Can't get multi-network NAT port forwarding to work



  • I have a small network behind a pfSense (2.0) box, installed on a VMware ESXi 5.5 host. Up until yesterday I had only one internal network, 192.168.0.0/24, and everything worked quite nicely. Now, however, I want to introduce another net, 172.16.10.0/24, which will be used for services exposed to the internet. I've set up an additional interface (called OPT1DMZ), and a server on this net. I have also added a NAT rule to forward ssh (port 22) on the WAN interface to the server I set up.

    Sadly, this was not enough to just work. If I try to ssh to my external address, I get a timeout. I've run tcpdump on both the OPT1DMZ interface on the pfSense box, and the interface on the server. I can see that traffic arrives properly to the server, but I don't see the server responding with any outbound traffic.

    Initially I thought I was missing some firewall rule to allow outbound from OPT1DMZ, but that doesn't seem to matter - I even added a pass-all-to-everywhere rule with logging turned on, but it doesn't turn up anything in the logs.

    I'm uncertain where to continue looking. If I try to ping anything not on the 172.16.10 net I just get 100% packet loss (i.e., not Destination not reachable). My routing table on the server looks like this:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.0.1     0.0.0.0         UG    2      0        0 enp2s0
    0.0.0.0         172.16.10.1     0.0.0.0         UG    3      0        0 enp2s1
    127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
    172.16.10.0     0.0.0.0         255.255.255.0   U     0      0        0 enp2s1
    192.168.0.0     0.0.0.0         255.255.255.0   U     2      0        0 enp2s0
    

    That is, enp2s0 is connected to the "first" net as well, for administrative access. Can that be the issue?



  • Update: I did an ifconfig enp2s0 down, and now it is possible to set up an ssh connection. My guess is that, because the enp2s0 interface has a lower metric for 0.0.0.0, it will try to send the reply that way. Is this correct? What can I do to remedy this?

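The remedy for the situation the poster describes, as an added example that is not from the thread: source-based policy routing on the dual-homed server, so that anything sourced from its DMZ address leaves via enp2s1 and 172.16.10.1 regardless of which default route has the lower metric in the main table. Interface names and the gateway are taken from the post; the server's DMZ address 172.16.10.10 and routing table number 100 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pin replies from the DMZ address to the
# DMZ gateway with source-based policy routing, so a dual-homed host does not
# answer WAN-forwarded connections through its lower-metric LAN default route
# (the stateful firewall only sees half of such a flow and drops the reply).
# Assumptions: iproute2 is installed, the DMZ address is 172.16.10.10 (constructed;
# the post only gives the gateway 172.16.10.1) and routing table 100 is unused.
# Set IP=echo to print the commands instead of applying them.
IP="${IP:-ip}"
DMZ_IF="${DMZ_IF:-enp2s1}"
DMZ_ADDR="${DMZ_ADDR:-172.16.10.10}"
DMZ_GW="${DMZ_GW:-172.16.10.1}"
DMZ_TABLE="${DMZ_TABLE:-100}"

# Install the policy route. The main table keeps both default routes untouched;
# only packets sourced from DMZ_ADDR are diverted to the dedicated table, whose
# single default route is the DMZ gateway. Returns non-zero on the first failure.
dmz_policy_route() {
    "$IP" route replace default via "$DMZ_GW" dev "$DMZ_IF" table "$DMZ_TABLE" || return 1
    # Adding the rule twice would duplicate it: remove any old copy first and
    # ignore the error when none exists.
    "$IP" rule del from "$DMZ_ADDR" lookup "$DMZ_TABLE" priority 100 2>/dev/null || true
    "$IP" rule add from "$DMZ_ADDR" lookup "$DMZ_TABLE" priority 100 || return 1
}

# Ask the kernel which path a reply to $1 sourced from DMZ_ADDR would take;
# after the fix the answer should name DMZ_IF and DMZ_GW rather than enp2s0.
dmz_check_reply_path() {
    "$IP" route get "$1" from "$DMZ_ADDR"
}

# Usage: sh dmz-route.sh apply      (IP=echo sh dmz-route.sh apply for a dry run)
# 198.51.100.1 is a documentation-range placeholder standing in for a WAN client.
case "${1:-}" in
    apply) dmz_policy_route && dmz_check_reply_path 198.51.100.1 ;;
esac
```

The rules and table do not survive a reboot; persist them in the distribution's network configuration once the dry run and the route-get check look right.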