Netgate Discussion Forum

    Problem with host in DMZ and NAT

    NAT
    larryG

      Hi, my knowledge of NAT and networking is pretty good, but here I'm really out of ideas how to reach my https server from outside the WAN interface. Here are the settings:
      WAN if -> static 192.168.179.21/32. GW is a VDSL router with the public IP (guest interface). Acts as GW 192.168.179.1
      LAN if -> static 192.168.111.111/25. GW is 192.168.111.50 which is the same VDSL box.
      DMZ if -> static 192.168.2.1/24. The https server has 192.168.2.2 and ports 80, 443, 22 open. No firewall on it.

      My Rules:

      Firewall Rule:
      Proto  Source  Port  Destination  Port         Gateway
      TCP    *       *     192.168.2.2  443 (HTTPS)  *
      NAT Portforwarding:
      IF WAN
      Protocol TCP
      Source Address *
      Source Port 12555
      Destination ANY
      Destination port 443
      NAT IP : 192.168.2.2
      NAT port 443
      Description https server

      Outbound manual NAT:
      Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
      WAN        192.168.2.2/32  *            *            443               *            *         YES

      The strange thing is that I'm unable to connect to either port 443 or port 12555. My tcpdump on the testing host shows only SYNs, nothing else.
      What am I doing wrong here?
      Any help would be appreciated!

      pf version 2.0.2-RELEASE (i386)

      johnpoz LAYER 8 Global Moderator

        So your LAN is in the same physical network as your WAN?? (GW is 192.168.111.50 which is the same VDSL box.)  And your WAN is behind a NAT.. You normally would never give a LAN interface a GW..

        And you have a source port of Source Port 12555??  So you think someone wanting to talk to your server is ONLY going to come from a port of Source Port 12555??  Where did you come up with that as your source?  Source port is 99.99 of the time ANY..

        And why would you create an OUTBOUND nat to dest of 443?

        What I would do is start over!  If at all possible set your VDSL router to bridge mode so that your pfSense WAN actually gets a public IP.  Your LAN would be in its own private network and not have a gateway behind pfSense, and really 111.111/25, that's a pretty odd address to come up with??

        Then create your nat to your dmz, let it auto create the firewall rule.  And let your outbound nats be automatic..

        Port forwards should take you like 2 seconds to create and be working.  Click done is how simple it is!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        larryG
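        The source-port point made in the reply above, worked through as an added example (a Python toy model of first-match port-forward lookup written for this page, not pfSense or pf code): the first post's forward is replayed against constructed SYNs that arrive from random ephemeral source ports, beside the same forward with source port "any", and a small lint flags the fixed source port and the gateway on the LAN interface. All addresses, rule objects and function names below are constructed for the illustration.

```python
"""Toy model of pfSense/pf port-forward matching (constructed example, not pfSense code).
It shows why a port forward with a fixed *source* port almost never matches an
inbound connection, and lints the other setup mistakes raised in the thread."""
from dataclasses import dataclass
import ipaddress
import random

ANY = "*"  # wildcard, as in the pfSense NAT form


@dataclass(frozen=True)
class PortForward:
    interface: str
    proto: str
    src_addr: str        # "*" or CIDR
    src_port: object     # "*" or int
    dst_addr: str        # "*" or CIDR (normally the WAN address)
    dst_port: int
    nat_ip: str          # internal host the connection is redirected to
    nat_port: int


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_match(rule_addr, addr):
    return rule_addr == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(rule_addr, strict=False)


def _port_match(rule_port, port):
    return rule_port == ANY or rule_port == port


def first_match(rules, pkt):
    """First port-forward whose match fields all cover the packet (first match wins), else None."""
    for r in rules:
        if (r.interface == pkt.iface and r.proto == pkt.proto
                and _addr_match(r.src_addr, pkt.src) and _port_match(r.src_port, pkt.sport)
                and _addr_match(r.dst_addr, pkt.dst) and _port_match(r.dst_port, pkt.dport)):
            return r
    return None


def translate(rules, pkt):
    """Where the connection is redirected: (nat_ip, nat_port), or None if nothing forwards it."""
    r = first_match(rules, pkt)
    return (r.nat_ip, r.nat_port) if r else None


def lint_forward(rule, dmz_net):
    """Flag the port-forward mistakes discussed in the thread."""
    problems = []
    if rule.src_port != ANY:
        problems.append("source port is fixed; clients use random ephemeral source ports, so almost nothing matches")
    if ipaddress.ip_address(rule.nat_ip) not in ipaddress.ip_network(dmz_net):
        problems.append("NAT IP is not inside the DMZ subnet")
    return problems


def lint_interfaces(ifaces):
    """ifaces: {name: (cidr, gateway or None)}. Only the WAN should carry a gateway."""
    return [name for name, (_cidr, gw) in ifaces.items() if name != "WAN" and gw is not None]


# Constructed rules: the forward from the first post, and the same forward with source port "any".
BROKEN = PortForward("WAN", "TCP", ANY, 12555, ANY, 443, "192.168.2.2", 443)
FIXED = PortForward("WAN", "TCP", ANY, ANY, ANY, 443, "192.168.2.2", 443)
# Constructed interface config matching the first post (the LAN gateway is what the reply objects to).
ORIGINAL_IFACES = {"WAN": ("192.168.179.21/32", "192.168.179.1"),
                   "LAN": ("192.168.111.111/25", "192.168.111.50"),
                   "DMZ": ("192.168.2.1/24", None)}


def simulate(rule, n=1000, seed=1):
    """Send n constructed SYNs from random ephemeral ports (32768-60999) to the WAN
    address on port 443 and count how many the rule forwards."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        pkt = Packet("WAN", "TCP", "192.168.179.50", rng.randint(32768, 60999), "192.168.179.21", 443)
        if translate([rule], pkt) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    print("broken rule forwarded", simulate(BROKEN), "of 1000 SYNs")  # 0
    print("fixed rule forwarded", simulate(FIXED), "of 1000 SYNs")    # 1000
    print("forward problems:", lint_forward(BROKEN, "192.168.2.0/24"))
    print("interfaces with a stray gateway:", lint_interfaces(ORIGINAL_IFACES))
```

        The SYN-only tcpdump in the first post is exactly what this model predicts: a SYN whose source port is not 12555 matches no forward, so it is never redirected to 192.168.2.2 and no SYN-ACK ever comes back. The matcher is a deliberate simplification of pf's rdr evaluation (no state table, no rule ordering beyond first match), enough to show the effect of each match field.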

          OK, thanks for this. The setup is brand new, different IFs and IPs:
           WAN (wan)   -> vr1  -> 192.168.179.20/GW:192.168.179.1
           LAN (lan)   -> vr0  -> 10.0.0.5/GW:10.0.0.1
           DMZ (opt1)  -> vr2  -> 192.168.2.1
          The https server has 192.168.2.2/24
          When I'm trying to get the https page from a 192.168.172.xx client host, same problem. Lots of SYNs but nothing else. Automatic NAT, no manual NAT rules this time. See the rules:

          [attached screenshots: nat.jpg, wan.jpg, dmz.jpg]

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.