Port forwarding NAT issue with two gateways



    Hello,

    pfSense with two internet connections, one on em2 and one on em1. em0 is the LAN interface.
    I'm trying to forward port 22 on em1[ip] to LAN server X port 22 and to forward port 22 on em2[ip] to LAN server X port 23 (sshd is listening on both 22 and 23 on LAN server X, and em1[ip] means the publicly accessible IP of that interface).
    Incoming traffic gets redirected correctly, and running tcpdump on LAN server X I can see traffic arrive as I would expect it and replies going out to the default gateway (pfSense).
    Because I have two internet connections and I want to reach server X on the LAN by doing ssh from the internet to either em1[ip] or em2[ip], I have set up two filter rules on the LAN (em0) interface of pfSense. Rule 1 says: if traffic from server X port 22, then allow and redirect gateway to the gateway of the em1 interface; if traffic from server X port 23, then redirect gateway to the gateway of the em2 interface.

    All makes sense; right now the gateway of the pfSense box itself is set to the em2 gateway.
    The problem:
    Internet traffic coming to em2[ip] port 22 gets redirected to LAN server X port 23 and replies come back as expected to the internet source trying to connect. OK
    Internet traffic coming to em1[ip] port 22 gets redirected to LAN server X port 22 and replies exit the pfSense box on em2 with source IP em1[ip]. NOT OK. If I unbind sshd from port 22 on LAN server X and run "nc -p 22 IP-ON-INTERNET 22", then on the IP-ON-INTERNET server I can see incoming traffic with the correct source IP of em1[ip]. If I enable logging of the firewall rule applied on em0 which changes the default gateway when the source port is 22, then port-forwarded packets do not get logged; only the packets sent when doing nc (netcat) are logged.
    This leads to the conclusion that port forwarding completely bypasses the rules on the em0 (LAN) interface and so uses the default system gateway for outbound traffic, but it also does the screwed-up translation and puts back em1[ip] as the source address.

    The above-mentioned rules are at the top of the table and nothing else should match. The pfSense version used is 2.0-RC2 (amd64) PFhacom.

    pf filter rules output below; IP addresses have been changed for privacy reasons.

    scrub in on em0 all fragment reassemble
    block drop in on em0 inet6 from fe80::230:18ff:fea9:969d to any
    pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em0 proto tcp from any to (em0) port = 7022 flags S/SA keep state label "anti-lockout rule"
    pass in log quick on em0 inet proto tcp from 192.168.0.2 port = ssh to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass in log quick on em0 route-to (em1 1.2.3.4) inet proto tcp from 192.168.0.2 port = ssh to any flags S/SA keep state label "USER_RULE: nat rule for X machine"
    pass in quick on em0 inet proto tcp from 192.168.0.2 port = telnet to <vpns> flags S/SA keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass in quick on em0 route-to (em2 5.6.7.8) inet proto tcp from 192.168.0.2 port = telnet to any flags S/SA keep state label "USER_RULE: nat rule for X machine"

    scrub in on em1 all fragment reassemble
    block drop in quick on em1 from <bogons> to any label "block bogon networks from WAN"
    pass in quick on em1 inet proto icmp from any to 1.2.3.4 icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on em1 inet proto tcp from any to 192.168.0.2 port = ssh flags S/SA keep state label "USER_RULE: NAT "

    scrub in on em2 all fragment reassemble
    block drop in on em2 inet6 from fe80::230:18ff:fea9:969f to any
    pass in quick on em0 route-to (em2 5.6.7.8) inet proto tcp from 192.168.0.2 port = telnet to any flags S/SA keep state label "USER_RULE: nat rule for X machine"
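As an added example (not the poster's ruleset and not what the pfSense GUI generated for them), this is the raw pf way to pin the return path of a forwarded connection to the WAN it arrived on: the WAN pass rule that creates the state carries reply-to, so reply packets of that state are handed to the listed gateway instead of the system default route. Reply packets match the existing state and never go through rule evaluation on em0, which is why the LAN-side route-to rules only catch the nc test traffic. Addresses are placeholders reused from the anonymised output above (1.2.3.4 and 5.6.7.8 assumed to be the next hops on em1 and em2, 192.168.0.2 the LAN server X); the syntax is the pre-4.7 pf form used by pfSense 2.0.

```pf
# Added example, not the poster's configuration. pf (pfSense 2.0-era syntax).
# Assumed placeholders: 1.2.3.4 = next hop on em1, 5.6.7.8 = next hop on em2,
# 192.168.0.2 = LAN server X.

# NAT: each WAN forwards its port 22 to a different sshd port on server X.
rdr on em1 inet proto tcp from any to (em1) port 22 -> 192.168.0.2 port 22
rdr on em2 inet proto tcp from any to (em2) port 22 -> 192.168.0.2 port 23

# Filter: the rule that creates the state for the forwarded connection
# carries reply-to, so every reply packet of that state is sent to the
# gateway of the interface it came in on, regardless of the default route.
pass in quick on em1 reply-to (em1 1.2.3.4) inet proto tcp from any \
    to 192.168.0.2 port 22 flags S/SA keep state label "NAT: ssh via em1"
pass in quick on em2 reply-to (em2 5.6.7.8) inet proto tcp from any \
    to 192.168.0.2 port 23 flags S/SA keep state label "NAT: ssh via em2"

# Connections that server X itself opens (e.g. the nc test) create their
# state on em0, so those still need route-to on the LAN side.
pass in quick on em0 route-to (em1 1.2.3.4) inet proto tcp \
    from 192.168.0.2 port 22 to any flags S/SA keep state
pass in quick on em0 route-to (em2 5.6.7.8) inet proto tcp \
    from 192.168.0.2 port 23 to any flags S/SA keep state

# Checks after loading:
#   pfctl -sr | grep reply-to          -> both WAN rules show their gateway
#   pfctl -ss | grep 192.168.0.2:22    -> state created by the em1 rule
```

If the rules are managed through the pfSense GUI rather than a hand-written pf.conf, the equivalent check is that the generated WAN rule for the forward (pfctl -sr) shows reply-to for its interface gateway.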

