Port forward won't forward gateway's packets
-
I have the WAN connection connected to an internet gateway using my WAN subnet. I've also connected a workstation to the internet gateway using a LAN subnet and the gateway as a router. Everything works properly, except for NAT port forwarding. 1:1 NAT mappings work correctly. However, when PFsense receives traffic from the gateway (coming from the gateway's WAN IP) which should match a port forward rule, it drops it. Traffic coming from other IPs on the same interface does get forwarded. Is there any way to fix this?
-
Can you be more specific?
-
I'm not sure how. Traffic coming in on a WAN interface will get forwarded by port forwarding rules unless it is coming from the same IP configured as the interface's gateway. 1:1 NAT mappings work in this situation, though.
-
A diagram and maybe interface listing, rules, etc…
-
WAN2 IP: xxx.xxx.xxx.225/29
WAN2 gateway: xxx.xxx.xxx.230

NAT port forward:
xxx.xxx.xxx.226 -> 192.168.0.1 1194/UDP

1:1 NAT mapping:
xxx.xxx.xxx.228 -> 192.168.0.11

Connection attempts on WAN2:
xxx.xxx.xxx.230 -> xxx.xxx.xxx.226 = dropped
anything else -> xxx.xxx.xxx.226 = forwarded
xxx.xxx.xxx.230 -> xxx.xxx.xxx.228 = forwarded
anything else -> xxx.xxx.xxx.228 = forwarded
-
Is it showing as blocked in the firewall logs?
-
Sorry, I just remembered that the domain for my mail server (the only server that uses a 1:1 NAT rule) resolves to an IP belonging to my WAN interface, not WAN2. There is a 1:1 NAT mapping for each interface. The reason it works is not because it is a 1:1 NAT rule, but because it is connecting to a WAN IP on the WAN2 interface. If I try the 1:1 NAT server's WAN2 IP, I cannot connect. If I connect to a port forwarded server on its WAN IP, it does work.
The traffic does not show up in the firewall log. The firewall rules specify a LAN address for the destination, so the NAT rules still work when traffic destined for a WAN IP is received on the WAN2 interface, but not when it is destined for a WAN2 IP and the source is WAN2's gateway (or perhaps any IP in the subnet).
I think this may not be a PFsense issue, but the xxx.xxx.xxx.230 gateway perhaps not routing traffic back to pfsense. I will see if I can determine that.
-
OK, I figured it out. I thought the traffic was being routed by the gateway, so the source IP was the gateway IP, since the mail server said traffic was coming from that IP. Since that traffic was actually going to a WAN IP (not WAN2), it was coming from the gateway because it was getting routed across the net between our 2 ISPs. For traffic actually going to a WAN2 IP, it was getting sent to PFSense from the system's LAN IP, which was being filtered since LAN IPs shouldn't be received on a WAN interface. If I allow the gateway's subnet in WAN2's firewall rules, then it works.
Sorry for the confusion and for bothering you with a problem unrelated to PFsense. I should've realized this earlier.
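An added Python model (not code from the thread or from pfSense) of the interplay the last post describes: a NAT match alone is not enough, because a packet that reaches WAN2 with a private source address is dropped unless an explicit pass rule covers that one subnet. The public addresses stand in for the redacted xxx.xxx.xxx.* block, the gateway's LAN subnet 10.10.10.0/24 is constructed, and the evaluation order is this model's assumption, not pfSense's exact rule order.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 ranges: the "LAN IPs that shouldn't be received on a WAN interface".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-ins (TEST-NET-3) for the thread's redacted WAN2 block.
PORT_FORWARDS = {("203.0.113.226", 1194, "udp"): "192.168.0.1"}   # WAN2 IP -> internal VPN host
ONE_TO_ONE = {"203.0.113.228": "192.168.0.11"}                     # 1:1 NAT mapping


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str


def evaluate_wan2(pkt, allowed_src_nets=()):
    """Return ('pass', internal_target) or ('drop', reason) for a packet arriving on WAN2.

    Model order (an assumption, not pfSense's generated ruleset): NAT rewrites the
    destination first; an explicit pass rule for a listed source subnet is honoured next;
    any remaining private-source packet is dropped; everything else that matched NAT passes.
    """
    src = ipaddress.ip_address(pkt.src)
    target = PORT_FORWARDS.get((pkt.dst, pkt.dport, pkt.proto)) or ONE_TO_ONE.get(pkt.dst)
    if target is None:
        return ("drop", "no NAT rule for destination")
    # Only the subnets explicitly allowed on WAN2 may carry a private source address.
    if any(src in ipaddress.ip_network(n) for n in allowed_src_nets):
        return ("pass", target)
    if any(src in net for net in PRIVATE_NETS):
        return ("drop", "private source address on WAN2")
    return ("pass", target)


if __name__ == "__main__":
    gw_lan = ["10.10.10.0/24"]   # constructed: the internet gateway's LAN subnet
    vpn = Packet("10.10.10.20", "203.0.113.226", 1194, "udp")
    print(evaluate_wan2(vpn))            # dropped: arrives with a private source
    print(evaluate_wan2(vpn, gw_lan))    # passes once that one subnet is allowed
```

Keeping the allow list to the gateway's own subnet means other private sources arriving on WAN2 are still dropped, which is the narrow fix the thread lands on rather than a blanket exception.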