NAT with pfSense 2.0-BETA4
-
Hi to all,
I am using one of the latest v2.0-BETA4 builds of pfSense.
On my network I have 1 WAN (192.168…) and 1 LAN in the same range (this side works correctly). Yesterday I added a new port as OPT1 with range 10.0.0.0/8 and enabled the DHCP server. I made 2 rules:
one for blocking access from OPT1 to LAN and one to permit OPT1 to go to the internet (my servers can go out now with their IP 10.0.0.x).
For now I am trying to make a NAT to redirect ports 30001 and 40000 to OPT1 but it does not work ???
Can anyone help me, and sorry for my English (I also read the pfSense book but without success).
-
You have a broadband modem between pfSense and the internet and need to configure port forwards on the modem?
Have you done a packet capture on the pfSense WAN port to confirm it really is seeing the connections to ports 30001 and 40000?
-
Hi,
On my modem, my pfSense box is in the DMZ at 192.168.1.13.
I also forward ports 30001 and 40000. In pfSense I sometimes see an incoming connection on WAN from 142.x.x.x.x on port 30001 (which should be nice),
but what must I do to forward any incoming connection on ports 30001 and 40000 to my server on OPT1 (IP: 10.0.0.x)?
-
The port forwards on your modem need to specify the IP address you want the packets to go to. This could be the pfSense WAN IP address if you configure pfSense to then port forward to your OPT1 subnet. Alternatively, the modem/router could port forward to the OPT1 IP address, but you also need a static route on the modem/router to say that the gateway for the OPT1 subnet (10.0.0.0/24?) is the pfSense WAN interface IP address (??). In this second case, if the modem/router doesn't have the static route it won't know where to forward the packets so they can get to the OPT1 system.
What is the destination address in the port 30001 packets you saw? Where did that address come from?
-
To summarize:
Livebox v2
|
| 192.168.1.13 pfSense
–-------DMZ---------------box ---------------WAN (192.168.1.13)
|--- LAN (192.168.2.1)/24
|---- OPT1 (10.0.0.254)/8
Ports 30001 and 40000 are forwarded in my Livebox to the WAN IP (192.168.1.13) (but I think it is not necessary because pfSense is in the DMZ).
I want to forward incoming connections from the internet on ports 30001 and 40000 on the WAN IP (pfSense) to my OPT1 address: 10.0.0.254
"to then port forward to your OPT1 subnet"
I tried to do this but it seems not to work (probably I made a mistake).
Firewall: NAT: Port Forward
WAN UDP * 30001 WAN address 30001 10.0.0.254 30001
WAN UDP * 40000 WAN address 40000 10.0.0.254 40000
Firewall: Rules (WAN)
UDP * 30001 10.0.0.254 30001 * none NAT
UDP * 40000 10.0.0.254 40000 * none NAT
-
Are firewall rules applied BEFORE port forwarding or AFTER?
Your configuration appears to assume firewall rules apply AFTER port forwarding. I suggest you check the firewall logs. Maybe firewall rules apply before port forwarding.
-
It's a linked rule on the NAT side; pfSense creates the WAN rules by itself.
-
Any other ideas?
I made a tcpdump and the UDP packet from the internet seems
to go correctly to my OPT1 interface but I still can't connect.
-
I have the same issue. I am NATing an RDP port through (port 3389).
When I log a 'pass' firewall rule it shows a success however the connection is not made. It is almost like the routing of the reply packets is not working properly.
My outbound firewall rules are allowing everything currently so I think that the firewall is not the issue.
- Lloyd
-
My outbound firewall rules are allowing everything currently so I think that the firewall is not the issue.
- Lloyd
It's very strange: if I put my server on my modem and put the same rules in its firewall as above, the connection is possible.
The problem for sure comes from the pfSense box, but where, that is the question. With the pfSense box, I made a tcpdump on my WAN and server network cards.
When I initiate a connection, I see the outgoing packet on UDP 30001 :)
The reply from the internet also comes in on UDP 30001 and goes to my server IP but the connection is not possible ??? ???
I don't want to switch to monowall or similar firewalls. I have been trying to resolve this problem for 3 weeks and finally decided
to ask for help on this forum. I am sure a lot of "super" users of pfSense could resolve our problem.
Regards
Touf
-
I can confirm something is not right about multi-WAN NAT.
opt1.modem.ip=192.168.202.1 [modem DMZ set to 192.168.202.254]
opt1.interface.ip=192.168.202.254
I set up this NAT rule: OPT1 TCP/UDP * * OPT1 address 26001 192.168.0.11 26001
uTorrent is on 26001.
Went to http://www.yougetsignal.com/tools/open-ports/ to do a port test. Says the port is closed.
Hooked up a test PC and attached the modem directly to the PC. Loaded up uTorrent. Did the port test. Says the port is open.
-
I'm seeing the same thing on releases since late October. NAT is working fine on my default gateway, but not on any of the OPT interfaces. So multi-WAN NAT seems a bit busted at present.
-
This was fixed yesterday. Try today's snapshot.
-
Hey there,
I'm running :
2.0-BETA4 (i386)
built on Wed Nov 3 02:54:06 EDT 2010
FreeBSD 8.1-RELEASE-p1
… and can confirm that my NAT issues related to this issue appear to have been resolved.
Also, the rule I have on each WAN interface allowing SSH access on a non-standard port (not NAT - just a straight forward PASS rule) is also now working.
-- Phob
-
2.0-BETA4 (i386)
built on Wed Nov 3 02:54:06 EDT 2010
FreeBSD 8.1-RELEASE-p1
Updated to the above. Same problem. Fine on WAN1, not OPT1, with the same NAT/firewall rules.
How can I diagnose this?

[2.0-BETA4][root@rixgate.rix]/root(8): tcpdump -i em0 tcp port 26066
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:23.778426 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, options [mss 1460,sackOK,TS val 409248447 ecr 0,nop,wscale 7], length 0
09:33:23.778528 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097064 ecr 409248447], length 0
09:33:24.453092 IP 192.168.0.11.26066 > www.no-ip.com.40318: Flags [R], seq 208309969, win 0, length 0
09:33:26.776633 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, options [mss 1460,sackOK,TS val 409251447 ecr 0,nop,wscale 7], length 0
09:33:26.779519 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097364 ecr 409248447], length 0
09:33:32.780504 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, options [mss 1460,sackOK,TS val 52097964 ecr 409248447], length 0
^C
6 packets captured
1634 packets received by filter
0 packets dropped by kernel
[2.0-BETA4][root@rixgate.rix]/root(9): tcpdump -i nfe1 tcp port 26066
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on nfe1, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:49.843386 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, options [mss 1460,sackOK,TS val 409274479 ecr 0,nop,wscale 7], length 0
09:33:52.895297 IP www.no-ip.com.40576 > 192.168.202.254.26066: Flags [S], seq 1422382543, win 5840, options [mss 1460,sackOK,TS val 409277479 ecr 0,nop,wscale 7], length 0
^C
2 packets captured
1554 packets received by filter
0 packets dropped by kernel
[2.0-BETA4][root@rixgate.rix]/root(10):

em0 = lan
nfe1 = opt1

So... the server received and responded, but the response never arrived on opt1. Why? What have I missed?

[code]
Port forward rule: OPT1 TCP * * OPT1 address 26066 192.168.0.11 26066
Outbound rule: OPT1 192.168.0.0/24 * * * * * YES
LAN to OPT1 FW rule: TCP * * 192.168.0.11 26066 * none
[/code]
-
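The two captures in the post above were taken one after the other (the client ports differ, 40436 on em0 and 40576 on nfe1, and the timestamps are 26 seconds apart), so they cannot be compared flow by flow; to see whether a reply left the box, tcpdump has to run on both interfaces at the same time. The script below is an added example written for this page (not code from the thread or from the pfSense project) that reads tcpdump's one-line summaries from an inside and an outside interface and reports, per remote client, which piece of the TCP handshake went missing where. The sample lines are constructed from the post's capture, with the client port made identical on both sides as simultaneous captures would show it; the interface names em0 and nfe1 follow the post, and the stray RST to port 40318 is kept to show that packets without a captured SYN are reported as inconclusive rather than as a fault.

```python
import re
from collections import defaultdict

# One tcpdump summary line per TCP packet, as printed by
# "tcpdump -n -i <iface> tcp port <port>" (resolved hostnames are handled too).
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): '
    r'Flags \[(?P<flags>[^\]]*)\]'
)


def split_hostport(endpoint):
    """'192.168.0.11.26066' or 'www.no-ip.com.40436' -> (host, port)."""
    host, _, port = endpoint.rpartition('.')
    return host, int(port)


def parse(text):
    """Keep only packet lines; the banner and 'N packets captured' lines are dropped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_hostport(m['src'])
        dst, dport = split_hostport(m['dst'])
        pkts.append({'src': src, 'sport': sport, 'dst': dst,
                     'dport': dport, 'flags': m['flags']})
    return pkts


def flow_table(pkts, service_port):
    """Group packets by remote client (host, port) and count the handshake pieces.
    The server is whichever endpoint carries service_port, so the table is the same
    whether the capture shows the pre-NAT (outside) or post-NAT (inside) server address."""
    flows = defaultdict(lambda: {'syn': 0, 'synack': 0, 'rst': 0, 'other': 0})
    for p in pkts:
        if p['dport'] == service_port:            # client -> server
            client, inbound = (p['src'], p['sport']), True
        elif p['sport'] == service_port:          # server -> client
            client, inbound = (p['dst'], p['dport']), False
        else:
            continue
        f = flows[client]
        if inbound and p['flags'] == 'S':
            f['syn'] += 1
        elif not inbound and p['flags'] == 'S.':  # SYN+ACK
            f['synack'] += 1
        elif 'R' in p['flags']:
            f['rst'] += 1
        else:
            f['other'] += 1
    return flows


def verdict(inside, outside):
    """inside/outside: the per-client counters from each interface (None if never seen)."""
    if inside is None and outside is None:
        return 'nothing seen'
    if outside and outside['synack']:
        return 'ok: SYN-ACK went back out the outside interface'
    if outside and outside['syn'] and inside is None:
        return 'SYN reached the outside interface but never appeared inside: port forward not applied'
    if inside and inside['synack'] and outside and outside['syn']:
        return ('asymmetric return: the server answered on the inside interface '
                'but its SYN-ACK never left the outside interface')
    if inside and inside['syn'] and not inside['synack']:
        return 'server received the SYN but did not answer: host firewall or service not listening'
    if outside is None and inside and (inside['syn'] or inside['synack']):
        return 'seen on the inside only: captures not simultaneous, or client arrived via another interface'
    return 'inconclusive: only resets or non-handshake packets'


def diagnose(captures, service_port, inside, outside):
    """captures: {iface: tcpdump text}. Returns {(client_host, client_port): verdict}."""
    tables = {name: flow_table(parse(text), service_port)
              for name, text in captures.items()}
    clients = set(tables[inside]) | set(tables[outside])
    return {c: verdict(tables[inside].get(c), tables[outside].get(c))
            for c in sorted(clients)}


# Constructed sample modelled on the thread's capture (em0 = LAN, nfe1 = OPT1),
# with the client port made the same on both sides as simultaneous captures would show.
SAMPLE_CAPTURES = {
    'em0': """\
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:23.778426 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, length 0
09:33:23.778528 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, length 0
09:33:24.453092 IP 192.168.0.11.26066 > www.no-ip.com.40318: Flags [R], seq 208309969, win 0, length 0
09:33:26.776633 IP www.no-ip.com.40436 > 192.168.0.11.26066: Flags [S], seq 1401554251, win 5840, length 0
09:33:26.779519 IP 192.168.0.11.26066 > www.no-ip.com.40436: Flags [S.], seq 573006331, ack 1401554252, win 8192, length 0
5 packets captured
""",
    'nfe1': """\
listening on nfe1, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:23.778301 IP www.no-ip.com.40436 > 192.168.202.254.26066: Flags [S], seq 1401554251, win 5840, length 0
09:33:26.776512 IP www.no-ip.com.40436 > 192.168.202.254.26066: Flags [S], seq 1401554251, win 5840, length 0
2 packets captured
""",
}

if __name__ == '__main__':
    for (host, port), v in diagnose(SAMPLE_CAPTURES, 26066, inside='em0', outside='nfe1').items():
        print(f'{host}:{port} -> {v}')
```

An "asymmetric return" verdict means pfSense received the SYN-ACK from the server and sent it somewhere other than back out nfe1, most likely towards the default gateway. On pfSense the return path for traffic that arrived on a non-default WAN is pinned by the reply-to keyword that the generated pf rule carries, so the next things to look at are `pfctl -vvsr` (does the pass rule for port 26066 carry reply-to with the nfe1 gateway?) and `pfctl -ss` (which interface and direction does the state for that connection show?). The thread does not say what the fixed snapshot changed, so treat this as the check to run, not as the confirmed cause.
-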
Working for me too. Thanks a lot Scott!
-
I'm having an issue with NAT, not sure if it is the same one as the people here. I am running the latest snapshot:
2.0-BETA4 (i386)
built on Thu Nov 4 01:22:43 EDT 2010
FreeBSD 8.1-RELEASE-p1
I've got one WAN interface and 3 LAN interfaces. I set up two NAT rules with Pass as the option: one for SIP (UDP 5060) and one for RTP (UDP 10000-20000). One issue is that when I do a packet capture on my WAN interface, I can see RTP packets in the range 10000-20000 come in, but when I do another capture on the LAN interface, I don't see them forwarded to my host. I am also having intermittent issues with the SIP port not always registering. I haven't dug too deep on this one, but I suspect that not all packets are getting forwarded to my host.
-
I don't fully get it... but it does sound similar to mine.
(public initiates) [modem] -> [opt1] -> [lan] all OK!
[lan] (packet received and responds fine) -> [opt1] (!! never receives the outgoing packet from lan) -> [modem]
-
Hi,
On my side, with 2.0-BETA4 (i386) built on Wed Nov 3 02:54:06 EDT 2010, I can connect now, but not every time.
Since this update it works better than the previous version but not every time ??? Always OK if I use only the modem without pfSense.
Tonight I installed monowall to check whether it works or not and made a few tests; now I can connect to my server.
Something is broken in pfSense. I tested NAT and port forwarding and it is not working on my side (with v1.23 and the latest v2). All works great with monowall if I put in the same rules.
I hope this problem will be resolved in future releases (I like pfSense).
Cheers