[SOLVED] Really can not deal with rules and NAT



  • I have read forum posts concerning pfSense logs of blocked packets, where there are duplicates and lost FIN packets. But this time, in my case, it seems different: I cannot connect even when explicitly allowing the connection, even using the Quick rules from the logs to allow connections.

    pfSense FW with NAT
    10.10.10.10 - WAN router external routed IP address
    192.168.10.1 - LAN router address internal

    10.10.10.11 - VIP, for specific reasons located on the WAN interface, to connect to the 192.168.10.0/24 LAN, as the router has several OPT interfaces restricting internal VLANs.
    NAT setup is the following:
    Interface: WAN
    External address: 10.10.10.11 (VIP as stated above)
    Protocol: TCP
    External port range: 8888
    NAT IP address: 192.168.10.10 (from LAN interface - specific server)
    Local port: 8888

    With this setup I assume that connections to VIP 10.10.10.11:8888 are NATted to 192.168.10.10:8888. I hope this is correct.

    I have a WAN firewall rule saying the following:
    Action: Pass
    Interface: WAN
    Protocol: TCP
    Source: Any (actually I will have to specify the exact host, but for now I am testing with any)
    Destination: 192.168.10.10/31 (single host or alias)
    Destination port range: 8888 to 8888
    State type: Keep state
    No logging.

    THE PROBLEM
    With this setup, connections from these hosts are blocked by the default firewall rule; the logs show that a TCP:S packet is blocked, which means SYN. I cannot connect from an external host at all.

    The first strange thing I noticed is that the firewall offers to enter LAN addresses in rules; previously I thought it was different, that I had to allow the connection to 10.10.10.11 instead of 192.168.10.10. But this works OK on other rules. Why is this so?

    Using FreeBSD 7.2-RELEASE-p5 i386

    Can anybody comment on these issues or point me to the wrong settings, if any? Additionally, I have a LAN interface rule (manually entered) allowing any to any, which should probably work for outgoing connections, as well as if these tests have to run on the LAN interface instead of WAN.



  • I would like to add some info for now:

    1. I ran a packet capture and found out that, despite the firewall rule being for the 192.168.10.10 IP on the WAN interface, the firewall gets the connection to VIP 10.10.10.11. I added an additional firewall rule to allow any connections to the VIP on the specific port. Ran the packet capture again: the same results. The external system tries to send a SYN packet to establish the connection, but these first packets are blocked by the default firewall rule, despite the explicit allow rule.

    2. I had an issue with asymmetric routing, where packets were coming in via 10.10.10.11 but going out via the firewall WAN address. To be more precise, I registered an outbound NAT rule to move packets from this LAN interface out to any via the VIP address 10.10.10.11.

    The results still do not give me a clue, and the connection still cannot be established.
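    For reference, the port forward, outbound NAT and WAN rule described in the two posts above, written out as the pf rules pfSense generates from those GUI settings. This is an added example, not the poster's configuration or pfSense's generated file; the interface name em0 is an assumption (the posts do not name it), and pfSense puts the actual generated rules in /tmp/rules.debug, which is the file to compare against.

```pf
# Assumed WAN interface name; the posts do not name it.
ext_if = "em0"
vip    = "10.10.10.11"     # VIP on WAN (from the post)
srv    = "192.168.10.10"   # internal server (from the post)
port   = "8888"

# Port forward (pfSense "NAT: Port Forward"). In pf, rdr translation
# runs BEFORE filtering, so a pass rule on $ext_if sees the translated
# destination $srv:$port, not $vip:$port. That is why the rule editor
# accepts a LAN address as the destination of a WAN rule.
rdr on $ext_if proto tcp from any to $vip port $port -> $srv port $port

# Outbound NAT so replies from $srv leave via the VIP rather than the
# WAN interface address (the asymmetric-path issue from post 2).
nat on $ext_if from $srv to any -> $vip

# WAN rule matching the post-translation destination. pfSense generates
# its interface rules with "quick". Note /32 = exactly one host; the
# /31 used in the post also matches 192.168.10.11.
pass in quick on $ext_if proto tcp from any to $srv/32 port $port \
    flags S/SA keep state
```

    Checks that go with this: `pfctl -sn` shows the loaded rdr/nat rules and `pfctl -vvsr` shows the filter rules with per-rule packet counters, so a SYN that is still hitting the default block rather than the pass rule is visible immediately; `pfctl -ss` shows whether a state was created; and `tcpdump -ni em0 tcp port 8888` on the WAN side confirms the SYN arrives with $vip as its destination (which it does, since translation has not happened yet on the wire). The forward also depends on the firewall actually receiving traffic for $vip: either the upstream router routes 10.10.10.11 to the WAN address, as the post states, or the VIP must be of a type that answers ARP for it.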



  • I was struggling with my issue for a couple of days, but today it really turned out to be solved by a router restart. I could not imagine that there could be a situation where FreeBSD acts like Microsoft products :) If something does not work, try restarting the computer :).

    Anyway, I restarted the router, which had been online for 1.5 years, and everything fell into place: the rules started to work. To be honest, I could not find any info relating to such issues, nor can I comment on it more deeply. For now, the issue is considered solved.

