Netgate Discussion Forum

    Firewall Rule / Routing Help Please

Firewalling
magilli

Hi All,

Was wondering if I could get some help, I would really appreciate it. Originally I was trying to do some port forwarding but was having some problems, so I tried to simplify things before going to the next level.
See diagram below.
I have added a gateway and route to pfSense to be aware of the 172.20.20.x network and pings work great. But coming from the 172.20.20.x network back I am having some issues.
First - I have placed a workstation in the OPT3 network (workstation address is 192.168.6.210). When I am part of the 192.168.6.x network I can access everything as I should be able to. Awesome, things work great. I can access and manage pfSense, I have access to both web servers. Life is good.
Next I have another workstation in the 172.20.20.x network, same rules apply as in the above test. When I launch web management for pfSense at https://192.168.6.254 the certificate exception pops up, then IE grinds and nothing happens. Didn't expect that from my results from step one. Then I launch the Apache website, same thing... Thinking I did something wrong I tried the IIS website and it works!! Tried FTP off of the IIS server - success! Even the SFTP from the Linux machine works. At first I looked at the Apache web server config, all looks good there (allow all). Plus my test from the direct interface on the 192.168.6.x network worked great. Is there something that I am missing in my configuration on the firewall that may be an issue? I guess I am trying to pinpoint where I need to focus my effort. I posted on the pfSense forum because I would have thought that I would at the very least be able to see the management web page. For some reason the Linux web page rendering from the 172.20.20.x network seems to be a problem. In desperation I have set the rules to allow all ports until I get this figured out.
The end goal would be to have Virtual IPs and port forwarding on the 192.168.6.x network:

192.168.6.51 to point to the IIS server
192.168.6.52 to point to the Tomcat server.

Appreciate any help anyone can provide!!

I have the following set up:

WAN (192.168.30.108) - - >
LAN (172.30.36.254/24)
OPT1 (192.168.70.254/24)
OPT2 (172.31.17.254/24) - with 2 web servers
    IIS Web Server (172.31.17.84)
    Apache Tomcat Web Server (172.31.17.82:8080)
OPT3 (192.168.6.254/24) - - > Cisco Router (192.168.6.253/24) - - > Cisco Router (172.20.20.254/24)

podilarius

Probably need to use a combination of traceroute and tcpdump to find out if and where traffic is making it to, and what it looks like when it gets there.

magilli

Thanks for the direction. I did some more checking using ping and traceroute from pfSense to the 172.20.20.254 gateway. I am seeing "ICMP time exceeded in-transit" errors. This would make sense as to why the Windows machines would be working while I am having problems with the Linux machines. Is there any way to troubleshoot this further on the pfSense side?

Thanks!!

podilarius

Did you do a traceroute and ping from the Linux server as well as the Windows one to compare the difference? Perhaps the default route (gateway) in the Linux system is not correct.

magilli

Hi... Got some of it figured out... it was an MTU issue. I increased the MTU on the pfSense interface and all is working.

Now on to port forwarding... running into some more troubles.

I set up the port forward rule with no luck. On the pfSense interface 192.168.6.254 I set up a virtual interface 192.168.6.51 that I would like to port forward to 172.31.17.82.

pfSense looks like:
IF = OPT2, proto = tcp, src addr = *, src port = *, dest addr = 192.168.6.51, dest port = 443, NAT IP = 172.31.17.82, NAT port = 443.

I get nothing... strange thing is when I change the dest port to 8080 for the fun of it, the web server replies that I should be using an https request. I am lost, I didn't expect that result, does anyone have any suggestions? Thought that I should mention this is coming from an OPT interface to forward the traffic to the LAN, not the WAN.

Thanks

podilarius

Is this a configuration on the outbound NAT or the inbound port forwarding?

magilli

Hi, this is on the Port Forward tab. I have not touched anything in the outbound configuration. Is there something that I need to do in there as well?

Thanks

podilarius

If I understand what you are looking to do, yes, you need to set up advanced rules to NAT the traffic between OPT2 and LAN.

magilli

The OPT2 will be the interface that is connected to a larger corporate network... looks something like this:

WAN
LAN - Management network (syslog, vCenter, AD)
OPT1 - Web servers
OPT2 - Cisco network connected to a firewall that is connected to a large network controlled by someone else

We are trying to get NAT and port forwarding in place for the OPT2 to point to the OPT1 network because there are IP conflicts between the OPT1 and the other controlled network connected to OPT2.

I would have thought that the port forwarding would have handled everything and I would not need to do NAT, but I guess it makes sense for the responding packets.

Would my source be the OPT1 network,
destination be OPT2,
and the NAT address the virtual IP?

Would I configure this in the outbound NAT??

I have looked a little bit but I am trying to figure out the source, destination and translation.

I have found that the MTU seems to be an issue for me, any insight on the best way to control this problem?

Thanks

podilarius

Port forwarding will handle connections originating inbound, but not originating from within. You must use AON to handle those types of connections.
You said IP conflicts, which means to me that you have them on the same subnet. There will be no routing in that case and you will need to create a different subnet if you want to have a firewall or router in between them. Not sure why MTU would make any difference if both are in a 10/100 network.

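Added example, not code from this thread or from the pfSense project: a small check that reads a pfSense config.xml export and flags port forwards that cannot behave as intended. The element names (`<interfaces>`, `<virtualip><vip>`, `<nat><rule>`) are assumed to follow the pfSense config.xml layout; treat them as an assumption and adjust if your export differs. The sample config is constructed to mirror the thread: the Virtual IP 192.168.6.51 is bound to OPT3, but the port forward was created on OPT2 with a target on OPT2's own subnet. pf binds a redirect rule to an interface, so a forward only sees traffic entering on that interface; and when the target host sits on the same segment as the rule's interface, its replies go straight to the client and never cross pfSense, which is the case podilarius is describing where an outbound NAT rule is required to keep both directions through the firewall.

```python
"""Check pfSense port forwards against the addresses they claim to serve.

Added example, not code from this thread or from the pfSense project.
The element names below follow the pfSense config.xml layout as I know it
(<interfaces>, <virtualip><vip>, <nat><rule>); treat them as an assumption
and adjust if your export differs. SAMPLE_CONFIG is constructed to mirror
the thread's setup.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: VIP 192.168.6.51 lives on OPT3, but the port forward was
# created on OPT2 and points at a host on OPT2's own subnet.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <opt2><if>em2</if><ipaddr>172.31.17.254</ipaddr><subnet>24</subnet></opt2>
    <opt3><if>em3</if><ipaddr>192.168.6.254</ipaddr><subnet>24</subnet></opt3>
  </interfaces>
  <virtualip>
    <vip><mode>ipalias</mode><interface>opt3</interface>
         <subnet>192.168.6.51</subnet><subnet_bits>32</subnet_bits></vip>
  </virtualip>
  <nat>
    <rule>
      <interface>opt2</interface><protocol>tcp</protocol>
      <destination><address>192.168.6.51</address><port>443</port></destination>
      <target>172.31.17.82</target><local-port>443</local-port>
    </rule>
  </nat>
</pfsense>"""

# Same config with the forward moved to the interface that owns the VIP.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "<interface>opt2</interface><protocol>", "<interface>opt3</interface><protocol>")


def attached_networks(root):
    """Map interface name -> directly attached IPv4 network (static interfaces only)."""
    nets = {}
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ip and bits and ip != "dhcp":
            nets[iface.tag] = ipaddress.ip_interface(f"{ip}/{bits}").network
    return nets


def virtual_ips(root):
    """Map VIP address -> interface it is bound to."""
    return {vip.findtext("subnet"): vip.findtext("interface")
            for vip in root.iterfind("virtualip/vip")}


def interface_for(addr, nets, vips):
    """Interface that answers for addr: a VIP binding, or the subnet containing it."""
    if addr in vips:
        return vips[addr]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # alias name or hostname; cannot resolve offline
        return None
    return next((name for name, net in nets.items() if ip in net), None)


def check_port_forwards(xml_text):
    """Return a list of human-readable findings for the <nat><rule> entries."""
    root = ET.fromstring(xml_text)
    nets, vips = attached_networks(root), virtual_ips(root)
    findings = []
    for rule in root.iterfind("nat/rule"):
        iface = rule.findtext("interface")
        dst, dport = rule.findtext("destination/address"), rule.findtext("destination/port")
        target = rule.findtext("target")
        if not (iface and dst and target):
            continue
        # 1. pf binds rdr rules to an interface: the forward only sees traffic that
        #    enters on that interface, so it must be the one owning the destination.
        owner = interface_for(dst, nets, vips)
        if owner is None:
            findings.append(f"{dst}:{dport} is neither a VIP nor an interface address; "
                            f"the forward on {iface} can never match")
        elif owner != iface:
            findings.append(f"forward for {dst}:{dport} is on {iface} but {dst} belongs to "
                            f"{owner}; move the rule to {owner}")
        # 2. If the target host sits on the rule's own interface, its replies reach the
        #    client without crossing pfSense and the state table never sees them.
        tgt_if = interface_for(target, nets, {})
        if tgt_if is None:
            findings.append(f"target {target} is not on an attached subnet; "
                            f"a route to it must exist")
        elif tgt_if == iface:
            findings.append(f"target {target} is on {iface} itself; replies bypass pfSense "
                            f"unless an outbound NAT rule on {iface} rewrites the source")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("forward moved to opt3", FIXED_CONFIG)):
        print(f"{label}:")
        for line in check_port_forwards(cfg) or ["no findings"]:
            print("  -", line)
```

Run against the constructed sample it reports two findings (rule on the wrong interface, target on the rule's own segment); with the forward moved to OPT3 it reports none, because the target then sits behind a different interface and its replies are routed back through pfSense. The second finding is the one Advanced Outbound NAT addresses: a rule on the server-facing interface that translates the client source to that interface's address makes the server answer pfSense rather than the client directly.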
magilli

Update: the port forwarding that I am using is originating from the OPT3 interface, but I understand what you mean. The IP conflicts come from the other network that is behind a different firewall. We are both using NAT and port forwarding to create a workaround, hope that makes more sense. I have a different system administrator on the other side.

After looking at and configuring a lower MTU on the Linux host, all is working great. I have read some other posts that pfSense has some trouble handling packet fragments, but it looked like that was for the older versions... there were a couple of solutions, but I could not find a solution that works for me. I am not sure if it is completely a pfSense problem because I only have problems with the Linux servers. Might be a combination... but a weird one... anyone else experience this and have any insight?

podilarius... you had mentioned that I should be using AON.... would this resolve this issue, as I am not using this scenario currently and things are working?

Thanks for your help

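Added example, not code from this thread or from pfSense: a path MTU probe for pinning down the kind of problem the thread worked around by lowering the MTU on the Linux host. The search is generic and takes a probe callback; `simulated_path` is a constructed stand-in for a path with known hop MTUs so the search can run offline, and `linux_df_probe` is a real probe for Linux that sets the Don't-Fragment bit on an unprivileged UDP socket with `IP_PMTUDISC_DO`, the same mechanism tracepath uses. The destination port 33434 (the conventional traceroute port) and the 0.5 s wait are assumptions you can change.

```python
"""Find the path MTU toward a host by probing with the Don't-Fragment bit set.

Added example, not code from this thread or from pfSense. The search is
generic and takes a probe callback. `simulated_path` is a constructed stand-in
for a path with known hop MTUs so the search runs offline; `linux_df_probe`
is a real probe for Linux that uses IP_PMTUDISC_DO on an unprivileged UDP
socket, the same trick tracepath relies on. The destination port 33434 is the
conventional traceroute port and is an assumption you can change.
"""
import errno
import socket

IP_HEADER = 20      # IPv4 header without options
UDP_HEADER = 8
ICMP_HEADER = 8     # for translating an MTU into a ping -s payload


def ping_payload_for(mtu):
    """Payload size for `ping -M do -s N` (Linux iputils) that fills an MTU exactly."""
    return mtu - IP_HEADER - ICMP_HEADER


def find_path_mtu(probe, lo=576, hi=1500):
    """Largest packet size in [lo, hi] for which probe(size) succeeds with DF set.

    Assumes the path is monotonic (if size N passes, every smaller size passes),
    which holds for MTU limits. Returns None if even `lo` is rejected, which
    usually means the error is not an MTU problem at all.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    while hi - lo > 1:              # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def simulated_path(*hop_mtus):
    """Constructed stand-in: a DF packet crosses the path only if it fits every hop."""
    limit = min(hop_mtus)
    return lambda size: size <= limit


def linux_df_probe(dest_ip, port=33434, wait=0.5):
    """Real probe (Linux only). Sends one UDP datagram of `size` total IP bytes with
    DF set on a connected socket, then waits briefly for the kernel to report an
    ICMP error on that socket:
      EMSGSIZE      -> a hop (or the local interface) needed fragmentation: too big
      ECONNREFUSED  -> port unreachable came back from the destination: it fit
      timeout       -> no error seen; treat as passed (ICMP may also be filtered)
    """
    mtu_discover = getattr(socket, "IP_MTU_DISCOVER", None)
    pmtudisc_do = getattr(socket, "IP_PMTUDISC_DO", None)
    if mtu_discover is None or pmtudisc_do is None:
        raise RuntimeError("IP_MTU_DISCOVER is only available on Linux")

    def probe(size):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.setsockopt(socket.IPPROTO_IP, mtu_discover, pmtudisc_do)
            sock.settimeout(wait)
            sock.connect((dest_ip, port))
            try:
                sock.send(b"\x00" * (size - IP_HEADER - UDP_HEADER))
                sock.recv(1)        # only here to collect a pending ICMP error
            except socket.timeout:
                return True
            except OSError as e:
                if e.errno == errno.EMSGSIZE:
                    return False
                if e.errno == errno.ECONNREFUSED:
                    return True
                raise
            return True
    return probe


if __name__ == "__main__":
    # Offline demonstration: a 1500-byte LAN with one 1400-byte hop in the middle.
    print("simulated path MTU:", find_path_mtu(simulated_path(1500, 1400, 1500)))
    print("ping -M do -s", ping_payload_for(1400), "fills a 1400-byte MTU")
```

The quick manual equivalent on a Linux host is `ping -M do -s 1472 <host>` (1472 + 28 bytes of headers = 1500) and stepping the size down until replies return; on pfSense, `tcpdump -ni <interface> icmp` during the probe shows whether "need to frag" messages are generated and on which side they stop. Two caveats worth keeping in mind: the "ICMP time exceeded in-transit" replies seen earlier in the thread are what traceroute elicits from every hop by design, whereas a fragmentation problem shows up as ICMP type 3 code 4 messages or, when those are filtered somewhere on the path, as large DF packets that simply vanish; and a probe that reports "passed" on timeout can be hiding exactly that filtering, which is why the Linux probe also listens for the port-unreachable reply as positive confirmation.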
podilarius

I like the granular control of AON. If it is working, let it work.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.