NAT port forwarding dilemma from pfsense noob
-
Let me reassure everyone reading this message that I have searched and searched this site and many others before I posted this question.
I am currently trying to migrate my firewall/gateway services away from a SNAPgear (now Cyberguard, I think) SME550 to an old PC running pfsense.
Here's my current setup...
On the WAN side coming from my ISP I have 5 static IP addresses XX.XX.XX.34 --> XX.XX.XX.38 with a subnet mask of 255.255.255.248
On my LAN side I have 192.168.XX.1 --> 192.168.XX.254. My SNAPgear box is currently at 192.168.XX.1 on the LAN side and running DHCP for my local network. The outside address is XX.XX.XX.34. It is currently acting as the gateway to the internet for the local network. I also have NAT port forwarding rules (called "Destination NAT") to route port 80 packets coming in on an aliased WAN port of XX.XX.XX.37 to allow outside access to a WIN2K server at 192.168.XX.10. All in all the setup SEEMED to be very similar to the way it is set up on the pfsense interface.
I have a PC running pfsense with 2 NIC interfaces (1 WAN / 1 LAN) running as a test configuration platform (I want to make sure everything works before I pull the plug on the SNAPgear device!). The WAN is set at XX.XX.XX.37/29 and the LAN is at 192.168.XX.2. When I am inside the firewall, and I change an inside client to use 192.168.XX.2 as the router/gateway, I have no problems getting out to the internet. I also have succeeded in setting up the pfsense box as a PPTP server and can connect to it from the outside without a hitch.
Now, when I try to set up a Virtual IP for my unused WAN static IP of XX.XX.XX.38 (Proxy ARP) and set up a NAT port forwarding rule to give outside access to port 80 of the WIN2K server (192.168.XX.10) from XX.XX.XX.38, it fails. I have checked the rules created by the NAT rule and they seem to be correct. I've tweaked this and disabled that without success. No matter what I seem to try, I go to my browser on the outside, punch in "http://XX.XX.XX.38" and get timed out.
Am I going about this all wrong? I took what I know to work from the SNAPgear and applied it to the pfsense config without success. All I need to do is get this one thing working and I can start using pfsense and ditch the SNAPgear box.
I've looked all over the forums, pfsense doc site, monowall documentation. HELP!
-
I might be wrong here but isn't .38 your broadcast address?
-
So you've a network of x.x.x.32/28? Network address of .32 and broadcast of .39.
You may be getting tripped up by routing. The outbound packets from the Win2K host will probably go out on the .34 address but incoming packets are for the .38 address. I'm pretty sure this has come up before in this forum, but I may be wrong.
-
Here's what my ISP shows as my block of addresses:
Number of Public IP Address Blocks: 5
Public IP Address Range: XX.XX.XX.34 to XX.XX.XX.38
Subnet Mask IP Address: 255.255.255.248
Default Gateway IP Address: XX.XX.XX.33
Shouldn't my broadcast be XX.XX.XX.39?
So, if I'm correct, my block is XX.XX.XX.33/29
That should allow me to use XX.XX.XX.38 for the inside address of 192.168.XX.10. Right?
-
Correct, but see my comment on routing issues.
-
I just read my original message and realized that I may have been too vague about the routing.
My SNAPgear router has an outside of XX.XX.XX.34. I established a WAN alias (which is the same as Virtual IP in pfsense) on the SNAPgear device for XX.XX.XX.37 which forwards all port 80 requests to an inside host (192.168.XX.10).
Also for the sake of clarification, there is nothing set up on 192.168.XX.10 regarding the outside world or the SNAPgear device. As far as it's concerned, it's receiving outside requests the same as it does for the inside.
Hope I'm communicating this well enough, and thanks for the replies!
-
At this point a diagram, with IP Addresses, is required.
It would also be useful to know what default gateway the 192.168.x.10 host has set.
-
First off, let me change my subject line for this post to "NAT port forwarding stupidity from no common sense BOOB".
Cry Havok patiently asked me what the default gateway was for 192.168.XX.10.
The answer? THE WRONG ONE. It was set for 192.168.XX.1!!! Upon changing it to 192.168.XX.2 (the LAN for my pfsense box), everything worked just like it's supposed to.
I should be embarrassed (and I am). ::)
Thanks to all who replied, especially Cry Havok, who helped me trip over the obvious! It's always the little things…
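Two things tripped this thread up: working out which addresses in the ISP's /29 are usable (the ".38 is broadcast?" question), and the return path of the forwarded connection (the Win2K host's default gateway still pointing at the old SNAPgear). The script below is an added example, not code from the thread or from pfSense; the 203.0.113.x and 192.168.1.x values are constructed stand-ins for the masked XX.XX.XX addresses, and `diagnose` is a hypothetical helper that reports both checks for a given inside host.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values standing in for the masked addresses in the thread.
ISP_MASK = "255.255.255.248"
ISP_GATEWAY = ipaddress.IPv4Address("203.0.113.33")
OLD_ROUTER_WAN = ipaddress.IPv4Address("203.0.113.34")  # SNAPgear outside address
PFSENSE_WAN = ipaddress.IPv4Address("203.0.113.37")     # pfSense WAN
VIP = ipaddress.IPv4Address("203.0.113.38")             # Proxy ARP virtual IP for port 80
OLD_ROUTER_LAN = ipaddress.IPv4Address("192.168.1.1")   # SNAPgear LAN side
PFSENSE_LAN = ipaddress.IPv4Address("192.168.1.2")      # pfSense LAN side
WIN2K = ipaddress.IPv4Address("192.168.1.10")           # forwarded-to web server


def block_from_mask(any_addr, mask):
    """Derive the ISP block from any address in it plus the mask (strict=False clears host bits)."""
    return ipaddress.IPv4Network(f"{any_addr}/{mask}", strict=False)


def classify(addr, block):
    """Tell network address, broadcast, usable host and out-of-block addresses apart."""
    if addr not in block:
        return "outside"
    if addr == block.network_address:
        return "network"
    if addr == block.broadcast_address:
        return "broadcast"
    return "host"


def assignable(block, gateway):
    """Addresses you may actually put on a firewall: hosts() already drops network/broadcast."""
    return [a for a in block.hosts() if a != gateway]


@dataclass
class InsideHost:
    ip: ipaddress.IPv4Address
    default_gateway: ipaddress.IPv4Address


def forward_will_work(host, nat_lan_ip):
    """The forwarded SYN is translated by the firewall at nat_lan_ip; the host has no route to the
    outside client, so its SYN-ACK follows its default gateway. If that is a different router the
    reply never passes back through the NAT state and the outside browser simply times out."""
    return host.default_gateway == nat_lan_ip


def diagnose(host, nat_lan_ip):
    """Findings for the thread's symptom ("http://VIP" times out); an empty tail means all good."""
    block = block_from_mask(OLD_ROUTER_WAN, ISP_MASK)
    out = [f"block {block}, broadcast {block.broadcast_address}, {VIP} is a {classify(VIP, block)}"]
    if not forward_will_work(host, nat_lan_ip):
        out.append(f"asymmetric return path: {host.ip} replies via {host.default_gateway}, "
                   f"not via the forwarding firewall {nat_lan_ip}")
    return out
```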