Possible to PortForward WAN -> LAN -> LAN ?



  • Is it possible to port forward to a subnet other than the LAN hanging off pfsense, like so:

    WAN --> pfSense --> LAN (192.168.1.0/24) --> RouterA --> LAN (192.168.2.0/24) --> Server (192.168.2.128/24).

    My SMTP example. If I put the mail server at 192.168.1.128 in the first subnet hanging off pfSense, port forwarding works. If I move the server into the second subnet (@192.168.2.128) and change the port forward rule to 192.168.2.128 (firewall rule changes too), it does not.

    Supporting info:

    1. Yes, pfSense has a static route for 192.168.2.0/24 via RouterA.
    2. RouterA's default route is the LAN side of pfSense.
    3. Mail server @ 192.168.2.128 can send mail out OK (and browse web OK).

    Lastly, as a user of IPCop, Smoothwall, Astaro, PIX and Borderware... pfSense is really good.



  • According to your diagram, pfSense has to NAT to 192.168.1.0/24
    Routing and NATting between the two local subnets .1.0/24 and .2.0/24 has to be done by your RouterA.

    In your configuration pfSense doesn't have an interface for 192.168.2.0/24 where it could NAT to.
    Maybe adding another interface to your pfSense with the subnet 192.168.2.0/24 could get rid of RouterA and solve this nicely…

    Somebody correct me if I'm wrong, please!



  • @jahonix:

    Maybe adding another interface to your pfSense with the subnet 192.168.2.0/24 could get rid of RouterA and solve this nicely…

    Yep, I could do that; however, to simplify things my diagram above is only a subset of the whole LAN (RouterA services a whole bunch of subnets/branches/business units). We don't want the Internet firewall to take on the internal LAN routing load/role.

    Just to clarify, Internet access out from 192.168.2.0/24 is working. Servers & PCs in 192.168.2.0/24 can browse the web, and I can make subnet-specific rules in pfSense and they are honoured. In fact I have PCs/servers @:

    192.168.3.0/24 --> RouterB --> 192.168.2.0/24 --> RouterA --> 192.168.1.0/24 --> pfSense --> WAN/Internet

    ...browsing out OK with 192.168.3.0/24-specific rules in pfSense.

    Mail is also getting out from 192.168.2.128 OK - it is just the "pin hole"/"port forwarding" of mail (or anything else like HTTP etc.) that I would like to "get in", not only to 192.168.1.0/24 but to other internal subnets.

    I am pretty sure (not 100% sure) I have done this with MS ISA and Astaro before. However, if I am asking for something NATing/port forwarding can't do in any product, I can always get RouterA to also NAT SMTP/HTTP, but I want to avoid double NATing if I can.



  • Well, outbound usually is not the problem when all routers push traffic to the gateway. The direction is specified.

    It is my understanding that pfSense can only NAT to its own subnets.
    For your pfSense at 192.168.1.0/24 an address in the subnet of 192.168.2.0/24 is out of bounds.
    Maybe opening up the range at the pfSense side to something like 192.168.1.0/16 can help here. That's what I would try.

    Please, someone with deeper knowledge chime in here! …



  • Forget it - got it working. :)

    When you create a normal "Port Forward" rule (as in, to a server in the subnet hanging directly off pfSense (192.168.1.128 in my example)) and have "Auto-add a firewall rule to permit traffic through this NAT rule" ticked, it does what it says it will do and auto-creates a "WAN" firewall rule to 192.168.1.128 as well. It is the combination of the "Port Forwarding" rule directing packets and the "Firewall Rule" allowing packets that lets it work.

    However, when creating a "port forwarding" rule to a server in a subnet not directly off pfSense (i.e. 192.168.2.128), the auto-created "WAN Firewall Rule" is not enough.

    Turns out you also need a manually created "WAN Firewall Rule" to RouterA as well!

    So in my SMTP example I have:

    1. A Port Forward rule for SMTP to 192.168.2.128.

    2. The auto-created "WAN Firewall Rule" allowing SMTP to 192.168.2.128.

    3. A manually created "WAN Firewall Rule" allowing SMTP to RouterA (in my case 192.168.1.253, with pfSense being 192.168.1.254).

    4. Alternately I could have created an "ANY" rather than SMTP "WAN Firewall Rule" to RouterA, so when I come to do an HTTP port forward the auto-created "WAN Firewall Rule" will be enough!

    In the end this seems obvious. Maybe pfSense could pop up a dialog if you create a "port forward rule" to a subnet not directly hanging off pfSense, stating that more firewall rules may be needed.

    However, as is, pfSense is really good.



    Oh sorry - jahonix aka Chris - thanks for your quick response. It was only because I had to explain my case to you that I figured out what was wrong.

    PS

    Just to complete the picture, an email server in the third subnet 192.168.3.128 also works (with only 1 extra manual WAN firewall rule to RouterA - seems pfSense does not care about RouterB, only RouterA (as it has an IP in the subnet directly hanging off pfSense, I guess)).



  • @SecureMe:

    However, when creating a "port forwarding" rule to a server in a subnet not directly off pfSense (i.e. 192.168.2.128), the auto-created "WAN Firewall Rule" is not enough.

    Turns out you also need a manually created "WAN Firewall Rule" to RouterA as well!

    This isn't necessary. I'm doing something exactly like you describe with multiple subnets behind a router on pfsense's LAN and have no such rules.



  • @cmb:

    This isn't necessary. I'm doing something exactly like you describe with multiple subnets behind a router on pfsense's LAN and have no such rules.

    CMB - can't doubt someone with your status, but what I can do is tell you what is happening in my case.

    A) As per what I thought was the solution, I now have a happily working email server in a subnet not directly attached to pfSense.
    B) I disable or delete the manual "WAN Firewall Rule" to RouterA and it stops working (can't open a "telnet pfsense-wan-ip 25" or anything). At this point rules 1) and 2) in my above post are still there.
    C) I enable or add the "manual" rule back in and it works again.

    So obviously there must be something else I am not doing right elsewhere that meant I had to add this rule in to get it to work - any ideas?



  • Chris Buechler, could you please clarify this to me?
    Just to get my networking knowledge straight, who has to NAT to which destination?

    Thanks for your time.



    Hi Chris. Not 100% sure what you are after, so I will just give more exact details of my situation. I hope somewhere in here you get what you are after.

    Simple answer - pfSense has to "PortForward" packets targeted at my WAN Interface to servers I have on my LAN - simple!

    Issue is, the LAN is not the LAN as defined as "LAN" in pfSense (shall we call the LAN off pfSense: pfSense_LAN). The only way pfSense knows about this other LAN (shall we call it Server_LAN) is via a manually entered "Static Route" in pfSense.

    Some IPs to illustrate the answer - pfSense only has two NICs in this question. Say the WAN interface is 69.64.6.13 and the LAN is 192.168.1.254 servicing 192.168.1.0/24 (or as defined above "pfSense_LAN") - again, very simple!

    On this LAN there is also an internal un-firewalled router @ 192.168.1.253 with a second interface of 192.168.2.253 that services subnet 192.168.2.0/24 (or "Server_LAN"). This router (RouterA) has a default route to pfSense (i.e. 192.168.1.254). pfSense knows how to get to 192.168.2.0/24 because I have entered a static route to 192.168.2.0/24 via 192.168.1.253.

    So simply:

    pfSense WAN IP = 69.64.6.13
    pfSense LAN IP = 192.168.1.254/24
    pfSense Static route 192.168.2.0/24 via 192.168.1.253

    That is about the extent of the pfSense config (i.e. rest default). There are obviously "LAN Firewall Rules" allowing DNS, web browsing and SMTP out. The rules cover both 192.168.1.0/24 and 192.168.2.0/24 and always just worked (i.e. the NATing per se just worked, even for 192.168.2.0/24).

    RouterA NIC1 IP = 192.168.1.253/24
    RouterA NIC2 IP = 192.168.2.253/24
    RouterA default route 192.168.1.254

    So taking my SMTP example, traffic flow goes something like:

    Email packet directed at port 25 on IP 69.64.6.13 --> 69.64.6.13 on pfSense || pfSense lookup of port forward rule for port 25 = 192.168.2.128 || pfSense static routing says 192.168.2.128 can be found off router 192.168.1.253 || pfSense NIC 192.168.1.254 --> Port 25 on 192.168.1.253 on RouterA || RouterA @ 192.168.2.253 --> Port 25 on 192.168.2.128 || mail service on server.

    Now, when I just entered the "PortForwarding" rule in pfSense for mail to be redirected to 192.168.2.128, it simply did not work. Note that creating this rule in pfSense actually creates two rules in pfSense (if you have the tick box selected).

    1. A Port Forward rule for traffic arriving on port 25 on 69.64.6.13 to be redirected to 192.168.2.128.
    2. The auto-created "WAN Firewall Rule" allowing any traffic to port 25 @ 192.168.2.128.

    As I say, for me this did not work. Apparently it should, and hopefully "cmb" or someone can explain how.

    For me, however, I had to manually create another "WAN Firewall" rule to get it to work:

    1. A manually created "WAN Firewall Rule" allowing traffic from pfSense to port 25 on RouterA (192.168.1.253).

    How I came up with the rule was, if you look at my traffic flow wording above:

    …253 || pfSense NIC 192.168.1.254 --> Port 25 on 192.168.1.253 on RouterA || RouterA...

    I realized there was no rule allowing this and that is what the manual rule does.

    So Chris - have I made it more confusing?

    Jason
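As an added illustration of the traffic flow Jason lays out above (this is constructed example code, not from the thread or from pfSense itself), a small Python model that applies the port-forward entry, looks up the static route to find the next hop, and checks a WAN rule list against the translated destination. It assumes, as the target of the auto-created rule suggests, that WAN rules are matched on the post-NAT address; RouterA's own forwarding is not modelled, and the `AUTO_RULE`/`ROUTERA_RULE` names are this example's.

```python
import ipaddress

# Constructed model of the thread's layout; addresses are the ones the poster gave.
WAN_IP = ipaddress.ip_address("69.64.6.13")

# Port-forward (DNAT) entries: (WAN address, port) -> (internal address, port)
PORT_FORWARDS = {(WAN_IP, 25): (ipaddress.ip_address("192.168.2.128"), 25)}

# pfSense routing table: the connected LAN and the manual static route via RouterA.
# A None gateway means "directly connected"; the longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_address("192.168.1.253")),
]

# WAN rules as (destination network, port or None for "any"), hypothetical names.
AUTO_RULE = (ipaddress.ip_network("192.168.2.128/32"), 25)   # auto-added by the NAT rule
ROUTERA_RULE = (ipaddress.ip_network("192.168.1.253/32"), 25)  # the poster's manual rule


def dnat(dst_ip, dst_port):
    """Apply the port-forward table; unmatched packets keep their address."""
    return PORT_FORWARDS.get((dst_ip, dst_port), (dst_ip, dst_port))


def next_hop(dst_ip):
    """Longest-prefix lookup: returns 'connected', a gateway address, or None."""
    dst_ip, best = ipaddress.ip_address(dst_ip), None
    for net, gw in ROUTES:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None          # no route (this model has no default route)
    return "connected" if best[1] is None else str(best[1])


def wan_rule_permits(dst_ip, dst_port, rules):
    """Assumption modelled here: WAN rules see the post-NAT destination."""
    return any(dst_ip in net and port in (None, dst_port) for net, port in rules)


def trace_inbound(dst_ip, dst_port, rules):
    """Follow one inbound packet: DNAT, then WAN rule check, then route lookup."""
    nat_ip, nat_port = dnat(ipaddress.ip_address(dst_ip), dst_port)
    return {
        "translated_to": (str(nat_ip), nat_port),
        "permitted": wan_rule_permits(nat_ip, nat_port, rules),
        "next_hop": next_hop(nat_ip),
    }


if __name__ == "__main__":
    print(trace_inbound("69.64.6.13", 25, [AUTO_RULE]))
```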



  • @SecureMe:

    …via a manually entered "Static Route" in pfSense...

    So Chris - have I made it more confusing?

    Oh boy, I was busy recently. Didn't realize that I was that far off the track...
    Of course, a static route in pfSense makes perfect sense and is the missing brick I was looking for.

    Thanks Jason for your rather long explanation! Even I got it now.

    I'll shut up now and have some sleep...  :-X

