NAT reflection problem?
-
So my 2.0 firewall was having HW issues - replaced it with a Dell box. I did an install with a 2.0 snapshot from yesterday. Restored my existing config. Everything worked fine, except… NAT reflection is not working. I have split DNS for most cases, but unfortunately, my wife's company's VPN hijacks all traffic, including local traffic, and sends it out the VPN, so she needs reflection to be able to read her mail on our server. I have eliminated anything extraneous by trying "telnet MYWANIP 80" from a server on the LAN. Nothing (i.e. it hangs.) I have run 'tcpdump -i LANNIC | grep WANIP' on the pfSense and I see the SYN segments coming in the LAN interface, but nothing going back. I also ran a packet trace to see if I could see the nc process inetd spawns connecting back. Nada. I know the inetd stuff works, since doing "telnet localhost 19002" on the pfSense fires up a connection back to the web server on the LAN. I have checked, double-checked and triple-checked the NAT rules and all looks okay. It's almost like the rdr to localhost is not working. Any ideas what I can check/try?
-
Check /tmp/rules.debug to see if it is installing the rdr to localhost on a 19xxx port.
-
rdr on { em0 openvpn } proto tcp from any to WANIP port 80 tag PFREFLECT -> 127.0.0.1 port 19002
This looks correct to me?
-
Does it literally say WANIP like that, or does it actually have an address and you just typed that in? Also, does it match up with the right port in inetd.conf? (located in /var/etc/, IIRC)
-
That was a sanitized address :) Yes, everything matches up.
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 80
-
This turns out to be less urgent than I thought. My wife incorrectly told me it was sending everything out their VPN - in fact the whole issue is they are putting their DNS server in, so it bypasses the split-DNS setup. I hard-coded her webmail URL with the IP address and she is okay. I'd like to know why this happens though…
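The check suggested in the thread (does each PFREFLECT rdr in /tmp/rules.debug land on a 19xxx port that inetd.conf actually has an nc proxy for?) can be scripted. This is an added example, not code from the thread or from pfSense; the sample rule and inetd lines are constructed, with the 19002 entry mirroring the thread and the 19003 entry invented to show what a dangling rdr looks like.

```python
import re

# Constructed sample of the rdr lines pfSense writes to /tmp/rules.debug.
# 203.0.113.10 stands in for the sanitized WANIP; 19003 is a deliberate mismatch.
RULES_DEBUG = """\
rdr on { em0 openvpn } proto tcp from any to 203.0.113.10 port 80 tag PFREFLECT -> 127.0.0.1 port 19002
rdr on { em0 openvpn } proto tcp from any to 203.0.113.10 port 443 tag PFREFLECT -> 127.0.0.1 port 19003
"""

# Constructed sample of the matching inetd.conf (pfSense keeps it under /var/etc/).
INETD_CONF = """\
19002 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 10.0.0.1 80
"""

# pf rdr: "... to WAN port WPORT tag PFREFLECT -> 127.0.0.1 port LPORT"
RDR_RE = re.compile(
    r"^rdr\s+on\s+.*?\bto\s+(?P<wan>\S+)\s+port\s+(?P<wport>\d+)\s+tag\s+PFREFLECT"
    r"\s+->\s+127\.0\.0\.1\s+port\s+(?P<lport>\d+)"
)

def parse_rdr(text):
    """Map localhost port -> (WAN address, WAN port) for each reflection rdr."""
    out = {}
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            out[int(m["lport"])] = (m["wan"], int(m["wport"]))
    return out

def parse_inetd(text):
    """Map listening port -> (internal host, internal port) for each nc proxy line."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        # fields: port type proto wait user program args...; nc's last two args are the target
        if len(f) >= 8 and f[0].isdigit() and f[2] == "tcp" and f[5].endswith("nc"):
            out[int(f[0])] = (f[-2], int(f[-1]))
    return out

def check_reflection(rules_text, inetd_text):
    """Return (working paths, problems); every rdr needs a listener and vice versa."""
    rdrs, listeners = parse_rdr(rules_text), parse_inetd(inetd_text)
    ok, problems = [], []
    for lport, (wan, wport) in sorted(rdrs.items()):
        if lport in listeners:
            host, port = listeners[lport]
            ok.append(f"{wan}:{wport} -> 127.0.0.1:{lport} -> {host}:{port}")
        else:
            problems.append(f"rdr to 127.0.0.1:{lport} ({wan}:{wport}) has no inetd listener")
    for lport in sorted(set(listeners) - set(rdrs)):
        problems.append(f"inetd listener on {lport} has no matching rdr")
    return ok, problems

if __name__ == "__main__":
    good, bad = check_reflection(RULES_DEBUG, INETD_CONF)
    print("\n".join(good + bad))
```

On a real box, feed it the contents of /tmp/rules.debug and /var/etc/inetd.conf instead of the constructed strings; an rdr with no listener explains a hanging connect, while a consistent mapping points the search back at pf itself.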