    Netgate Discussion Forum
    Ah, the tedium - Port Forwarding HTTP goes to pfSense?

    NAT
      chrisjx last edited by

      WAN1 = Comcast dynamic - 15-20 Mbps
      WAN2 = DSL w/ 3 fixed IPs (64.17.88.222, .114, .127) - 1.2 Mbps - publicly available IIS server

      I was running Smoothwall on a single DSL. Very straightforward.  Now trying to get the Multi-WAN setup on pfSense.

      I ran instructions from the MultiWan Version 1.2 document and I can browse the internet from my PCs behind the firewall.  WooHoo!

      Decided to go with no load balancing as the Cable service is so much faster and was having issues w/ youtube and many retries on various sites.  I simply removed the OPT1 reference from the LoadBalance pool.  Seems better.  Not sure of the failover status.

      Now I am trying to get access on the 1st fixed IP on WAN2 to go to my web server running IIS.  When I access the IP (from inside the LAN) I get to the authentication login for pfSense WebGUI.  Nothing tried so far gets me to my web site.

      I have the Port Forward setup going from WAN2 (specifying the fixed external IP) to 192.168.0.61.  I had the check box selected to create the firewall rule (which it did).  It all seems straight ahead but I've spent a lot of time so I must ask for help from the experts.

      I have included what I assume are pertinent sections below.

      I thank whoever can understand this.

      Thank you,
      Chris.

      <system>
        <optimization>normal</optimization>
        <hostname>pfsense</hostname>
        <domain>Donkey.local</domain>
        <username>admin</username>
        <password>voodoo</password>
        <timezone>America/Los_Angeles</timezone>
        <time-update-interval/>
        <timeservers>0.pfsense.pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <port/>
          <certificate/>
          <private-key/>
        </webgui>
        <ssh>
          <authorizedkeys/>
        </ssh>
        <maximumstates/>
        <shapertype/>
        <dnsserver>76.87.68.182</dnsserver>  <!-- from Comcast -->
        <dnsserver>69.81.44.2</dnsserver>    <!-- from DSL service -->
      </system>

      <interfaces>
        <lan>
          <if>fxp0</if>
          <ipaddr>192.168.0.1</ipaddr>
          <subnet>24</subnet>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
        </lan>
        <wan>
          <if>xl0</if>
          <mtu/>
          <blockpriv>on</blockpriv>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <spoofmac/>
          <blockbogons>on</blockbogons>
          <disableftpproxy/>
          <ipaddr>dhcp</ipaddr>
          <dhcphostname>pfSense</dhcphostname>
          <subnet/>
          <gateway/>
        </wan>
        <opt1>
          <if>fxp1</if>
          <descr>WAN2</descr>
          <bridge/>
          <enable/>
          <ipaddr>64.17.88.222</ipaddr>
          <spoofmac/>
          <mtu/>
          <subnet>24</subnet>
          <gateway>64.17.88.1</gateway>
          <disableftpproxy/>
        </opt1>
      </interfaces>

      <dhcpd>
        <lan>
          <enable/>
          <range>
            <from>192.168.0.10</from>
            <to>192.168.0.49</to>
          </range>
          <defaultleasetime/>
          <maxleasetime/>
          <netmask/>
          <failover_peerip/>
          <gateway/>
          <ddnsdomain/>
          <next-server/>
          <filename/>
          <staticmap>
            <mac>00:1e:2a:3f:71:ac</mac>
            <ipaddr>192.168.0.51</ipaddr>
            <hostname>MyWay</hostname>
            <descr>Old Web Server</descr>
          </staticmap>
          <staticmap>
            <mac>00:50:bf:96:83:b3</mac>
            <ipaddr>192.168.0.52</ipaddr>
            <hostname>MyBase</hostname>
            <descr>Old Data Server</descr>
          </staticmap>
          <staticmap>
            <mac>00:14:d1:18:46:8f</mac>
            <ipaddr>192.168.0.53</ipaddr>
            <hostname>MyWill</hostname>
            <descr>Music Station</descr>
          </staticmap>
          <staticmap>
            <mac>00:03:ff:00:a3:02</mac>
            <ipaddr>192.168.0.61</ipaddr>
            <hostname>MyPort</hostname>
            <descr>Web Server - Windows Virtual Server 2003</descr>
          </staticmap>
          <staticmap>
            <mac>00:03:ff:07:a3:02</mac>
            <ipaddr>192.168.0.62</ipaddr>
            <hostname>MyZone</hostname>
            <descr>Data Server - Windows Virtual Server 2003</descr>
          </staticmap>
          <staticmap>
            <mac>00:14:d1:18:44:6d</mac>
            <ipaddr>192.168.0.64</ipaddr>
            <hostname>MyHold</hostname>
            <descr>Backup Server</descr>
          </staticmap>
        </lan>
      </dhcpd>

      <nat>
        <ipsecpassthru>
          <enable/>
        </ipsecpassthru>
        <advancedoutbound/>
        <rule>
          <external-address>64.17.88.222</external-address>
          <protocol>tcp</protocol>
          <external-port>80</external-port>
          <target>MyPort</target>
          <local-port>80</local-port>
          <interface>opt1</interface>
          <descr>Donkey.com to IIS on MyPort</descr>
        </rule>
      </nat>

      <filter>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source>
            <any/>
          </source>
          <destination>
            <address>MyPort</address>
            <port>80</port>
          </destination>
          <log/>
          <descr>NAT Donkey.com to IIS on MyPort</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <address>192.168.0.0/24</address>
          </destination>
          <log/>
          <descr>Make sure DMZ1 traffic goes to the right interface</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <network>opt1</network>
          </destination>
          <log/>
          <descr>Make sure DMZ2 traffic goes to WAN2 DMZ</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <source>
            <network>lan</network>
          </source>
          <destination>
            <any/>
          </destination>
          <descr>Everything Else Gets shared out</descr>
          <gateway>LoadBalance</gateway>
        </rule>
      </filter>

      <aliases>
        <alias>
          <name>MyPort</name>
          <address>192.168.0.61/32</address>
          <descr/>
          <type>network</type>
          <detail>MyPort ||</detail>
        </alias>
        <alias>
          <name>MyWay</name>
          <address>192.168.0.51/32</address>
          <descr/>
          <type>network</type>
          <detail>MyWay||</detail>
        </alias>
        <alias>
          <name>Donkey_Com</name>
          <address>64.17.88.222/24</address>
          <descr/>
          <type>network</type>
          <detail>Donkey.com||</detail>
        </alias>
        <alias>
          <name>Donkey_Org</name>
          <address>64.17.88.127/24</address>
          <descr/>
          <type>network</type>
          <detail>Donkey.org||</detail>
        </alias>
        <alias>
          <name>Sparkcles_Net</name>
          <address>64.17.88.114/24</address>
          <descr/>
          <type>network</type>
          <detail>Sparkles.net||</detail>
        </alias>
      </aliases>

      <load_balancer>
        <lbpool>
          <type>gateway</type>
          <behaviour>balance</behaviour>
          <monitorip/>
          <name>LoadBalance</name>
          <desc>Round Robin load balancing - Comcast only</desc>
          <port/>
          <servers>wan|76.87.68.182</servers>
        </lbpool>
        <lbpool>
          <type>gateway</type>
          <behaviour>failover</behaviour>
          <monitorip/>
          <name>WAN1FailsToWAN2</name>
          <desc>WAN2 preferred when WAN1 fails</desc>
          <port/>
          <servers>opt1|69.81.44.2</servers>
          <servers>wan|76.87.68.182</servers>
        </lbpool>
        <lbpool>
          <type>gateway</type>
          <behaviour>failover</behaviour>
          <monitorip>69.81.44.2</monitorip>
          <name>WAN2FailsToWAN1</name>
          <desc>WAN1 preferred when WAN2 fails</desc>
          <port/>
          <servers>wan|76.87.68.182</servers>
          <servers>opt1|69.81.44.2</servers>
        </lbpool>
      </load_balancer>

      <virtualip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Sparkles.net on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.114</subnet>
        </vip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Donkey.org on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.127</subnet>
        </vip>
        <vip>
          <mode>proxyarp</mode>
          <interface>opt1</interface>
          <descr>Donkey.com on WAN2</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>64.17.88.222</subnet>
        </vip>
      </virtualip>

      MyConfig.txt

        chrisjx last edited by

        OK, so I changed the port access for the WebGUI to :83.  Now I'm not getting to the WebGUI when I access the default http port 80.

        But, now it times out looking for my IIS server.

        Any advice out there?

        Here's the NAT:

        MyPort is the alias to the IIS portal server
        donkey.com is the fake domain name on my fixed IP DSL service on WAN2/OPT1

        <nat>
          <ipsecpassthru>
            <enable/>
          </ipsecpassthru>
          <advancedoutbound/>
          <rule>
            <external-address>64.17.88.222</external-address>
            <protocol>tcp</protocol>
            <external-port>80</external-port>
            <target>MyPort</target>
            <local-port>80</local-port>
            <interface>opt1</interface>
            <descr>Donkey.com to IIS on MyPort</descr>
          </rule>
        </nat>

        Here's the rule:

        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source>
            <any/>
          </source>
          <destination>
            <address>MyPort</address>
            <port>80</port>
          </destination>
          <log/>
          <descr>NAT Donkey.com to IIS on MyPort</descr>
        </rule>

          Briantist last edited by

          Instead of using a network type alias and specifying a /32 why not use a host type alias? I have no idea if this is the issue, but it stood out to me. Also, I can't speak for anyone else but for me screenshots are easier to read than direct XML config.

            chrisjx last edited by

            Hallelujah…  Briantist, you're "the man".  That worked.

            Subtle/arcane info makes all the difference.

            Thank you.

            I will post pictures for any future help.  It would be really cool if there was a tag we could add to the xml config content which would color code it and make it easier to read.  When posting pics, I get nervous about displaying real info (seems like an invite to hackers) so then you have to go in and cover critical info in a graphics program.

            Anyway, thanks, thanks, thanks.

              Briantist last edited by

              Great! Glad I could help. It jumped out at me because I've seen that using aliases in NAT rules doesn't always turn out as expected!

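The three things this thread turned on (a port forward whose target is a network-type alias rather than a host, the webConfigurator answering on the same port the forward uses, and policy-routed LAN rules that need no-gateway pass rules for local networks ahead of them) can all be read straight out of config.xml. The linter below is an added example, not pfSense code and not anything the posters wrote; it assumes the pfSense 1.2-era config layout shown in the posts (`nat/rule`, `filter/rule`, `aliases/alias`, `system/webgui`). The sample XML is constructed from the values in the thread rather than being the real config, and it deliberately omits the opt1 "DMZ2" pass rule so the policy-routing check has something to report. The "fixed" variant shows the same config with a host alias, the GUI on https port 83, and the missing opt1 rule added.

```python
# Added example (not pfSense code and not the poster's): a small linter for a
# pfSense 1.2-era config.xml that flags the mistakes this thread turned on.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed from the values in the thread, not the real config; the opt1 "DMZ2"
# pass rule is left out on purpose so the policy-routing check has something to flag.
SAMPLE_CONFIG = """<pfsense>
<system><webgui><protocol>http</protocol><port></port></webgui></system>
<interfaces>
  <lan><if>fxp0</if><ipaddr>192.168.0.1</ipaddr><subnet>24</subnet></lan>
  <wan><if>xl0</if><ipaddr>dhcp</ipaddr></wan>
  <opt1><if>fxp1</if><descr>WAN2</descr><ipaddr>64.17.88.222</ipaddr><subnet>24</subnet></opt1>
</interfaces>
<nat><rule><interface>opt1</interface><external-address>64.17.88.222</external-address>
  <protocol>tcp</protocol><external-port>80</external-port><target>MyPort</target>
  <local-port>80</local-port><descr>Donkey.com to IIS on MyPort</descr></rule></nat>
<filter>
  <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
    <destination><address>192.168.0.0/24</address></destination></rule>
  <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
    <destination><any/></destination><gateway>LoadBalance</gateway></rule>
</filter>
<aliases><alias><name>MyPort</name><address>192.168.0.61/32</address><type>network</type></alias></aliases>
</pfsense>"""

# The same config with the fixes applied: host alias, GUI moved to https on :83, and a
# no-gateway pass rule for the opt1 network inserted ahead of the policy-routed catch-all.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("<type>network</type>", "<type>host</type>")
    .replace("<protocol>http</protocol><port></port>", "<protocol>https</protocol><port>83</port>")
    .replace("<destination><any/></destination>",
             "<destination><network>opt1</network></destination></rule>\n  <rule><type>pass</type>"
             "<interface>lan</interface><source><network>lan</network></source>\n"
             "    <destination><any/></destination>"))

def webgui_port(root):
    # <port> if set, otherwise the protocol default: 80 for http, 443 for https.
    gui = root.find("system/webgui")
    port = (gui.findtext("port") or "").strip()
    return int(port) if port.isdigit() else (443 if gui.findtext("protocol") == "https" else 80)

def local_networks(root):
    # Statically addressed interfaces -> their IPv4 network, keyed by interface name.
    nets = {}
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr") or "", iface.findtext("subnet") or ""
        if ip and ip != "dhcp" and bits:
            nets[iface.tag] = ipaddress.ip_interface(f"{ip}/{bits}").network
    return nets

def check_port_forwards(root):
    # A port forward needs a single-host target and must not sit on the GUI's own port.
    findings, gui_port = [], webgui_port(root)
    aliases = {a.findtext("name"): a for a in root.findall("aliases/alias")}
    for rule in root.findall("nat/rule"):
        descr, target = rule.findtext("descr") or "(no descr)", rule.findtext("target") or ""
        alias = aliases.get(target)
        if alias is not None and alias.findtext("type") != "host":
            findings.append(f"nat '{descr}': target alias {target!r} is type "
                            f"{alias.findtext('type')!r}; use a host alias or a bare IP")
        if rule.findtext("external-port") == str(gui_port):
            findings.append(f"nat '{descr}': external port {gui_port} is the webConfigurator port; "
                            "requests the redirect does not catch (e.g. from the LAN) land on the GUI")
    return findings

def check_policy_routing(root):
    # A rule that sets a gateway must be preceded, on its interface, by no-gateway pass
    # rules covering every local network, or traffic for those networks is pushed out a WAN.
    findings, nets, rules = [], local_networks(root), root.findall("filter/rule")
    for i, rule in enumerate(rules):
        if not rule.findtext("gateway"):
            continue
        covered = set()
        for earlier in rules[:i]:
            if (earlier.findtext("interface") != rule.findtext("interface")
                    or earlier.findtext("type") != "pass" or earlier.findtext("gateway")):
                continue
            dst = earlier.find("destination")
            if dst is None:
                continue
            if dst.find("any") is not None:
                covered.update(nets)
            if dst.findtext("network") in nets:
                covered.add(dst.findtext("network"))
            try:
                dst_net = ipaddress.ip_network(dst.findtext("address") or "", strict=False)
            except ValueError:
                continue   # destination is an alias name or has no CIDR address
            covered.update(n for n, net in nets.items() if dst_net.supernet_of(net))
        for name in sorted(set(nets) - covered):
            findings.append(f"filter rule {i} on {rule.findtext('interface')} sets gateway "
                            f"{rule.findtext('gateway')!r} with no earlier pass rule for {name} ({nets[name]})")
    return findings

def lint(config_xml):
    # Returns the list of findings for one config; an empty list means nothing to fix.
    root = ET.fromstring(config_xml)
    findings = ["webgui: protocol is http, admin logins cross the wire in clear; use https"] \
        if root.findtext("system/webgui/protocol") == "http" else []
    return findings + check_port_forwards(root) + check_policy_routing(root)
```

Running `lint(SAMPLE_CONFIG)` returns four findings (http GUI, network-type alias as forward target, forward on the GUI port, and no pass rule for the opt1 network ahead of the LoadBalance rule); `lint(FIXED_CONFIG)` returns none. To run it against a real box, feed it the contents of `/cf/conf/config.xml` instead of the constructed sample; the checks only look at the elements named above and ignore the rest.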
              © 2021 Rubicon Communications, LLC | Privacy Policy