New to pfsense



  • Hi

    I am New to pfsense and so far I really like it but I do have a small little prob and I hope someone can help me out with it and if this is the worng area for this ? please let me know and Ill move it to the right area anyway here is my prob I have 5 static IP address and as far as that goes it seems to be working ok I have all my port forwarders setup under NAT and got them going to all the right places well it seems to be anyway witch is where the prob some in I run a TeamSpeak server for example  on one of my IP's say its on a Domain (IP) and port as fellow
    mydomain.com or mydomain:9987
    my main TS server will work eather way with or with out the Port but the sec one is
    mydomain.com:2409

    anyway the prob is when some one comes in from the out side  to mydomain.com:9987 they come in with no prob works fine but if I try from internal (local) with the same address mydomain.com or mydomain.com:9987 or even with the outside IP address it Fails but if I use the internal IP (local IP) it will let me in with no prob and it didn't do this until I changed to pfsense so what do I have setup worng ? how can I fix this so I can access my internal stuff like I use toI hope this is clear and I hope U guys understand what I am trying to do thanks

    Sincerely
    tbarlow


  • Netgate Administrator



  • Ok ill try that Im now using the 1:1 tab im using the Firewall: NAT: Port Forward  tab but ill check it out thanks

    tbarlow



  • I did option 1 and it still don't work so ill keep working on it thx for the info

    tbarlow



  • If you have an internal DNS server you can map the DNS name to the local IP there.  I use an internal DNS server and create internal IP addresses for external DNS names.  For example, if I have a host the is blah.example.com and it maps to 100.234.123.1 as a public IP, I'll create an internal address for the same domain name to 10.0.1.2 if that's where it exists on my LAN.  So internally blah.example.com maps to 10.0.1.2 via my internal DNS.

    NAT reflection is a great thing, but I prefer to map internal IPs with an internal DNS server.



  • ok well the weird thing is the prob seems more with ports not the domain's or IP I can't even access my main IP internal or ports and its only some ports like port 80 port 25 port 110 they seem to work but porsts like say 9987 or 2409 they don't internal and if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

    tbarlow


  • Netgate Administrator

    Firstly try resetting the firewall states. Diagniostics: States: Reset: or rebooting the box. You may have some remaining states that are by passing reflection.

    Try option 2, split DNS, which is what tim is suggesting.

    Are the port forwards changing the ports? Is the TS server responding on port 9987 internally and externally?

    @tbarlow:

    if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

    This is exactly what I would expect to happen when NAT reflection is not enabled. You try to open a connection from an internal machine to your WAN address. The WAN address is not on you local subnet so the machine sends it to its gateway, the pfSense box. The pfSense box sees the destination is the WAN address and routes it accordingly to the WAN interface. It cannot then route it back as well. With NAT reflection enabled pfSense checks its port forwards to see if your connection matches and the routes it accordingly to the correct internal machine instead of the WAN address.

    Steve



  • @stephenw10:

    Firstly try resetting the firewall states. Diagniostics: States: Reset: or rebooting the box. You may have some remaining states that are by passing reflection.

    Try option 2, split DNS, which is what tim is suggesting.

    Are the port forwards changing the ports? Is the TS server responding on port 9987 internally and externally?

    @tbarlow:

    if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

    This is exactly what I would expect to happen when NAT reflection is not enabled. You try to open a connection from an internal machine to your WAN address. The WAN address is not on you local subnet so the machine sends it to its gateway, the pfSense box. The pfSense box sees the destination is the WAN address and routes it accordingly to the WAN interface. It cannot then route it back as well. With NAT reflection enabled pfSense checks its port forwards to see if your connection matches and the routes it accordingly to the correct internal machine instead of the WAN address.

    Steve

    Hi Steve

    The info below is unchecked so it is NAT Reflection  is enabled I thought that as well :(  but I will try what else U said and reset my firewall status and I have rebooted my router meany times

    Disable NAT Reflection for port forwards  Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Note: Reflection for port forward entries is skipped for ranges larger than 500 ports.

    Sincerely
    tbarlow



  • @stephenw10:

    Firstly try resetting the firewall states. Diagniostics: States: Reset: or rebooting the box. You may have some remaining states that are by passing reflection.

    Try option 2, split DNS, which is what tim is suggesting.

    Are the port forwards changing the ports? Is the TS server responding on port 9987 internally and externally?

    @tbarlow:

    if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

    This is exactly what I would expect to happen when NAT reflection is not enabled. You try to open a connection from an internal machine to your WAN address. The WAN address is not on you local subnet so the machine sends it to its gateway, the pfSense box. The pfSense box sees the destination is the WAN address and routes it accordingly to the WAN interface. It cannot then route it back as well. With NAT reflection enabled pfSense checks its port forwards to see if your connection matches and the routes it accordingly to the correct internal machine instead of the WAN address.

    Steve

    Hi Steve Still no go I tried what U said but its still not working these ports just don't want to work what else can I try?

    tbarlow


  • Netgate Administrator

    Try option2: split DNS.

    If you're using the pfSense dns forwarder, you will be unless you've deliberately chosen not to, go to Services: DNS Forwarder:
    Add a domain override for example mydomain.com to point at your internal server.

    Steve



  • @tbarlow:

    Still no go I tried what U said but its still not working these ports just don't want to work what else can I try?

    Does the server need to be configured to allow connections from the Internet?



  • I have noticed the same issues…

    Here is what I have...

    I have a server with a program that ONLY works with IP addresses (Can't use DNS).  The program is setup to point to one of my outside IP addresss.  It works from outside the network, but if I am internal, it doesn't work.

    I have "Disable NAT Reflection for port forwards" unchecked as per the document.  Internal DNS won't help my situation because it requires access by IP Address (not DNS).  It appears that "Disable NAT Reflection for port forwards" unchecked fixes all my HTTP, HTTPS, POP3, SMTP, and DNS issues internally, but doesn't fix the issue on odd ports like 9987 used in this example.

    To re-produce the problem, you can setup either a Telnet, FTP, or HTTP on port 9987 internally and try to access it with your internal IP and it won't work.  Firewall logs show nothing coming in that is being blocked.  So, I am looking for a temporary workaround that I could use to resolve this.

    Does anyone have any suggestions?

    Thanks!



  • @meluvalli:

    I have noticed the same issues…

    Here is what I have...

    I have a server with a program that ONLY works with IP addresses (Can't use DNS).   The program is setup to point to one of my outside IP addresss.   It works from outside the network, but if I am internal, it doesn't work.

    I have "Disable NAT Reflection for port forwards" unchecked as per the document.  Internal DNS won't help my situation because it requires access by IP Address (not DNS).   It appears that "Disable NAT Reflection for port forwards" unchecked fixes all my HTTP, HTTPS, POP3, SMTP, and DNS issues internally, but doesn't fix the issue on odd ports like 9987 used in this example.

    To re-produce the problem, you can setup either a Telnet, FTP, or HTTP on port 9987 internally and try to access it with your internal IP and it won't work.  Firewall logs show nothing coming in that is being blocked.   So, I am looking for a temporary workaround that I could use to resolve this.

    Does anyone have any suggestions?

    Thanks!

    Same Prob here:)



  • Please post screen shots if your Firewall rules.

    Have you tried connecting to the internal machine with its internal IP address?  If you can access your resources internally with their IP addresses, don't beat yourself up if NAT Reflection isn't working properly.  I run internal DNS and don't use NAT Reflection because some of the systems I use and how I use them work more efficiently with internal DNS.



  • Hi Tim.

    Unfortunately, using DNS will not work.  Once again, the program is hard coded in as an IP address.  I can't change this.  So, I need to figure out why just higher ports don't work with NAT reflection.  NAT reflection works great for lower ports such as HTTP (80), HTTPS (443), SMTP (25), POP3 (110), and FTP (21).  Just isn't working for higher ports.  This isn't a firewall issue.  This is a NAT Reflection glitch.  My question is, is there a way around this?

    Thanks


  • Netgate Administrator

    @meluvalli:

    To re-produce the problem, you can setup either a Telnet, FTP, or HTTP on port 9987 internally and try to access it with your internal IP and it won't work.

    I think you must have left something out here because I am absolutely confident that if I setup up a web server on my internal network that runs on port 9987 and then tried to access it directly from the same network at http://192.168.1.34:9987 it would work.

    Presumably it's the client half of your program that can only use IPs directly?

    One thing that occurs to me is that the server program itself may be configured to always use an external gateway of some sort such that it is unable to route back to internal address.

    Steve



  • Hi Steve..   Sorry, maybe I didn't make it real clear.  I am using my external address to access it.  So, with your same test, lets say your external IP address is 60.54.1.23…   From internal on another client, you would want to access http://60.54.1.23:9987 and it will fail.

    Also note, that it works fine if you are outside your internal network.  This is why I am thinking it is not a firewall issue as it works from outside the network!

    Thank you.



  • Forgive me for not completely understanding, but you have a server that lives on your internal network with a local (internal) IP address.  And you have clients that access that server with a hard-coded IP address and port using an external IP address.  And you cannot change the IP address of these clients or any other networking information?  Seems odd that in this day and age people would set something up like that, but that's IMHO.

    If you want to host a Teamspeak server internally and make it accessible from internal and external IP addresses, I can help you with that.  I've done that countless times, and I authored the "How To" post in the forums for Mac users.


  • Netgate Administrator

    Ah, OK.
    I agree with Tim that not being able to use a URL instead of an IP seems quite archaic.  ;)
    You could setup a manual port forward for that on the LAN interface. I don't know why NAT reflection wouldn't take care of that for you though. You can specifically disable it for each port forward, I assume you haven't done that?

    Steve




  • @stephenw10:

    Ah, OK.
    I agree with Tim that not being able to use a URL instead of an IP seems quite archaic.  ;)
    You could setup a manual port forward for that on the LAN interface. I don't know why NAT reflection wouldn't take care of that for you though. You can specifically disable it for each port forward, I assume you haven't done that?

    Steve

    No.  I haven't done that.

    As far as creating a forward on the LAN side, I have tried putting in the NAT Port Forward rule as you show in your example.  This also didn't solve the problem :(   I even tried setting "NAT Reflection" in the rule to "enable" and still nothing :(  Any other recommendations?  By looking at that, it really seems like it would work :(…

    Thanks for all your help!




  • @tim.mcmanus:

    Forgive me for not completely understanding, but you have a server that lives on your internal network with a local (internal) IP address.  And you have clients that access that server with a hard-coded IP address and port using an external IP address.  And you cannot change the IP address of these clients or any other networking information?  Seems odd that in this day and age people would set something up like that, but that's IMHO.

    If you want to host a Teamspeak server internally and make it accessible from internal and external IP addresses, I can help you with that.  I've done that countless times, and I authored the "How To" post in the forums for Mac users.

    TS is not a prob I can use the internal IP and port for it I can even use internal DNS as someone said above option 2 split DNS that file for the TS prob, the prob is I am working on a project that has to use the out side IP DNS is not an option and the IP is hard coded into the client exe file witch is used both inside and outside my network but I will also like to know Y only the higher IP's are giving me prob 25,110,443,80 they all seem to work for the most part anyway even if someone has a work around I will be fine with that just let me know I am working on 2 projects 1 I have no control over it can't use DNS local but the second one I might I will check into it and see what I can do since I have full control over it i'll see what I can do thanks

    Sincerely
    tbarlow



  • This thread might help; long shot though.  http://forum.pfsense.org/index.php/topic,61201.0.html

    Can you post your NAT and Firewall rules?  Screen shots will speak volumes.


  • Netgate Administrator

    I think that option (in the linked thread) only applies to 1:1 NAT. It's interesting though.

    Steve



  • Hi Steve.

    Did you happen to see my screenshot?  Did it look like I was doing that correctly?  Because it didn't work either :(

    Any other thoughts?


  • Netgate Administrator

    Hmm, I'm not sure if you should have NAT reflection enabled on that internal port forward or not.  :-
    With changes like this, especially if you have already been trying various connections, you may have to clear the state table to force the new rules to take effect.

    Steve



  • Steve - I cleared state and no change :(

    After I cleared state and tried again, I looked in state to see what it says for that port.  I am attaching that.

    Do we have any other recommendations??? :(

    Thanks



Log in to reply