No x-forwarded-for with port forward NAT



  • Hi all.
    I have a strange problem, 2.0.1-RELEASE (amd64). I'm using NAT port forward to NAT my web server incoming traffic
    on to an Apache load balancer that is using mod_proxy.
    I have the same settings with different other firewalls (iptables/Fortinet/Checkpoint) and don't have that problem.
    When I look at the headers I see the PFS internal interface IP.
    I googled but found nothing on this, as well as in these forums.
    Is there an attribute I need to check in order for that to work, or am I missing something?

    Thanks
    Yan



  • NAT won't mess with anything inside your packets, so this is working as expected.



  • Are you trying to verify this from within your network or outside of your network?



  • I have tested both from inside the LAN and from outside; in both cases
    the results were the same, the x-forwarded-for shows one IP and it's the LAN interface IP.
    I have also tried to hit from behind a proxy that I have set up using squid; when I point this squid at other firewalls I have,
    the results are as expected, but in 2 cases where I have pfSense the results are the LAN interface IP only.

    These are the firewall rules I got from the conf file

    <rule>
      <source>
        <any></any>
      </source>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <destination>
        <address>192.168.0.4</address>
        <port>443</port>
      </destination>
      <associated-rule-id>nat_4f6b3e66ac6410.97810288</associated-rule-id>
    </rule>
    <rule>
      <source>
        <any></any>
      </source>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <destination>
        <address>192.168.0.4</address>
        <port>80</port>
      </destination>
      <associated-rule-id>nat_4f6b3ed0bcbd93.23368410</associated-rule-id>
    </rule>

    and this is the NAT settings

    <nat>
      <advancedoutbound>
        <rule>
          <source>
            <network>192.168.0.0/24</network>
          </source>
          <dstport>500</dstport>
          <target></target>
          <interface>wan</interface>
          <destination>
            <any></any>
          </destination>
          <staticnatport></staticnatport>
        </rule>
        <rule>
          <source>
            <network>192.168.0.0/24</network>
          </source>
          <sourceport></sourceport>
          <target></target>
          <interface>wan</interface>
          <destination>
            <any></any>
          </destination>
          <natport></natport>
        </rule>
      </advancedoutbound>
    </nat>


  • Try just TCP only. Web Traffic does not flow on UDP.



  • Port forwarding by NAT gateways doesn't touch packet content.

    The X-forwarded… you're referring to is only used by L7 http reverse-proxies (load-balancers etc)
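The point made in the replies above, as an added example that is not part of the thread: a NAT hop leaves the HTTP request untouched, so only the hop that actually proxies at layer 7 (here the Apache mod_proxy balancer) appends to X-Forwarded-For, and a backend should only believe entries appended by proxies it owns. The balancer address 192.168.0.4 comes from the poster's config; the client, squid and sample header values are constructed.

```python
import ipaddress
from typing import Optional

# Assumption: the backend behind the mod_proxy balancer treats only the
# balancer (192.168.0.4, from the thread) as a proxy whose XFF entries it trusts.
TRUSTED_PROXIES = {"192.168.0.4"}


def resolve_client_ip(remote_addr: str, xff: Optional[str], trusted: set) -> str:
    """Walk the forwarding chain right to left and return the first hop
    that is not one of our own trusted proxies.

    The TCP peer (remote_addr) is always the rightmost, most reliable hop.
    Every entry in X-Forwarded-For was written by whoever sent the request,
    so an entry is only believed if the hop that forwarded it to us is ours.
    A NAT device never appears here at all: it rewrites IP headers, not HTTP.
    """
    chain = []
    if xff:
        for part in xff.split(","):
            part = part.strip()
            try:
                ipaddress.ip_address(part)
            except ValueError:
                # Malformed header: fall back to the peer we actually talked to.
                return remote_addr
            chain.append(part)
    chain.append(remote_addr)
    for hop in reversed(chain):
        if hop not in trusted:
            return hop
    # Every hop was one of ours; the leftmost is the best we have.
    return chain[0]


if __name__ == "__main__":
    # Constructed scenarios (addresses other than 192.168.0.4 are made up).
    # 1. Client through the pfSense port forward only: no proxy, no header.
    print(resolve_client_ip("203.0.113.10", None, TRUSTED_PROXIES))
    # 2. Client via the mod_proxy balancer, which appended the peer it saw.
    print(resolve_client_ip("192.168.0.4", "203.0.113.10", TRUSTED_PROXIES))
    # 3. Client behind a squid that also set XFF; squid's claim is not trusted.
    print(resolve_client_ip("192.168.0.4", "10.1.1.5, 203.0.113.10", TRUSTED_PROXIES))
    # 4. Header supplied by the client itself with no proxy in the path.
    print(resolve_client_ip("203.0.113.10", "127.0.0.1", TRUSTED_PROXIES))
```

Scenario 1 shows the NAT case from the original question: with no layer-7 proxy in the path there is no header, and the real client address is simply the TCP peer.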

