Port Forward or DNS Forward?
-
What I have:
- mydomain.com from godaddy
- DSL line with static IP from ISP (actually I have 3 that are load balanced)
- LAMP web server, 192.168.1.20
- Windows 2008 R2 DNS, 192.168.1.10
In my DNS, I have a domain, mywebsite.local with Host(A) pointed to 192.168.1.20.
I want this local website to be available on the internet through mydomain.com.
pfSense is between my DSL modem and local network.
What's the best way to do this?
-
That's pretty simple
1. Forward port 80/TCP from pfSense to your Windows server
2. If the DSL modem is actually a router, or it isn't in bridge mode, forward 80/TCP from the modem to the pfSense host
3. Create an A record for (say) example.com that has your static IP
-
On 1.2.3, I was able to do this successfully.
I'm on 2.0 November 7 right now and NAT Port Forwarding looks different.
There's:
Interface
Source Addr
Source Port
Destination Addr
Destination Port
NAT IP
NAT Port
I tried this one and it doesn't work:
Interface WAN
Source Addr *
Source Port 80
Destination Addr *
Destination Port 80
NAT IP 192.168.1.20
NAT Port 80
Then this creates an automatic Firewall Rule.
When I type in the DSL IP in a local PC, it still takes me to pfSense CP. When I try to access it from a web proxy, my request times out.
Am I doing this wrong?
-
Got the same issue with my Win7 setup... I can successfully connect to the IIS setup from the LAN (after setting up the DNS Forwarder 'tweak'); but anything external times out. RDP, FTP and remote admin all function as expected.
Just the external IIS access fails. ???
Anybody come up w/ some other hints/tricks to try out?
EDIT: Found the issue(s)
1) I thought I had turned off ALL the firewalls within Windows 7 (Domain, Private, Public), but missed one
a) I did turn it back on, enabled the rules (FTP, PASV mode, IIS) after step 2, and all still works!
2) Changing ports within IIS for the FTP site and restarting the sites through the IIS Admin does NOT restart the IIS FTP site. I had to do that through the Admin Tools\Services (Microsoft FTP) before the changes I THOUGHT were being made would stick.
Overall, the process for me (hosting on Windows 7):
1) Change the pfSense web port
2) Set up the rules for HTTP and/or FTP (and PASV if required).
a) Turn on RULES logging to show in the logs, made things MUCH easier to see what's what
3) Turn off Windows Firewall SERVICE
4) Tweak as needed
5) Turn on firewall, re-tweak
Hope this helps someone else... Now on to figuring out how to clean up my SNORT logging from showing all the BellSouth server 'hits' :)
-
On 1.2.3, I was able to do this successfully.
I'm on 2.0 November 7 right now and NAT Port Forwarding looks different.
There's:
Interface
Source Addr
Source Port
Destination Addr
Destination Port
NAT IP
NAT Port
I tried this one and it doesn't work:
Interface WAN
Source Addr *
Source Port 80
Destination Addr *
Destination Port 80
NAT IP 192.168.1.20
NAT Port 80
Am I doing this wrong?
Yep. Change the source port to any and the destination address to 'WAN address'.
-
Ok I did that, still nothing, requests are timing out.
BTW I forgot to mention, I'm Load Balancing. I have WAN, OPT1 and OPT2 all in Tier1. I'm trying to use WAN only for making my internal web server available over the internet. Does this have to do with anything related to what problem I'm experiencing?
-
My port forwards are working now :) Thanks
-
It's generally a nice thing to post what your solution was :)
-
Ok here was my solution, dreamslacker's method worked for me.
It was timing out before because the firewall rules got messed up. It was opened for another interface. Anyway, it was just carelessness on my part.
Interface OPT2
Source Addr *
Source Port *
Destination Addr OPT2 Address
Destination Port 80(HTTP)
NAT IP 192.168.1.10
NAT Port 80(HTTP)
Then choose "create associated firewall rule" so it will automatically create a firewall rule for you. Otherwise you can manually create it.
I also did this for OPT1 and WAN, so I have 3 internet IPs port forwarding 80 to the NAT IP.
My next step is to point my DNS Host(A) to these IP addresses, that should, in theory, leave me with redundant IP addresses for my website.
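-
Why the first rule in this thread timed out and the corrected one works, as an added example that is not part of the original thread and is not pfSense code. It is a simplified model of port-forward matching; the `PortForward`, `Packet` and `lint` names and all public addresses are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "*"
WAN_ADDR = "203.0.113.10"  # constructed placeholder for the static WAN IP

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:
    iface: str
    src: str
    sport: object  # int or ANY
    dst: str
    dport: object  # int or ANY
    nat_ip: str
    nat_port: int

    def translate(self, p):
        """Return (nat_ip, nat_port) if every field matches, else None."""
        hit = (self.iface == p.iface
               and self.src in (ANY, p.src)
               and self.sport in (ANY, p.sport)
               and self.dst in (ANY, p.dst)
               and self.dport in (ANY, p.dport))
        return (self.nat_ip, self.nat_port) if hit else None

def lint(rule):
    """Flag the two settings the reply in the thread says to change."""
    issues = []
    if rule.sport != ANY:
        issues.append("source port is fixed; browsers connect from ephemeral ports")
    if rule.dst == ANY:
        issues.append("destination is any; use the interface address")
    return issues

# The rule as first tried, and as corrected by the reply.
tried = PortForward("WAN", ANY, 80, ANY, 80, "192.168.1.20", 80)
fixed = PortForward("WAN", ANY, ANY, WAN_ADDR, 80, "192.168.1.20", 80)

# Constructed inbound requests: one arriving on WAN, one on another uplink.
browser = Packet("WAN", "198.51.100.7", 51514, WAN_ADDR, 80)
via_opt2 = Packet("OPT2", "198.51.100.7", 51515, "203.0.113.30", 80)

if __name__ == "__main__":
    for name, rule in (("tried", tried), ("fixed", fixed)):
        print(name, rule.translate(browser), rule.translate(via_opt2), lint(rule))
```

The request arriving on OPT2 matches neither rule, which is why each uplink in a multi-WAN setup needs its own port forward and associated firewall rule.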