2.0.1 NAT Problem (weird one ;) )



  • Hi, I'm having an issue with the NAT on a pfSense box at my office. I'm trying to reach MS-RDP (3389) and VNC (5900) from outside the office to inside on two specific servers (as I'm working part of the time from home).

    So first, to give you an idea, here is the configuration:

    • multiple WANs with multiple ISPs (OVH, FREE, SFR, etc.). Each one has its own modem connected to one interface card in the pfBox (192.168.10.1, 192.168.20.1, … 192.168.70.1)
    • 1 LAN (192.168.0.233 <- this is for historical reasons in the enterprise)
    • we have the squid package inside the pfBox (which is working well btw)
    • load balancing AND failover are working.
    • 192.168.0.215 and 192.168.0.250 are the servers I'm trying to reach from outside.

    The modems are configured to see the pfBox as the DMZ. Ex: the first modem is configured with the IP 192.168.10.254 and its DMZ is set to 192.168.10.1 (which is the IP of the interface on the pfBox it is connected to). So we're using the pfBox to filter everything.

    Here are my NAT rules:

    The firewall rules are created by the NAT itself.

    • I can access my servers from within the LAN network without problem, so it's not a configuration problem on the server itself.
    • When I connect my server to one of the modems and change the server IP to the DMZ IP of the modem, I can also access it from outside. So it's not a modem config problem.
    • But I can't access the server from outside when it is on the LAN subnet like on the schema.

    I've turned on logging on the firewall rules but nothing shows up, neither pass nor block.
    When I look at the states I can see this:

    On the interface settings page "Private networks" are not blocked (both unchecked).

    I tried to configure NAT to access the pfBox itself from outside for testing (I'll disable this after it works), so I created a rule to redirect :8081 to 192.168.0.233:8081. It's not working. Change that to redirect to 127.0.0.1:8081 and it's working.

    I've tried to NAT on each WAN and it's the same each time -> NOT WORKING. It's as if anything coming from the WAN can't access the LAN.

    The thing is, it had worked: I was using this setup last year and it was fine. I didn't use it for quite some time because I was working at another location, and when I came back to this one it wasn't working anymore.
    I have checked all the settings I can think of but nothing seems to make it work.
    One problem is I can't do heavy reconfiguration/reset on the pfBox as it's needed 24/7. I can do this, but if I have to cut the internet I have to warn everyone 24h before.

    If anyone has an idea of how I can solve this, big thanks.

    PS. We have another office with a similar setup but it's working perfectly fine there.



  • @Tochaga:

    I've turned on logging on the firewall rules but nothing shows up, neither pass nor block.

    This means that some other rule is catching it (check rules above and floating as well).



  • Thanks for the response but it's not this.
    There are only 2 floating rules (one for DNS on port 53 and one for HTTP on port 80).
    I've also cleaned all NAT rules and recreated the 3 from scratch but it's still not working.

    I have to say I've run out of ideas to solve this.



  • It should work, I just saw the screenshot for the states:
    No or wrong default gateway set on the server?

    Otherwise I'd say, do a packet capture on the LAN of pfSense while testing; you should see what's happening.



  • The pfSense has a default gateway set.
    The server I'm trying to reach uses the pfSense LAN IP (192.168.0.233) as gateway and DNS, like everything behind the pfSense set by the DHCP on the LAN interface. I have access to the internet from any computer on the LAN subnet.

    Packet capture on the LAN gives me this when I try to reach port 3389 from outside:
    20:49:37.470757 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:37.471012 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
    20:49:40.495602 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:41.898936 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
    20:49:46.491187 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
    20:49:50.550320 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0

    And yes, the server (0.215) is running well; I can access it from the LAN subnet.
    Thanks for trying to help.
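As an added example, not code from this thread or from pfSense, here is a small Python script that reads capture lines in the format pasted in the reply above and decides, per client flow, whether the LAN side is seeing the server's replies. The sample lines are a constructed copy of that capture (the "xx.xx" octets were already masked in the post), and the server address and port are the ones from the thread; the backoff heuristic and the verdict names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the six lines the poster pasted from the pfSense LAN packet capture
# ("xx.xx" octets were already masked in the post; 3580 is the client's source port).
CAPTURE = """\
20:49:37.470757 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
20:49:37.471012 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
20:49:40.495602 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
20:49:41.898936 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
20:49:46.491187 IP 82.230.xx.xx.3580 > 192.168.0.215.3389: tcp 0
20:49:50.550320 IP 192.168.0.215.3389 > 82.230.xx.xx.3580: tcp 0
"""

# One tcpdump-style summary line: "HH:MM:SS.usec IP host.port > host.port: tcp len".
# Hosts contain dots (and masked "xx" octets), so the port is split off at the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): tcp (?P<len>\d+)$"
)


def parse_capture(text):
    """Turn capture lines into tuples (seconds_since_midnight, src, sport, dst, dport, payload_len)."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised capture line: {line!r}")
        h, mi, s = m["ts"].split(":")
        seconds = int(h) * 3600 + int(mi) * 60 + float(s)
        packets.append((seconds, m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]), int(m["len"])))
    return packets


def looks_like_backoff(times):
    """True when successive gaps are each seconds long and roughly double the previous one,
    the shape of TCP SYN retransmission (the capture shows no flags, so timing is the only clue)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or any(g < 1.0 for g in gaps):
        return False
    return all(1.5 <= later / earlier <= 2.5 for earlier, later in zip(gaps, gaps[1:]))


def diagnose(packets, server_ip, server_port):
    """Group packets by client (ip, port) against server_ip:server_port and judge each flow."""
    flows = defaultdict(lambda: {"to_server": [], "from_server": []})
    for t, src, sport, dst, dport, _ in packets:
        if dst == server_ip and dport == server_port:
            flows[(src, sport)]["to_server"].append(t)
        elif src == server_ip and sport == server_port:
            flows[(dst, dport)]["from_server"].append(t)

    results = {}
    for client, f in flows.items():
        if not f["from_server"]:
            # Requests reach the server but it never answers: look at the server itself
            # (service listening, host firewall, default gateway).
            verdict = "server-not-answering"
        elif looks_like_backoff(f["to_server"]):
            # The server answers on the LAN, yet the client keeps retransmitting the same packet:
            # the replies are lost somewhere after the LAN interface, i.e. on the return path.
            verdict = "replies-not-reaching-client"
        else:
            verdict = "handshake-looks-normal"
        results[client] = {
            "client_packets": len(f["to_server"]),
            "server_packets": len(f["from_server"]),
            "verdict": verdict,
        }
    return results


if __name__ == "__main__":
    for (ip, port), r in diagnose(parse_capture(CAPTURE), "192.168.0.215", 3389).items():
        print(f"{ip}:{port} -> {r['verdict']} "
              f"({r['client_packets']} in, {r['server_packets']} replies seen on LAN)")
```

On the posted capture the script reports "replies-not-reaching-client": the server's answers are visible on the LAN interface, but the client resends from the same source port at about 3 s and then 6 s, which is the pattern of a SYN that never got its SYN-ACK. That narrows the problem to the path back from pfSense to the outside client rather than to the NAT rule or the server. In a multi-WAN deployment the usual thing to verify at that point is that the reply state is tied to the WAN interface the connection arrived on (pfSense does this with reply-to on the WAN rule, which can be lost if the rule was created with that option disabled or if a LAN rule with a gateway set policy-routes the server's traffic elsewhere), and a second capture on the WAN interface in question will show whether the reply leaves there at all.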

