Firewall Rule / Routing Help Please



  • Hi All,

    Was wondering if I could get some help, I would really appreciate it. Originally I was trying to do some port forwarding but was having some problems, so I tried to simplify things before going to the next level.
    See diagram below.
    I have added a gateway and route to pfSense so it is aware of the 172.20.20.x network, and pings work great. But coming from the 172.20.20.x network back I am having some issues.
    First, I have placed a workstation in the OPT3 network (workstation address is 192.168.6.210). When I am part of the 192.168.6.x network I can access everything as I should be able to. Awesome, things work great. I can access and manage pfSense and I have access to both web servers. Life is good.
    Next I have another workstation in the 172.20.20.x network; the same rules apply as in the test above. When I launch web management for pfSense (https://192.168.6.254) the certificate exception pops up, then IE grinds and nothing happens. Didn't expect that from my results from step one. Then I launch the Apache website: same thing. Thinking I did something wrong, I tried the IIS website and it works!! Tried FTP off of the IIS server: success! Even SFTP from the Linux machine works. At first I looked at the Apache web server config; all looks good there (allow all). Plus my test from the direct interface on the 192.168.6.x network worked great. Is there something that I am missing in my configuration on the firewall that may be an issue? I guess I am trying to pinpoint where I need to focus my effort. I posted on the pfSense forum because I would have thought that I would at the very least be able to see the management web page. For some reason the Linux web page rendering from the 172.20.20.x network seems to be a problem. In desperation I have set the rules to allow all ports until I get this figured out.
    The end goal would be to have virtual IPs and port forwarding on the 192.168.6.x network.

    Appreciate any help anyone can provide!!

    192.168.6.51 to point to the IIS server
    192.168.6.52 to point to the Tomcat server.
    I have the following set up:

    WAN (192.168.30.108) - - >
    LAN (172.30.36.254/24)
    OPT1 (192.168.70.254/24)
    OPT2 (172.31.17.254/24) – with 2 web servers
        ..... IIS Web Server (172.31.17.84)
        ..... Apache Tomcat Web Server (172.31.17.82:8080)
    OPT3 (192.168.6.254/24) - - > Cisco Router (192.168.6.253/24) - - > Cisco Router (172.20.20.254/24)



  • Probably need to use a combination of traceroute and tcpdump to find out if and where traffic is making it to, and what it looks like when it gets there.



  • Thanks for the direction. I did some more checking using ping and traceroute from pfSense to the 172.20.20.254 gateway. I am seeing "ICMP time exceeded in-transit" errors. This would make sense as to why the Windows machines would be working while I am having problems with the Linux machines. Is there any way to troubleshoot this further on the pfSense side?

    Thanks!!



  • Did you do a traceroute and ping from the Linux server as well as the Windows one to compare the difference? Perhaps the default route (gateway) on the Linux system is not correct.



  • Hi… Got some of it figured out... it was an MTU issue. I increased the MTU on the pfSense interface and all is working.

    Now on to port forwarding... running into some more troubles.

    I set up the port forward rule with no luck. On the pfSense interface 192.168.6.254 I set up a virtual IP 192.168.6.51 that I would like to port forward to 172.31.17.82.

    pfSense looks like:
    IF = OPT2, proto = tcp, src addr = *, src port = *, dest addr = 192.168.6.51, dest port = 443, NAT IP = 172.31.17.82, NAT port = 443.

    I get nothing... the strange thing is when I change the dest port to 8080 for the fun of it, the web server replies that I should be using an https request. I am lost, I didn't expect that result. Does anyone have any suggestions? I thought that I should mention this is coming from an OPT interface to forward the traffic to the LAN, not the WAN.

    Thanks
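The MTU problem above was found by trial and error. An added example (not from the thread or from pfSense) of how to measure the usable path MTU directly: ping with the Don't Fragment bit set and binary-search the largest payload that still gets a reply. It assumes a Linux iputils ping (`-M do` sets DF, `-s` sets the ICMP payload size); on FreeBSD/pfSense the equivalent flags are `-D -s`. The host 172.20.20.254 in the usage comment is the far-side Cisco gateway from the diagram; any reachable host on the problem path works.

```shell
#!/bin/sh
# Added example: path-MTU discovery by DF-bit ping probing.
# Assumption: Linux iputils ping ("-M do" sets DF, "-s" is the payload size).

# probe_df HOST SIZE -> exit 0 if one DF-marked ping of SIZE payload bytes
# got a reply within 1 second, non-zero otherwise (timeout, or the local
# stack or a hop refusing the oversized packet).
probe_df() {
    ping -c 1 -W 1 -M do -s "$2" "$1" >/dev/null 2>&1
}

# pmtu_search PROBE HOST LO HI
# Binary search on payload size in [LO, HI] using "PROBE HOST size" as the
# success test. Prints two numbers: the largest payload that succeeded and
# the implied path MTU (payload + 8 bytes ICMP header + 20 bytes IPv4 header).
# PROBE is passed as a function name so the search can be exercised offline.
pmtu_search() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best $(( best + 28 ))"
}

# Usage: sh pmtu.sh 172.20.20.254
# 1472 is the largest payload that fits a 1500-byte Ethernet frame.
if [ -n "${1:-}" ]; then
    pmtu_search probe_df "$1" 0 1472
fi
```

If the interface is set to 1500 but the search reports less, a hop on the path has a smaller MTU and the "fragmentation needed" ICMP messages are not making it back to the sender, which is the situation that lowering the MTU (or clamping the TCP MSS) works around. Run it from both a Windows and a Linux host on the 172.20.20.x side to see whether they get different answers.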



  • Is this a configuration on the outbound NAT or the inbound port forwarding?



  • Hi this is on the Port Forward tab, I have not touched anything in the outbound configuration. Is there something that I need to do in there as well?

    Thanks



  • If I understand what you are looking to do, yes, you need to set up advanced rules to NAT the traffic between OPT2 and LAN.



  • The OPT2 will be the interface that is connected to a larger corporate network… looks something like this:

    WAN
    LAN - Management network (syslog, vCenter, AD)
    OPT1 - Web servers
    OPT2 - Cisco network connected to a firewall that is connected to a large network controlled by someone else
    We are trying to get NAT and port forwarding in place for OPT2 to point to the OPT1 network, because there are IP conflicts between OPT1 and the other controlled network connected to OPT2.

    I would have thought that the port forwarding would have handled everything and I would not need to do NAT, but I guess it makes sense for the responding packets.

    Would my source be the OPT1 network,
    destination would be OPT2,
    and the NAT address the virtual IP?

    Would I configure this in the outbound NAT??

    I have looked a little bit but I am trying to figure out the source, destination and translation.

    I have found that the MTU seems to be an issue for me; any insight on the best way to control this problem?

    Thanks



  • Port forwarding will handle connections originating inbound, but not those originating from within. You must use AON to handle those types of connections.
    You said IP conflicts, which means to me that you have them on the same subnet. There will be no routing in that case, and you will need to create a different subnet if you want to have a firewall or router in between them. Not sure why MTU would make any difference if both are in a 10/100 network.
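To make the "port forward plus outbound NAT" advice concrete, here is an added example (not from the thread, and not pfSense's own generated ruleset) of the pf rules that the Port Forward and Outbound NAT tabs correspond to, written as a small script that emits them and syntax-checks them with `pfctl -nf` when pf is present. Assumptions: the interface names em3 (OPT3, 192.168.6.254/24, with 192.168.6.51 configured as an IP Alias virtual IP so pfSense answers ARP for it) and em2 (OPT2, 172.31.17.254/24) are made up for illustration, 172.31.17.82 is the Tomcat host from the first post, and the `max-mss` scrub line is the pf equivalent of the per-interface MSS clamping setting, included because of the MTU problem discussed above.

```shell
#!/bin/sh
# Added example: the pf rules behind a pfSense port forward from an OPT
# interface to a server on another OPT interface, with the outbound NAT that
# forces replies back through the firewall. Interface names are assumptions.

# write_ruleset OUTFILE OPT3_IF OPT2_IF OPT2_ADDR VIP TARGET PORT
# Writes the ruleset to OUTFILE and returns 0 if pfctl accepts it (or, on a
# host without pf, if the file was written).
write_ruleset() {
    out=$1 opt3=$2 opt2=$3 opt2_addr=$4 vip=$5 target=$6 port=$7
    cat > "$out" <<EOF
# Clamp TCP MSS on the interface facing the routed 172.20.20.0/24 path so
# segments never need fragmentation (pfSense: the interface MSS field).
scrub in on $opt3 all max-mss 1400

# Port forward: clients arriving on OPT3 hit the VIP; pf rewrites the
# destination to the real server (pfSense: Firewall > NAT > Port Forward).
rdr on $opt3 proto tcp from any to $vip port $port -> $target port $port

# Outbound NAT on the server-side interface: the server sees the firewall's
# own address as the source, so its replies return via pfSense even when the
# client's network overlaps with something else the server can route to
# (pfSense: Firewall > NAT > Outbound, manual/AON mode).
nat on $opt2 proto tcp from any to $target port $port -> $opt2_addr

# Filter rules are evaluated after rdr, so pass the translated destination.
pass in quick on $opt3 proto tcp from any to $target port $port
EOF
    # Dry-run parse where pf exists; elsewhere only confirm the file is non-empty.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"
    else
        [ -s "$out" ]
    fi
}

# Usage (addresses from the thread, interface names assumed):
#   write_ruleset /tmp/optfwd.conf em3 em2 172.31.17.254 192.168.6.51 172.31.17.82 443
```

Two things worth checking against this when the GUI version "gets nothing": the filter rule on OPT3 must allow the translated destination (172.31.17.82:443), not the VIP, and the outbound NAT rule must live on the server-facing interface, with the server's address as the destination and the firewall's address on that interface as the translation.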



  • Update: the port forwarding that I am using is originating from the OPT3 interface, but I understand what you mean. The IP conflicts come from the other network that is behind a different firewall. We are both using NAT and port forwarding to create a workaround; hope that makes more sense. I have a different system administrator on the other side.

    After looking at and configuring a lower MTU on the Linux host, all is working great. I have read some other posts that pfSense has some troubles handling packet fragments, but it looked like that was for the older versions… there were a couple of solutions, but I could not find a solution that works for me. I am not sure if it is completely a pfSense problem because I only have problems with the Linux servers. Might be a combination... but a weird one... anyone else experience this and have any insight?

    podilarius... you had mentioned that I should be using AON.... would this resolve this issue, as I am not using this scenario currently and things are working?

    Thanks for your help



  • I like the granular control of AON. If it is working, let it work.

