from DSL service -->
      </system>

      <interfaces>
        <lan>
          <if>fxp0</if>
          <ipaddr>192.168.0.1</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
        </lan>
        <wan>
          <if>xl0</if>
          <mtu/>
          <blockpriv>on</blockpriv>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <spoofmac/>
          <blockbogons>on</blockbogons>
          <disableftpproxy/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname>pfSense</dhcphostname>
          <subnet/>
          <gateway></gateway>
        </wan>
        <opt1>
          <if>fxp1</if>
          <descr>WAN2</descr>
          <bridge/>
          <enable/>
          <ipaddr>64.17.88.222</ipaddr>
          <spoofmac/>
          <mtu/>
          <subnet>24</subnet>
          <gateway>64.17.88.1</gateway>
          <disableftpproxy></disableftpproxy>
        </opt1>
      </interfaces>

      <dhcpd>
        <lan>
          <enable/>
          <range>
            <from>192.168.0.10</from>
            <to>192.168.0.49</to>
          </range>
          <defaultleasetime/>
          <maxleasetime/>
          <netmask/>
          <failover_peerip/>
          <gateway/>
          <ddnsdomain/>
          <next-server/>
          <filename/>
          <staticmap>
            <mac>00:1e:2a:3f:71:ac</mac>
            <ipaddr>192.168.0.51</ipaddr>
            <hostname>MyWay</hostname>
            <descr>Old Web Server</descr>
          </staticmap>
          <staticmap>
            <mac>00:50:bf:96:83:b3</mac>
            <ipaddr>192.168.0.52</ipaddr>
            <hostname>MyBase</hostname>
            <descr>Old Data Server</descr>
          </staticmap>
          <staticmap>
            <mac>00:14:d1:18:46:8f</mac>
            <ipaddr>192.168.0.53</ipaddr>
            <hostname>MyWill</hostname>
            <descr>Music Station</descr>
          </staticmap>
          <staticmap>
            <mac>00:03:ff:00:a3:02</mac>
            <ipaddr>192.168.0.61</ipaddr>
            <hostname>MyPort</hostname>
            <descr>Web Server - Windows Virtual Sever 2003</descr>
          </staticmap>
          <staticmap>
            <mac>00:03:ff:07:a3:02</mac>
            <ipaddr>192.168.0.62</ipaddr>
            <hostname>MyZone</hostname>
            <descr>Data Server - Windows Virtual Sever 2003</descr>
          </staticmap>
          <staticmap>
            <mac>00:14:d1:18:44:6d</mac>
            <ipaddr>192.168.0.64</ipaddr>
            <hostname>MyHold</hostname>
            <descr>Backup Server</descr>
          </staticmap>
        </lan>
      </dhcpd>

      <nat>
        <ipsecpassthru><enable></enable></ipsecpassthru>
        <advancedoutbound/>
        <rule>
          <external-address>64.17.88.222</external-address>
          <protocol>tcp</protocol>
          <external-port>80</external-port>
          <target>MyPort</target>
          <local-port>80</local-port>
          <interface>opt1</interface>
          <descr>Donkey.com to IIS on MyPort</descr>
        </rule>
      </nat>
      <filter>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination>
            <address>MyPort</address>
            <port>80</port>
          </destination>
          <log/>
          <descr>NAT Donkey.com to IIS on MyPort</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source><network>lan</network></source>
          <destination><address>192.168.0.0/24</address></destination>
          <log/>
          <descr>Make sure DMZ1 traffic goes to the right interface</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source><network>lan</network></source>
          <destination><network>opt1</network></destination>
          <log/>
          <descr>Make sure DMZ2 traffic goes to WAN2 DMZ</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source><network>lan</network></source>
          <destination><any></any></destination>
          <descr>Everything Else Gets shared out</descr>
          <gateway>LoadBalance</gateway>
        </rule>
      </filter>

      <aliases>
        <alias>
          <name>MyPort</name>
          <address>192.168.0.61/32</address>
          <descr/>
          <type>network</type>
          <detail>MyPort ||</detail>
        </alias>
        <alias>
          <name>MyWay</name>
          <address>192.168.0.51/32</address>
          <descr/>
          <type>network</type>
          <detail>MyWay||</detail>
        </alias>
        <alias>
          <name>Donkey_Com</name>
          <address>64.17.88.222/24</address>
          <descr/>
          <type>network</type>
          <detail>Donkey.com||</detail>
        </alias>
        <alias>
          <name>Donkey_Org</name>
          <address>64.17.88.127/24</address>
          <descr/>
          <type>network</type>
          <detail>Donkey.org||</detail>
        </alias>
        <alias>
          <name>Sparkcles_Net</name>
          <address>64.17.88.114/24</address>
          <descr/>
          <type>network</type>
          <detail>Sparkles.net||</detail>
        </alias>
      </aliases>

      <load_balancer>
        <lbpool>
          <type>gateway</type>
          <behaviour>balance</behaviour>
          <monitorip/>
          <name>LoadBalance</name>
          <desc>Round Robin load balancing - Comcast only</desc>
          <port/>
          <servers>wan|76.87.68.182</servers>
        </lbpool>
        <lbpool>
          <type>gateway</type>
          <behaviour>failover</behaviour>
          <monitorip/>
          <name>WAN1FailsToWAN2</name>
          <desc>WAN2 preferred when WAN1 fails</desc>
          <port/>
          <servers>opt1|69.81.44.2</servers>
          <servers>wan|76.87.68.182</servers>
        </lbpool>
        <lbpool>
          <type>gateway</type>
          <behaviour>failover</behaviour>
          <monitorip>69.81.44.2</monitorip>
          <name>WAN2FailsToWAN1</name>
          <desc>WAN1 preferred when WAN2 fails</desc>
          <port/>
          <servers>wan|76.87.68.182</servers>
          <servers>opt1|69.81.44.2</servers>
        </lbpool>
      </load_balancer>
      <virtualip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Sparkles.net on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.114</subnet>
        </vip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Donkey.org on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.127</subnet>
        </vip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Donkey.com on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.222</subnet>
        </vip>
      </virtualip>

      MyConfig.txt

      chrisjx

        OK, so I changed the port access for the WebGUI to :83. Now I'm not getting to the WebGUI when I access the default HTTP port 80.

        But, now it times out looking for my IIS server.

        Any advice out there?

        Here's the NAT:

        MyPort is the alias to the IIS portal server
        donkey.com is the fake domain name on my fixed IP DSL service on WAN2/OPT1

        <nat>
          <ipsecpassthru><enable></enable></ipsecpassthru>
          <advancedoutbound/>
          <rule>
            <external-address>64.17.88.222</external-address>
            <protocol>tcp</protocol>
            <external-port>80</external-port>
            <target>MyPort</target>
            <local-port>80</local-port>
            <interface>opt1</interface>
            <descr>Donkey.com to IIS on MyPort</descr>
          </rule>
        </nat>

        Here's the rule:

        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination>
            <address>MyPort</address>
            <port>80</port>
          </destination>
          <log/>
          <descr>NAT Donkey.com to IIS on MyPort</descr>
        </rule>

          Briantist

          Instead of using a network type alias and specifying a /32 why not use a host type alias? I have no idea if this is the issue, but it stood out at me. Also, I can't speak for anyone else but for me screenshots are easier to read than direct XML config.

            chrisjx

            Hallelujah…  Briantist, you're "the man".  That worked.

            Subtle/arcane info makes all the difference.

            Thank you.

            I will post pictures for any future help.  It would be really cool if there was a tag we could add to the xml config content which would color code it and make it easier to read.  When posting pics, I get nervous about displaying real info (seems like an invite to hackers) so then you have to go in and cover critical info in a graphics program.

            Anyway, thanks, thanks, thanks.

              Briantist

              Great! Glad I could help. It jumped out at me because I've seen that using aliases in NAT rules doesn't always turn out as expected!

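The two things this thread turns on, a port forward colliding with the WebGUI port and a /32 network alias where a host alias belongs, are both visible in the config.xml itself, as is the admin password the first post pastes in the clear. The script below is an added example, not code from this thread or from pfSense: it reads a config in the 1.2-era layout quoted above (system/webgui, nat/rule, aliases/alias with name, type and address), reports both findings, and blanks the secret-bearing elements (password, private-key, authorizedkeys) so the file can be posted without the manual cover-up the last reply worries about. The sample XML is constructed here with placeholder credentials. One check goes beyond the thread: a network alias written as address/prefix with host bits set (like 64.17.88.222/24) matches the whole prefix, not the single address its name suggests, and the script flags that too.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the 1.2-era config quoted in this thread and
# cut down to the elements the checks below look at. The password and SSH key
# are made-up placeholders, not real credentials.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <password>voodoo</password>
    <webgui><protocol>http</protocol><port></port></webgui>
    <ssh><authorizedkeys>ssh-rsa AAAAexamplekey admin@example</authorizedkeys></ssh>
  </system>
  <nat>
    <rule>
      <external-address>64.17.88.222</external-address>
      <protocol>tcp</protocol>
      <external-port>80</external-port>
      <target>MyPort</target>
      <local-port>80</local-port>
      <interface>opt1</interface>
      <descr>Donkey.com to IIS on MyPort</descr>
    </rule>
  </nat>
  <aliases>
    <alias><name>MyPort</name><type>network</type><address>192.168.0.61/32</address></alias>
    <alias><name>Donkey_Com</name><type>network</type><address>64.17.88.222/24</address></alias>
  </aliases>
</pfsense>
"""

# Elements whose text should never leave the box when a config is shared.
SECRET_TAGS = {"password", "private-key", "authorizedkeys"}


def webgui_port(root):
    """Effective WebGUI port: the explicit <port> if set, else the protocol default."""
    gui = root.find("system/webgui")
    if gui is None:
        return 80
    proto = (gui.findtext("protocol") or "http").strip().lower()
    port = (gui.findtext("port") or "").strip()
    return int(port) if port else (443 if proto == "https" else 80)


def lint_config(xml_text):
    """Return human-readable findings about port forwards and the aliases they use."""
    root = ET.fromstring(xml_text)
    findings = []
    gui_port = webgui_port(root)
    aliases = {a.findtext("name"): a for a in root.findall("aliases/alias")}

    for rule in root.findall("nat/rule"):
        descr = rule.findtext("descr") or "(no description)"
        ext_port = (rule.findtext("external-port") or "").strip()
        # Symptom from the thread: forward on port 80 while the WebGUI also
        # listens on 80, so a test connection lands on pfSense's login page.
        if ext_port.isdigit() and int(ext_port) == gui_port:
            findings.append(f"{descr}: external port {ext_port} is also the WebGUI port; "
                            "move the WebGUI to another port")
        # Briantist's point: a network alias with a /32 target should be a host alias.
        target = rule.findtext("target")
        alias = aliases.get(target)
        if alias is not None and alias.findtext("type") == "network" \
                and (alias.findtext("address") or "").endswith("/32"):
            findings.append(f"{descr}: target alias {target} is a network alias "
                            "with /32; use a host alias instead")

    # Beyond the thread: a network alias written as host/prefix with host bits
    # set matches the whole prefix, not the single address the name suggests.
    for name, alias in aliases.items():
        if alias.findtext("type") != "network":
            continue
        addr = (alias.findtext("address") or "").strip()
        try:
            ipaddress.ip_network(addr, strict=True)
            continue
        except ValueError:
            pass
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append(f"alias {name}: {addr!r} is not a valid network")
            continue
        findings.append(f"alias {name}: {addr} has host bits set and matches all of {net}")
    return findings


def redact_config(xml_text):
    """Blank every secret-bearing element; return (redacted XML text, count)."""
    root = ET.fromstring(xml_text)
    count = 0
    for el in root.iter():
        if el.tag in SECRET_TAGS and (el.text or "").strip():
            el.text = "REDACTED"
            count += 1
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("finding:", finding)
    redacted, n = redact_config(SAMPLE_CONFIG)
    print(f"redacted {n} element(s)")
    print(redacted)
```

Run it against a real backup by reading the file into `lint_config` and `redact_config` in place of `SAMPLE_CONFIG`; on the sample it reports the WebGUI collision, the /32 network alias and the host-bits alias, and blanks the password and SSH key before anything is printed. The checks are purely static: they cannot tell where the test client sits, and a forward tested from inside the LAN, as in the first post, only exercises the rule at all when NAT reflection or a split-DNS entry sends that traffic through it.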
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.