NAT not working correctly…maybe

  • I have a https-only apache2 light duty utility server setup behind pfsense 2.1-release amd64 in ESXi 5.5. The server seems to be working 100% for machines behind pfsense. We need some remote access, so I set up a NAT rule:

    WAN(TCP):[port] –> [server]:443

    and the appropriate firewall rule was generated automatically by pfsense when the NAT rule was created. However no matter which WAN port I choose I am not getting a response from the server on the WAN side.

    External port scanners report that each port I have tried has not been opened. From my understanding, any port that is forwarded to an open port on another machine should be read as open. Therefore NAT must not be working correctly. However I have other forwarded ports and they are working fine. I have tried (none have been successful):

    -Forwarding to (server):80 since I have http forwarded to https.
    -Several different ports above 30000. The other ports I have forwarded across our network are in this upper range and are working just fine.
    -Checked the NAT and automatically generated firewall rule for errors, there were none that were obvious to me.

    Perhaps this is related: About a two months ago I was getting errors in the console: "calcru: runtime went backwards from xx usec to x usec for pid x" for several pids, including the kernel. These errors are reminiscent of the old HPET issue with pfsense 2.0 on ESXi, which I know was fixed (source: J. Pingle, pfsense email list). I'm not getting the errors at the moment but perhaps it's a regression, and it's related?

    I am stumped. Any ideas? I certainly understand that I need to learn more about networking (I'm no IT pro, I'm the most tech-savvy grad student in my research lab) so if I'm doing anything particularly stupid here please let me know.

    Edited: for clarity.

  • LAYER 8 Global Moderator

    And you sure your https server doesn't have a firewall blocking your access from outside its own network?  This is quite often the case.

    You sure your isp allows the ports your trying to forward?  Why would you not be forwarding 443 to 443?  You just list [port]

    Simple 2 second test, sniff on your wan – do you see the traffic come inbound say from your scan or someone outside your network trying to access?  If you see the traffic, do you see it leave the lan interface to your https server?

Log in to reply