Help on port forwarding, please (desperately need help)



  • Hi, I'm new to pfSense. Here's the detail of my Setup:

    1. pfSense version 1.0.1-SNAPSHOT-02-27-2007 (a VMware VM instance)
      -LAN: 192.168.1.200/24 (static, pfSense's DHCP server disabled on LAN)
      -WAN: 15.15.15.1/8 (it's a static IP setup to test port forwarding)
      -Firewall-NAT:
          -Interface: WAN
          -Ext address: Interface Address
          -Protocol: TCP
          -Ext. Port Range: HTTP (80-80)
          -NAT IP: 192.168.1.10
          -Local Port: HTTP (80)
          -Description: 'web'
          -No XMLRPC Sync: unchecked
          -Auto create was checked at rule creation (in firewall->rules showed up a new rule similar to NAT rule)
      -Firewall-Rules:
          -Action: Pass
          -Disabled: Unchecked
          -Interface: WAN
          -Protocol: TCP
          -Source: Any
          -Destination: Single host or alias, Address: 192.168.1.10
          -Destination Port Range: HTTP (80)
          -Log: checked
          -No XMLRPC Sync: unchecked
          -Gateway Default
          -Description: 'NAT web'
    2. Apache Web server at 192.168.1.10 listening at port 80 and 199
    3. Client, Knoppix Linux Live DVD v5.0.1 at WAN interface, IP address: 15.15.15.15/8 (a VMware VM instance)
    4. The setup is running on VMware Server v1.0, pfSense is at VM0, Knoppix is at VM1, the Apache Web server is at the host computer
    5. All network card setup in VMware server are set to 'Bridged', 'Connected' is checked, 'Connect at power on' is checked also.

    The Issue:
        With NAT rule and Firewall rule in place, I can't open the apache from WAN, I do get this message in
    Diagnostics: System logs: Firewall = "pf: 014529 rule 30/0(match): pass in on le1: 15.15.15.15.42585 > 192.168.1.10.80: S 2370850529:2370850529(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>". I thought at first, the web server is not running, I tried to open it locally (at the host) it's running. Then I tried to change Knoppix IP address to 192.168.1.202/24, Knoppix can open it just fine. After that I reset the Knoppix's IP address to 15.15.15.15/8. Then from pfSense, I tried to ping host, and knoppix, both are responding normally, I even tried downloading pfSense update from host(192.168.1.10) by running "fetch -o /tmp/firmware.tgz http://192.168.1.10/pfSense-update.tgz" (I renamed the update file-name because it's too long). It was working like a charm, but not from Knoppix at WAN side. Any thoughts appreciated

    The Setup (logical version):

    (Apache Web Server listening at port 80 and port 199) Host (192.168.1.10/24) <---> (LAN Interface: 192.168.1.200/24) pfSense (WAN Interface: 15.15.15.1/8) <---> (15.15.15.15/8) Knoppix Linux (Mozilla Firefox v1.5.0.3)

    Thanks in advance,

    zzz2496



  • change the port for your pfS Web GUI to something other than 80.



  • @sai:

    change the port for your pfS Web GUI to something other than 80.

    This shouldn't interfere with a port redirect. You will lose access to the webgui by the WAN IP though but by LAN IP will be fine. As it is passing the traffic this is not a pfsense issue (see firewall log). Probably a vmware misconfiguration or a routing problem of some kind.



  • @sai

    I've changed the listen port (now @ 54321) and changed the protocol too (now @ HTTPS), and as hoba said… it doesn't work... but thanks for the reply  :D

    @hoba

    If I make my knoppix's ip address to the same subnet as my host OS (192.168.1.202), it can open the apache just fine, that's why I'm wondering if I did something wrong (and vmware is operating normally afaics).
    Here's another log entry from firewall:

    "pf: 35. 801321 rule 46/0(match): pass in on le1: 15.15.15.15.39752 > 192.168.1.10.80: S 4214566814:4214566814(0) win 5840 <mss 1460,sackOK,timestamp[|tcp]>"

    but the browser keeps on timing out… I'm new to pfSense, but I know my way around computer network
    (done ICND few years ago :))

    Thanks for the reply,

    zzz2496



  • Is the apache server able to ping the knoppix host? If not maybe it's using a wrong gateway.



  • @hoba:

    Is the apache server able to ping the knoppix host? If not maybe it's using a wrong gateway.

    @hoba, yes I can ping my knoppix host, I'm currently on ##pfsense (in away mode).



  • hm, still thinking it's a vmware config issue. Do the states look ok at diagnostics>states for this connection? if yes it definitely is not a pfSense issue.



  • @hoba:

    hm, still thinking it's a vmware config issue. Do the states look ok at diagnostics>states for this connection? if yes it definitely is not a pfSense issue.

    @hoba

    Sorry, internet blackout just now…
    I found the problem at last (your hint was the KEY :)) thank you sooo muchhh.
    The problem was windows's gateway binding = idiot, I told it to get to 192.168.1.200 as gateway with higher metric number... windows is windows... if I take out one of the gateway IP, it works like a charm... that took me 4 days... Thank you again, hoba bows :D



  • Glad you got it working finally  :)
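
An added example (not part of the thread) modelling the cause found above: the firewall log shows the SYN passed, but the web server answers through whichever default gateway has the lowest metric, so the reply never travels back through pfSense's NAT state. The second gateway address (192.168.1.1) and both metric values are assumptions; the other addresses and the log line come from the thread.

```python
import ipaddress
import re

# Log line from the thread (TCP options trimmed).
PF_LOG = ("pf: 014529 rule 30/0(match): pass in on le1: "
          "15.15.15.15.42585 > 192.168.1.10.80: S 2370850529:2370850529(0) win 5840")

# Constructed routing table of the web server host: (destination, gateway, metric).
# 192.168.1.1 and the metrics are assumed; 192.168.1.200 is pfSense's LAN IP.
SERVER_ROUTES = [
    ("192.168.1.0/24", None, 10),          # on-link LAN, no gateway
    ("0.0.0.0/0", "192.168.1.1", 10),      # other default gateway (assumed)
    ("0.0.0.0/0", "192.168.1.200", 20),    # pfSense, higher metric number
]

FLOW_RE = re.compile(
    r"pass in on (\S+): (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse_pf_pass(line):
    """Extract interface, source and destination from a pf 'pass in' log line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    iface, src, sport, dst, dport = m.groups()
    return {"iface": iface, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def next_hop(routes, dest):
    """Longest prefix wins, then lowest metric. None means on-link delivery."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), gw, metric)
               for net, gw, metric in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError("no route to " + dest)
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def reply_returns_via(routes, log_line, firewall_lan_ip):
    """Return (next hop for the reply, True if that hop is the firewall)."""
    flow = parse_pf_pass(log_line)
    hop = next_hop(routes, flow["src"])
    return hop, hop == firewall_lan_ip

if __name__ == "__main__":
    print(reply_returns_via(SERVER_ROUTES, PF_LOG, "192.168.1.200"))
```

The same check explains why the client worked at 192.168.1.202: that address is on-link for the server, so no gateway is involved in the reply.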

