Port Forwarding with Virtual IPs and multiple external static IPs



  • I'm trying to setup a basic port forward but I'm having some issues.  Here is our setup:

    We have 5 external static IPs.  Right now, I'm just trying to do some testing with only one of them:

    160.173.63.140
    

    Traffic to this IP goes directly into our pfSense firewall.

    I want to setup a port forward for port 22, so when someone accesses:

    160.173.63.140:22, it forwards to 192.168.10.2:22
    

    The first thing I did was add 160.173.63.140 as a Virtual IP (the pfSense WAN address is 10.1.20.2).  It's set as Proxy ARP, WAN Interface, Single Address.

    Next I went to Firewall > NAT > Port Forwarding and added the following:

    Interface: WAN
    External Address: 160.173.63.140 () (my virtual IP)
    Proto: TCP
    Ext Port Range: 22 (SSH)
    NAT IP:  192.168.10.2
    Local Port: 22 (SSH)
    
    

    I had it automatically create the proper firewall rule:

    WAN
    Proto: TCP
    Source: *
    Port: *
    Destination: 192.168.10.2
    Port: 22 (SSH)
    Gateway: *
    Schedule: 
    

    Now when I'm on an external network and I attempt to SSH to 160.173.63.140:22, the pfSense Firewall Log says that its blocking it, it says this:

    If: WAN
    Source: 166.205.12.204:19898 (this is just my iphone's IP address on AT&T I guess)
    Destination: 10.1.10.2:22
    Proto: TCP:S
    

    So I can see that it's obviously blocking the request, but I'm not sure why.  Why does it think that the destination is the WAN interface address (10.1.20.2)?  I thought the port forwarding rules would make the destination 192.168.10.2…..

    If anyone could give me some advice or direction on this I'd appreciate it!

    I can post screenshots if necessary!



  • If you go to the WAN config page: Do you have the "Block private networks" checkbox active?



  • Yes I did, and I assume that was blocking something because of the 10/8 address space.

    However, I unchecked this now, but I'm still getting the same result in the firewall log.

    If: WAN
    Source: 166.205.12.204:43936
    Destination: 10.1.10.2:22
    Proto: TCP:S
    

    Any thoughts?  Thanks for the reply, btw.



  • If you click on the red x on the left side, a window will appear telling you which rule blocked the connection.
    Which one was that?



  • It's blocked by the "Default Deny Rule"



  • FYI, I added in a rule on the WAN to accept ICMP ping requests, so when I ping the external address from outside the network, it responds properly and I see the packet show up in the Firewall log for the ping.

    So this tells me that there is no routing issue with my modem or anything like that.  Traffic to that external address is in fact going straight to my pfSense box.  It's just this port forwarding stuff that isn't working.



  • Just for kicks, I added a new WAN rule (and removed my port forwarding stuff):

    TCP
    Source: any
    Port: 22
    Dest: WAN address
    Port: 22
    

    So this rule SHOULD allow me to SSH directly to my pfSense box from outside our network.  Right?  Sounds straightforward.

    When I attempt to SSH to port 22 of our external static IP, it gets blocked.  And the pfSense firewall log shows the following entries being blocked:

    Interface: WAN
    Source: <my external="" ip="">
    Destination: 10.1.10.2:22 (this is my WAN interface address)
    Proto: TCP:S
    
    They are all being blocked by the "Default Deny Rule".</my>
    

    So what is going on here?  What in the heck is taking precedence over my rules and is STILL blocking access here?  Is pfSense just totally broken or what is going on?

    Here is my raw log entry for this:

    pf: 7\. 845149 rule 62/0(match): block in on em0: (tos 0x20, ttl 49, id 1423, offset 0, flags [DF], proto TCP (6), length 48) 166.205.14.221.43356 > 10.1.10.2.22: S, cksum 0x65d4 (correct), 2638483020:2638483020(0) win 65535 
    


  • Ssh connections are not sourced from port 22 but from a random port in range 1024-65535, change the source port to "any" in your rule
    (this also applies to about any other protocol out there).



  • Okay ya that makes sense.  But what about the port forwarding?  I can't leave the external port range as 'any'.

    This is all I'm trying to setup:

    160.173.63.140:22 > Modem > pfSense > 192.168.10.2:22



  • Is the modem forwarding the ports to pfSense's wan ip? Your setup could be lot easier if you could eliminate NAT on the modem and set it up in bridging mode and have public IP directly at pfSense's WAN interface.



  • @kpa:

    Is the modem forwarding the ports to pfSense's wan ip? Your setup could be lot easier if you could eliminate NAT on the modem and set it up in bridging mode and have public IP directly at pfSense's WAN interface.

    We have multiple external static IPs.  So NAT is necessary at the modem at this point.  However I'm only trying to deal with one IP at this point in time while I test pfSense.

    I simply have the modem setup to point the external IP mentioned above to goto my pfSense box.  And I can confirm that this does work, as I opened up port 22 on the WAN interface. I was able to successfully SSH into the pfSense box from outside the network buy accessing that external IP address, port 22.  So in summary, I'm quite sure that the modem is NOT part of the issue here…

    Are there particular screenshots or something I could post to help you understand my pfSense settings?


  • Rebel Alliance Developer Netgate

    Having multiple static IPs does not mean you must do NAT on your modem. In fact it makes it harder.

    Usually the source address on such a rule would be 'any' or an IP range. The source address will not be your external IP or your modem, but whatever IP is used by the remote client.



  • I agree, however the reason I have a basic NAT setup on the modem is because we are running multiple firewalls at the moment.

    See, I am testing pfSense with the ultimate goal or replacing our current firewall.  Therefore, I have to have both of the firewalls hooked up to the modem at the same time, so that the company can continue to function, while I am testing the pfSense box.  So NATing one of our static addresses at the modem to point to the pfSense box, and letting the rest of the addresses goto the current firewall is a necessity at this point.

    What do I need to post in order for you guys to see the problem with my pfSense setup.  I feel like this is the last big hurtle I need to get past before I can really move forward with the intent of using pfSense as a full time solution….  Help please.


  • Rebel Alliance Developer Netgate

    Are the PCs you have behind pfSense actually using it as their gateway? That would be another reason things would not work properly.

    Your description of the setup keeps getting messier. There are way too many things to go wrong there. Asymmetric routing, misconfigured nat/firewall rules, etc, etc. We'd need screencaps of the VIP config, NAT config, Firewall rules, firewall logs, etc. Not copy/paste or retyped, actual screencaps, and more info on how the LAN and clients are configured.



  • Okay I'll get those screenshots put together in a few.

    Yes, for testing purposes I only have 2 machines setup to use pfSense as their gateway.



  • Okay here come the screenshots

    My Interfaces
    10.1.10.1 is the IP address of our Comcast Business Class Cable Modem.

    XXX.XXX.63.140 is one of our external static IP addresses that Comcast has assigned to us.  On the cable modem, I have a simple 1-to-1 NAT setup to forward all XXX.XXX.63.140 traffic –> 10.1.10.2 (the IP address of the WAN interface on the pfSense machine)

    This is the only Virtual IP I have setup in pfSense.

    Here in this log, you can see the entries from me on my iPhone trying to SSH into XXX.XXX.63.140 port 22.  You can also see the rule that is blocking it.

    192.168.10.2 does have SSH enabled and the firewall isn't block it, etc etc.  I can SSH into it from within the network no problem.  I can even SSH to it from the pfSense box.  So an SSH connection from pfSense -> 192.168.10.2 works.  It's just pfSense that is blocking it.

    Here's a basic network setup around the firewall



  • your comcast router will handout 10.1.10.x address if you connect a DHCP client to it but it can also handle static IPs at the same time.

    However, for your setup you should really set your firewalls WAN to use your static public IPs and let the firewalls do your NATing.

    Roy…



  • I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.

    Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range - depending of course on if your comcast cable modem / router / firewall / whatever thing 'does weird stuff.'  Which it may.

    Technically- (barring any 'weird stuff') if you want to experiment with "Multiple WAN IPs" - as your pfSense box's "WAN IP" space is 10.1.10.x, your WAN IPs would need to be in that range, and you'd need to make your comcast router NAT those IPs to that range.

    Another option is to bridge your pfSense box into the WAN space - not sure if that's possible with your current comcast device - or its configuration.



  • Under your NAT port forward - set that for "Interface Address" and not the (probably broken) Virtual IP you created.



  • Okay I'm confused.  You guys are saying that I don't need to use Virtual IPs?

    Ultimately, my goal is to get rid of the old firewall.  That way, all of our external static IPs (XXX.XXX.63.137-XXX.XXX.63.141) all pass through the pfSense box.  Aren't virtual IPs going to be required for the pfSense box to distinguish between the traffic?  We do NOT want traffic to all of those static IPs to be treated the same.  We need the traffic to be routed/nat'ed to different internal servers depending on what IP is being accessed…...

    So why are people telling me not to use Virtual IPs?



  • @rpsmith:

    your comcast router will handout 10.1.10.x address if you connect a DHCP client to it but it can also handle static IPs at the same time.

    However, for your setup you should really set your firewalls WAN to use your static public IPs and let the firewalls do your NATing.

    Roy…

    1. DHCP is disabled on the modem.

    2. How do I set my firewall WAN to use multiple public static IPs without using Virtual IPs?



  • @overand:

    I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.

    Again, I'm planning on removing the existing firewall and using only pfSense.  Ultimately 5 static IPs are going to be directed to the pfSense box.  Are Virtual IPs required for that kind of setup in order for pfSense to distinguish between the traffic so it can properly route/NAT traffic to the proper internal servers?

    @overand:

    Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range…

    According to the wiki:

    Proxy ARP
    -Can not be used by the firewall itself but can be forwarded
    -Generates Layer2 traffic for the VIP
    -The VIP can be in a different subnet than the real interface's IP
    -Will not respond to ICMP ping.

    Am I reading this wrong?  Is there a different VIP type I should be using?  Sorry I'm new to the VIP thing.  Is the problem, that the Proxy ARP Can not be used by the firewall itself?



  • Got this solved, thanks to jimp.

    My problem was that I was NATing on my modem like this:

    XXX.XXX.63.140 > 10.1.10.2
    

    instead of

    XXX.XXX.63.140 > my virtual IP
    


  • Sorry - I misspoke - you may need virtual IPs, if you're doing the equivalent of "1:1 NAT" on your modemrouter - and have multiple virtual IPs in that same private address space on your pfSense box WAN.


Locked