Ah, the tedium - Port Forwarding HTTP goes to pfSense?



  • WAN1 = Comcast dynamic - 15-20 Mbps
    WAN2 = DSL w/ 3 fixed IPs (64.17.88.222, .114, .127) - 1.2 Mbps - publicly available IIS server

    I was running Smoothwall on a single DSL. Very straightforward.  Now trying to get the Multi-WAN setup on pfSense.

    I ran instructions from the MultiWan Version 1.2 document and I can browse the internet from my PCs behind the firewall.  WooHoo!

    Decided to go with no load balancing as the Cable service is so much faster and was having issues w/ youtube and many retries on various sites.  I simply removed the OPT1 reference from the LoadBalance pool.  Seems better.  Not sure of the failover status.

    Now I am trying to get access on the 1st fixed IP on WAN2 to go to my web server running IIS.  When I access the IP (from inside the LAN) I get to the authentication login for pfSense WebGUI.  Nothing tried so far gets me to my web site.

    I have the Port Forward setup going from WAN2 (specifying the fixed external IP) to 192.168.0.61.  I had the check box selected to create the firewall rule (which it did).  It all seems straight ahead but I've spent a lot of time so I must ask for help from the experts.

    I have included what I assume are pertinent sections below.

    I thank whoever can understand this.

    Thank you,
    Chris.

    <system><optimization>normal</optimization>
    <hostname>pfsense</hostname>
    <domain>Donkey.local</domain>
    <username>admin</username>
    <password>voodoo</password>
    <timezone>America/Los_Angeles</timezone>
    <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers>
    <webgui><protocol>http</protocol>
    <port><certificate><private-key></private-key></certificate></port></webgui>
    <ssh><authorizedkeys></authorizedkeys></ssh>
    <maximumstates><shapertype><dnsserver>76.87.68.182</dnsserver> (from COMCast)
    <dnsserver>69.81.44.2</dnsserver>    (from DSL service)</shapertype></maximumstates></time-update-interval></system>

    <interfaces><lan><if>fxp0</if>
    <ipaddr>192.168.0.1</ipaddr>
    <subnet>24</subnet>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
    <wan><if>xl0</if>
    <mtu><blockpriv>on</blockpriv>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <spoofmac><blockbogons>on</blockbogons>
    <disableftpproxy><ipaddr>dhcp</ipaddr>
    <dhcphostname>pfSense</dhcphostname>
    <subnet><gateway></gateway></subnet></disableftpproxy></spoofmac></mediaopt></media></mtu></wan>
    <opt1><if>fxp1</if>
    <descr>WAN2</descr>
    <bridge><enable><ipaddr>64.17.88.222</ipaddr>
    <spoofmac><mtu><subnet>24</subnet>
    <gateway>64.17.88.1</gateway>
    <disableftpproxy></disableftpproxy></mtu></spoofmac></enable></bridge></opt1></interfaces>

    <dhcpd><lan><enable><range><from>192.168.0.10</from>
    <to>192.168.0.49</to></range>
    <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><ddnsdomain><next-server><filename><staticmap><mac>00:1e:2a:3f:71:ac</mac>
    <ipaddr>192.168.0.51</ipaddr>
    <hostname>MyWay</hostname>
    <descr>Old Web Server</descr></staticmap>
    <staticmap><mac>00:50:bf:96:83:b3</mac>
    <ipaddr>192.168.0.52</ipaddr>
    <hostname>MyBase</hostname>
    <descr>Old Data Server</descr></staticmap>
    <staticmap><mac>00:14:d1:18:46:8f</mac>
    <ipaddr>192.168.0.53</ipaddr>
    <hostname>MyWill</hostname>
    <descr>Music Station</descr></staticmap>
    <staticmap><mac>00:03:ff:00:a3:02</mac>
    <ipaddr>192.168.0.61</ipaddr>
    <hostname>MyPort</hostname>
    <descr>Web Server - Windows Virtual Sever 2003</descr></staticmap>
    <staticmap><mac>00:03:ff:07:a3:02</mac>
    <ipaddr>192.168.0.62</ipaddr>
    <hostname>MyZone</hostname>
    <descr>Data Server - Windows Virtual Sever 2003</descr></staticmap>
    <staticmap><mac>00:14:d1:18:44:6d</mac>
    <ipaddr>192.168.0.64</ipaddr>
    <hostname>MyHold</hostname>
    <descr>Backup Server</descr></staticmap></filename></next-server></ddnsdomain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></enable></lan></dhcpd>

    <nat><ipsecpassthru><enable></enable></ipsecpassthru>
    <advancedoutbound><rule><external-address>64.17.88.222</external-address>
    <protocol>tcp</protocol>
    <external-port>80</external-port>
    <target>MyPort</target>
    <local-port>80</local-port>
    <interface>opt1</interface>
    <descr>Donkey.com to IIS on MyPort</descr></rule></advancedoutbound></nat>
    <filter><rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>MyPort</address>

    <port>80</port></destination>
    <log><descr>NAT Donkey.com to IIS on MyPort</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <network>lan</network>

    <destination><address>192.168.0.0/24</address></destination>
    <log><descr>Make sure DMZ1 traffic goes to the right interface</descr></log></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <network>lan</network>

    <destination><network>opt1</network></destination>
    <log><descr>Make sure DMZ2 traffic goes to WAN2 DMZ</descr></log></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <network>lan</network>

    <destination><any></any></destination>
    <descr>Everything Else Gets shared out</descr>
    <gateway>LoadBalance</gateway></os></statetimeout></max-src-states></max-src-nodes></rule></filter>

    <aliases><alias><name>MyPort</name>

    <address>192.168.0.61/32</address>

    <descr><type>network</type>
    <detail>MyPort ||</detail></descr></alias>
    <alias><name>MyWay</name>

    <address>192.168.0.51/32</address>

    <descr><type>network</type>
    <detail>MyWay||</detail></descr></alias>
    <alias><name>Donkey_Com</name>

    <address>64.17.88.222/24</address>

    <descr><type>network</type>
    <detail>Donkey.com||</detail></descr></alias>
    <alias><name>Donkey_Org</name>

    <address>64.17.88.127/24</address>

    <descr><type>network</type>
    <detail>Donkey.org||</detail></descr></alias>
    <alias><name>Sparkcles_Net</name>

    <address>64.17.88.114/24</address>

    <descr><type>network</type>
    <detail>Sparkles.net||</detail></descr></alias></aliases>

    <load_balancer><lbpool><type>gateway</type>
    <behaviour>balance</behaviour>
    <monitorip><name>LoadBalance</name>
    <desc>Round Robin load balancing - Comcast only</desc>
    <port><servers>wan|76.87.68.182</servers></port></monitorip></lbpool>
    <lbpool><type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip><name>WAN1FailsToWAN2</name>
    <desc>WAN2 preferred when WAN1 fails</desc>
    <port><servers>opt1|69.81.44.2</servers>
    <servers>wan|76.87.68.182</servers></port></monitorip></lbpool>
    <lbpool><type>gateway</type>
    <behaviour>failover</behaviour>
    <monitorip>69.81.44.2</monitorip>
    <name>WAN2FailsToWAN1</name>
    <desc>WAN1 preferred when WAN2 fails</desc>
    <port><servers>wan|76.87.68.182</servers>
    <servers>opt1|69.81.44.2</servers></port></lbpool></load_balancer>
    <virtualip><vip><mode>proxyarp</mode>
    <interface>opt1</interface>
    <descr>Sparkles.net on WAN2</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>64.17.88.114</subnet></vip>
    <vip><mode>proxyarp</mode>
    <interface>opt1</interface>
    <descr>Donkey.org on WAN2</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>64.17.88.127</subnet></vip>
    <vip><mode>proxyarp</mode>
    <interface>opt1</interface>
    <descr>Donkey.com on WAN2</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>64.17.88.222</subnet></vip></virtualip>




  • OK, so I changed the port access for the WebGUI to :83.  Now I'm not getting to the WebGUI when I access the default http port 80.

    But, now it times out looking for my IIS server.

    Any advice out there?

    Here's the NAT:

    MyPort is the alias to the IIS portal server
    donkey.com is the fake domain name on my fixed IP DSL service on WAN2/OPT1

    <nat><ipsecpassthru><enable></enable></ipsecpassthru>
          <advancedoutbound><rule><external-address>64.17.88.222</external-address>
            <protocol>tcp</protocol>
            <external-port>80</external-port>
            <target>MyPort</target>
            <local-port>80</local-port>
            <interface>opt1</interface>
            <descr>Donkey.com to IIS on MyPort</descr></rule></advancedoutbound></nat>

    Here's the rule:

    <rule><type>pass</type>
            <interface>opt1</interface>
            <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
            <os><protocol>tcp</protocol>
            <source>
                <any><destination><address>MyPort</address>

    <port>80</port></destination>
            <log><descr>NAT Donkey.com to IIS on MyPort</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>



  • Instead of using a network type alias and specifying a /32 why not use a host type alias? I have no idea if this is the issue, but it stood out at me. Also, I can't speak for anyone else but for me screenshots are easier to read than direct XML config.
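    The two pitfalls in this thread, the network-type /32 alias as a NAT target (the reply above) and the WebGUI answering on port 80 (second post), as an added audit script that is not from the thread or from pfSense. It parses a constructed, well-formed config.xml snippet modelled on the poster's dump and assumes the layout <system><webgui>, <aliases><alias>, <nat><rule>.

```python
# Added audit, not from the thread or pfSense: the config below is constructed
# and assumes the layout <system><webgui>, <aliases><alias>, <nat><rule>.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
  <system><webgui><protocol>http</protocol><port></port></webgui></system>
  <aliases>
    <alias><name>MyPort</name><type>network</type>
      <address>192.168.0.61/32</address><descr>IIS host</descr></alias>
  </aliases>
  <nat>
    <rule><interface>opt1</interface><protocol>tcp</protocol>
      <external-address>64.17.88.222</external-address>
      <external-port>80</external-port><target>MyPort</target>
      <local-port>80</local-port><descr>Donkey.com to IIS on MyPort</descr></rule>
  </nat>
</pfsense>"""


def text(elem, tag, default=""):
    """Trimmed text of a child element; default when missing or empty."""
    child = elem.find(tag) if elem is not None else None
    value = (child.text or "").strip() if child is not None else ""
    return value or default


def webgui_port(root):
    """Effective WebGUI listener: explicit <port>, else the protocol default."""
    gui = root.find("system/webgui")
    port = text(gui, "port")
    return int(port) if port else (443 if text(gui, "protocol", "http") == "https" else 80)


def audit(config_xml):
    """Return findings for each NAT port forward in a pfSense config.xml string."""
    root = ET.fromstring(config_xml)
    aliases = {text(a, "name"): a for a in root.findall("aliases/alias")}
    gui_port = webgui_port(root)
    findings = []
    for rule in root.findall("nat/rule"):
        descr, target = text(rule, "descr", "<no descr>"), text(rule, "target")
        alias = aliases.get(target)
        # Briantist's point: a single host behind a network-type /32 alias misbehaves as a NAT target.
        if alias is not None and text(alias, "type") == "network":
            findings.append(f"{descr}: target alias '{target}' is type network "
                            f"({text(alias, 'address')}); use a host-type alias")
        # Second post: a forward on the WebGUI's own port reaches the login page, so the WebGUI must move.
        if text(rule, "external-port") == str(gui_port):
            findings.append(f"{descr}: external port {gui_port} is also the "
                            f"WebGUI listener; move the WebGUI to another port")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see both findings; after switching the alias to host type and the WebGUI to port 83, as the thread did, it returns none.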



  • Hallelujah…  Briantist, you're "the man".  That worked.

    Subtle/arcane info makes all the difference.

    Thank you.

    I will post pictures for any future help.  It would be really cool if there was a tag we could add to the xml config content which would color code it and make it easier to read.  When posting pics, I get nervous about displaying real info (seems like an invite to hackers) so then you have to go in and cover critical info in a graphics program.

    Anyway, thanks, thanks, thanks.



  • Great! Glad I could help. It jumped out at me because I've seen that using aliases in NAT rules doesn't always turn out as expected!

