Netgate Discussion Forum
    Port forwarding :: strange issue

    Category: NAT
    6 Posts, 2 Posters, 3.1k Views
    shamims

      Dear List Members

      I have a setup similar to the one below

      real IP                                       real IP
      x.y.10.0/24          -------------            x.y.20.0/24
          |----------------| x.y.10.100 |               |
          |                -------------                |
          | IP x.y.10.10/24                             | IP x.y.20.2/24
          | GW x.y.10.1                                 | GW x.y.20.1
      -----------                                  -------------
      |  box a  |                                  |  box b    |
      -----------                                  -------------
          | IP 192.168.0.1                              | IP 192.168.0.2
          |                                             |
          |            NET: 192.168.0.0/24              |
      ---------------------------------------------------------
                |                  |                  |
                |                  |                  |
                |IP 192.168.0.10   |IP 192.168.0.11   |IP 192.168.0.12
                |GW 192.168.0.1    |GW 192.168.0.1    |GW 192.168.0.2
           -----------        -------------      -------------
           |  box x  |        |  box y    |      |  box z    |
           -----------        -------------      -------------

      As you will notice, both boxes x and y have box a as their default gateway, while box z has box b as its default gateway.

      All configuration is done on box a.

      I needed to route IPs to all three boxes, so I set up port forwarding under NAT on box a to forward ports to boxes x, y and z.

      Boxes x and y provide HTTP service, box z provides SMTP service. Therefore, the associated rules are created accordingly. Any traffic coming to the external IP of box a is translated accordingly for the respective boxes depending on the service.

      When I try to connect to box x from outside, it works.
      When I try to connect to box y from outside, it works.
      When I try to connect to box z, it fails.

      I have set up logging on box a, and it appears to be translating properly; at least that is what the log says, with a green icon indicating the packet has been passed. I tried capturing packets and it appears that the packets have been translated accordingly, but there is no response from box z.

      However, if I am on any other box in the LAN then I can telnet to the SMTP port of box z. It does the email transaction as well, indicating that the box can exchange mail and is responsive to boxes on the network. However, when I try from outside (x.y.10.100), it does not work.

      Even more strange, when I looked at the log it said

      @39 pass in log quick on fxp0 reply-to (fxp0 x.y.10.1) inet proto tcp from any to 192.168.0.12 port = smtp flags S/SA keep state label "USER_RULE: NAT NAT inbound access for srvexchange01 smtp"

      The only difference between boxes x, y and z is the GW of the boxes. I do not have access to this box and therefore cannot make any change to it. I have access to box a and boxes x and y, though. I am not sure if that is what is making it not work, and would therefore appreciate suggestions/pointers from all.

      Thanks

        shamims

        Adding a bit more information for those who are looking

        I configured an additional IP on the WAN interface as (not all at the same time, of course :P)
        a. Proxy ARP
        b. Other
        c. IP alias

        Every time, after configuring the VIP, I went to Firewall > NAT > Port Forward and added a rule from the new WAN IP to the internal IP (0.12) on the SMTP port, restarted the box, checked the settings once more, and tried to telnet newIP smtp. Still no luck. I know 0.12 is responding to SMTP requests; I even did that from the shell of the box itself.

        I am running 2.0 beta5

        Thanks.

          shamims

          Further to my previous test, I have managed to set up a different box with SMTP enabled and tried to redirect the port to that box. When the box had a different GW, it did not work. Then I changed that box's GW to my pfSense box, and only once it worked. The rest of the times I am getting

          Escape character is '^]'.
          SMTP synchronization error
          Connection closed by foreign host.

          This was done with an IP Alias VIP (additional IP) on the FW.

          hmmmmm, makes me wonder . . .

            brcisna

            Doing it externally:

            What happens when you do a simple 'telnet mymailserver.domain.net 25'?
            Does an external client machine get connected this far?
            What mail server are you using?

            Also, you do have a port forward for TCP 110 as well, correct?
            Try telnetting to port 110 as well and see what happens there.
            Post a couple of screenshots of your port forwards and the coinciding LAN & WAN rules as well.

            BC

              shamims

              Dear All

              In order to confirm my suspicion, I have configured four boxes in a test environment to emulate the setup below

              real IP                                       real IP
              x.y.10.0/24          -------------            x.y.20.0/24
                  |----------------| x.y.10.100 |               |
                  |                -------------                |
                  | IP x.y.10.10/24                             | IP x.y.20.2/24
                  | GW x.y.10.1                                 | GW x.y.20.1
              -----------                                  -------------
              |  box a  |                                  |  box b    |
              -----------                                  -------------
                  | IP 192.168.0.1                              | IP 192.168.0.2
                  |                                             |
                  |            NET: 192.168.0.0/24              |
              ---------------------------------------------------------
                        |
                        |
                        |
                        |IP 192.168.0.10
                        |GW 192.168.0.?
                   -----------
                   |  box x  |
                   -----------

              In order to test, at the beginning box X has the gateway 192.168.0.1, and port forwarding is set up on box A. Box X is running email (SMTP), and it works; I have tested it with another box on the LAN.

              As long as the GW is pointing back to box A, the setup works fine. I can communicate from box x.y.10.100 to box X, and the emails are delivered without any error.

              Changed the GW of box X to box B. It stopped working. No matter how much I tried (in many different ways, including trying to force-route emails to that box) it DID NOT WORK. At one point I even waited for nearly half an hour hoping that the mail would route, keeping an eye on the log, which kept on complaining that box X was not responding.

              Changed the GW of box X back to box A. It started working again. I did not even have to touch anything on any of the boxes; I just waited five minutes and the email was delivered without even a hiccup.

              I played the change back/to/back/to several times to confirm that this is the case.

              Personally, I am a little surprised, since this is the first time I am encountering this (I never needed port forwarding with pfSense before). I would have expected that no matter where the GW is, the box would always respond to the connection-initiating server. Otherwise, as per my first diagram, there is no way to maintain multiple GWs (redundant links) offering service from the same box; I would need at least n (= number of GWs) boxes to offer the services.

              I don't know if this is a bug or not (I am using V2 Dec2010 build). But if it is not a bug but something standard, can someone please confirm to that effect?

              Thanks to all for reading

                brcisna
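The experiment above is explained by the reply path: box a only sees the SYN it forwarded, while box z's SYN/ACK leaves through whichever router is its default gateway. The following Python is an added example, not code from the thread or from pfSense; it models box a as a stateful port-forwarding NAT, box b as a plain NAT router with no state for the flow, and the client x.y.10.100 from the diagram. It also goes one step beyond the thread: the assumed `snat_lan` option rewrites the forwarded SYN's source to box a's LAN address (the usual outbound-NAT remedy for a server whose default gateway is a different router), which makes box z reply to box a regardless of its GW.

```python
# Constructed model of the thread's topology (added example, not from the thread or
# pfSense): box a is a stateful firewall holding the SMTP port forward; box b is a
# plain NAT router that knows nothing about the flow.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")
CLIENT = "x.y.10.100"      # external test host from the diagram
SERVER = "192.168.0.12"    # box z, the SMTP server

class Router:
    def __init__(self, wan, lan, forward=None, snat_lan=False):
        self.wan, self.lan = wan, lan
        self.forward = forward or {}   # dport -> internal IP (the port-forward table)
        self.snat_lan = snat_lan       # also rewrite the source to our LAN IP (assumed remedy)
        self.state = {}                # reply key -> (orig src, orig dst) to restore

    def inbound(self, p):
        """WAN -> LAN: apply the port forward (DNAT), optionally SNAT, record state."""
        target = self.forward.get(p.dport)
        if p.dst != self.wan or target is None:
            return None                # no forward for this port: dropped
        new_src = self.lan if self.snat_lan else p.src
        self.state[(target, p.dport, new_src, p.sport)] = (p.src, p.dst)
        return Packet(new_src, target, p.sport, p.dport)

    def outbound(self, p):
        """LAN -> WAN: undo the translation if this is our flow, else masquerade."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.state:
            orig_src, orig_dst = self.state.pop(key)
            return Packet(orig_dst, orig_src, p.sport, p.dport)
        return Packet(self.wan, p.dst, p.sport, p.dport)   # ordinary outbound NAT

def smtp_synack_seen_by_client(server_gw, snat_lan=False):
    """SYN from the client to box a's WAN; box z's SYN/ACK leaves via its default
    gateway (server_gw). Returns the SYN/ACK as it reaches the client."""
    box_a = Router("x.y.10.10", "192.168.0.1", {25: SERVER}, snat_lan)
    box_b = Router("x.y.20.2", "192.168.0.2")
    syn = box_a.inbound(Packet(CLIENT, box_a.wan, 40000, 25))   # box a logs "pass"
    synack = Packet(syn.dst, syn.src, 25, syn.sport)            # box z answers what it saw
    if syn.src == box_a.lan:           # SNAT case: reply stays on the LAN, no GW involved
        return box_a.outbound(synack)
    return {box_a.lan: box_a, box_b.lan: box_b}[server_gw].outbound(synack)

def client_accepts(synack):
    """The client completes the handshake only if the SYN/ACK comes back from the
    address and port it connected to: box a's WAN IP, port 25."""
    return (synack.src, synack.sport, synack.dst) == ("x.y.10.10", 25, CLIENT)
```

With the GW on box b the client receives a SYN/ACK from x.y.20.2, which does not match the connection it opened, so it is discarded and box a's half-open state simply times out, exactly the "passed but no response" picture in the thread.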

                shamims,

                With your gateway set to box b, can you do a simple telnet from box b on port 25 to box x (mail server)?
                You should try this to see if you are getting at least one-way communication.

                If you can get a telnet connection, try and do a telnet email send to your email server/box x from box b and see how the email fails in this scenario.
                This will eliminate a few things to narrow things down a bit.

                BC

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.