Netgate Discussion Forum
    Port forwards from secondary double NAT gateway not working.

    27 Posts 3 Posters 8.2k Views
    kathampy:

      @kejianshi:

      OK - Good.  I'm glad it works for you, but I can't understand why it would work.
      I understand 2 WAN or more > pfsense and lots of options.
      I don't understand 1 WAN > pfsense > 2 LANs and 1 of those LANs into a switch attached to a switch that's attached to the LAN side of another modem.

      I'll watch to see what some of the more knowledgeable people come up with.  I couldn't make that work.

      It won't work unless you manually define outbound NAT rules. pfSense will NOT create outbound NAT rules if you simply set a gateway on LAN2. The rule should also exclude LAN1 to LAN2 traffic from being NATed.

    kejianshi:

        I'm not arguing - I'm watching.
        I'll be shocked and amazed if it works, but if it does I'll have learned something new.
        Looks like phil.davis has done this before, so you are in luck.  I'll just watch and learn.

    phil.davis:

          It won't work unless you manually define outbound NAT rules. pfSense will NOT create outbound NAT rules if you simply set a gateway on LAN2.

          Correct - basically when you add a gateway to an interface, pfSense treats that as a WAN for the purpose of generating automatic goodies - so if you give (what happens to be called) LAN2 a gateway, then I expect the automatic outbound NAT will make outbound NAT rules from LAN to WAN and LAN to LAN2 (treating LAN2 as another WAN). But it won't be able to 2nd-guess you and make outbound NAT rules from LAN2 to anywhere.
          As KurianOfBorg says, once you get the necessary manual outbound NAT rules defined, all the outbound client connections work fine.
          But I am struggling to think what might be happening to the incoming port forwards. If I get a chance I'll try it out on my Alix at home, I have 2 ISPs, 3 physical ports and can make ordinary LAN, primary wired ISP on WAN and a "LWAN2" that has other clients and a way out to the internet via a 2nd ISP on a NATd 3G device.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

    kathampy:

            @kejianshi:

            I'm not arguing - I'm watching.
            I'll be shocked and amazed if it works, but if it does I'll have learned something new.
            Looks like phil.davis has done this before, so you are in luck.  I'll just watch and learn.

            Another interesting fact is at the remote location, if I don't use a NAT router and use a remote PC with a public IP address instead, I am able to connect to the port forwards on LAN2GW and the response packets are coming from WAN's public IP address! You'd think the socket implementation on the OS would see the tuple is mismatched but the return packets are still arriving via a different route. A NAT router at the remote location would discard these packets, but Windows with a public IP address is not.

    kejianshi:

              This is interesting to me, assuming you get it to work, because someone was before trying to do something else I didn't think was very probable.  Trying to run an OpenVPN server at end 1.  Send a VPN client config to end 2.  Then have pfsense on end 1 be able to grab an IP at end 2 and NAT that public IP to all computers attached to pfsense at end 1 such that those computers at end 1 were surfing the web using end 2's public IP.  (VPN in reverse)

              As I said, I don't understand how this will work not having done it, but as with your scenario my first thought is "that shouldn't work".
              But, I'm wrong a bit, so if it does work that's cool.  I'll have learned something.

    kathampy:

                @phil.davis:

                As KurianOfBorg says, once you get the necessary manual outbound NAT rules defined, all the outbound client connections work fine.
                But I am struggling to think what might be happening to the incoming port forwards.

                Actually, servers do not even need any kind of outbound firewall rules. Simply forwarding a port from any WAN* interface to a LAN server will allow the server to communicate with the remote client. This works fine if I configure two interfaces WAN1 and WAN2 with public IP addresses. I am able to connect remotely through a WAN2 port forward even though WAN1 is the default gateway and even when there are no outbound firewall rules at all. Only the outbound NAT rule for WAN2 is required.

                This fails when WAN2 is a double NAT (in my case the LAN2 interface with LAN2GW manually set).

                Can you show me your port forward rule and the associated firewall rule and maybe the outbound NAT rule as well? Did you have to set the gateway explicitly on the associated firewall rule? I am not able to get this working even for local services on pfSense's LAN2 address where the only port forward is on the NAT modem to pfSense's LAN2 address.

    kathampy:

                  I found the problem. Even though the inbound rules were defined on the LAN2 interface, the responses were using the policy based routing rule on my LAN interface group rule for "* to * through WAN gateway". The associated firewall rules on LAN2 from the NAT port forward were not being used at all. I changed the LAN interface group rule to "LAN1/LAN2 to * through WAN gateway" so that it doesn't match the packets being forwarded by the NAT modem.

                  Now I am able to port forward to both pfSense as well as to LAN1 servers from the NAT modem on LAN2.
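The rule-ordering effect behind kathampy's fix, as an added illustration that is not part of the thread: a minimal model of pfSense's first-match evaluation (interface-group rules are checked before per-interface rules) run over constructed packets. The LAN subnets, the remote client address and the gateway names are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed, not taken from the thread).
LAN1_NET = ip_network("192.168.1.0/24")
LAN2_NET = ip_network("192.168.2.0/24")
REMOTE_CLIENT = "203.0.113.10"   # public host reaching the NAT modem's port forward


def rule(ifaces, src, gw):
    """A pass rule: interfaces it applies to, permitted source network, and the
    gateway its state is tied to (route-to for outbound, reply-to for inbound)."""
    return {"ifaces": ifaces, "src": ip_network(src), "gw": gw}


def first_match(rules, iface, src_ip):
    """First matching rule wins; return the gateway bound to that rule, or None."""
    src = ip_address(src_ip)
    for r in rules:
        if iface in r["ifaces"] and src in r["src"]:
            return r["gw"]
    return None


def group_rule_any():
    # The original LAN interface-group rule: "* to * through WAN gateway".
    return [rule(("LAN1", "LAN2"), "0.0.0.0/0", "WANGW")]


def group_rule_narrowed():
    # The fix: only traffic sourced from the LAN subnets is policy-routed out WAN.
    return [rule(("LAN1",), str(LAN1_NET), "WANGW"),
            rule(("LAN2",), str(LAN2_NET), "WANGW")]


# The filter rule the LAN2 port forward creates; pfSense ties its state to the
# interface's gateway (LAN2GW) so replies leave the way the request came in.
PORT_FORWARD_RULE = [rule(("LAN2",), "0.0.0.0/0", "LAN2GW")]


def reply_gateway(group_rules, iface="LAN2", src_ip=REMOTE_CLIENT):
    """Gateway used for replies to a packet arriving on `iface` from `src_ip`.
    Group rules are evaluated before the per-interface port-forward rule."""
    return first_match(group_rules + PORT_FORWARD_RULE, iface, src_ip)


if __name__ == "__main__":
    print("any-source group rule  ->", reply_gateway(group_rule_any()))       # WANGW
    print("narrowed group rule    ->", reply_gateway(group_rule_narrowed()))  # LAN2GW
```

With the catch-all group rule the packet the NAT modem forwards in on LAN2 is claimed by the WAN policy route, so the reply goes out the wrong gateway; narrowing the source to the LAN subnets lets it fall through to the port forward's own rule.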

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.