SOLVED: VIP reachable from OPT1 but not from LAN via OPT1 address



  • Hi there,

    I'm currently setting up a new firewall with pfsense to replace the old one.

    I have the following setup:

    WAN -----------|
                   |-----------------LAN
    OPT1-----------|

    fxp0 = LAN = 10.0.0.1
    ste0 = WAN = 10.0.10.10, Gateway 10.0.10.1
    ste1 = OPT1 = 10.0.20.10

    The VIP is 10.0.20.20, which is NATed to 10.0.0.254, where a webserver is running on port 80.

    If I do "telnet 10.0.20.20 80" on a host within the OPT1 net, it gets a connection to the webserver. If I do "telnet 10.0.0.254" from a host within LAN, I also get a connection.
    The problem starts when I try to connect from LAN to 10.0.20.20, since no data reaches the host behind 10.0.20.20. I ran Wireshark on it, and in this case no data was received at all.

    NAT:
    OPT1  TCP  80(HTTP)  10.0.0.254(ext. 10.0.20.20)  80(HTTP)

    Firewall rules:

    LAN
    Pass  *  Lan net  *  *  *  *

    WAN
    Block  *  RFC1918 networks  *  *  *  *

    OPT1
    Pass  TCP  *  *  10.0.0.254  80(HTTP)  *

    One more weird thing is that if I try to connect from LAN via the VIP, the firewall logs that the access was permitted, and I can't find any log entry (logging for all rules is currently enabled) saying that the answer was blocked. Even so, Wireshark on 10.0.0.254 doesn't log any incoming or outgoing data from or to 10.0.20.10.

    From my point of view my setup should be correct. Maybe I'm thinking wrong, but this was the idea:

    "telnet 10.0.20.20 80" from 10.0.0.x:
    10.0.0.x -> 10.0.20.10 -> 10.0.20.20 -(dnat)-> 10.0.0.254 -(snat)-> 10.0.20.20 -> 10.0.20.10 -> 10.0.0.x (happy)

    Since everything is happening on OPT1 addresses, the WAN interface shouldn't be involved at all (I'm thinking of wrong routing).

    One more thing I realized is that a traceroute from pfSense to the VIP fails.

    Maybe one of you can tell me, how I can get this done. If you need more information, just ask.

    Greetings,
    D.

    Edit:
    Here's the routing table
    default 10.0.10.1 UGS 0 1 1500 ste0
    127.0.0.1 127.0.0.1 UH 0 8 16384 lo0
    10.0.0 link#5 UC 0 1 1500 fxp0
    10.0.0.3 00:04:76:9e:83:6a UHLW 1 2985 1500 fxp0 1200
    10.0.20 link#2 UC 0 11 1500 ste1
    10.0.20.20 link#2 UHLW 1 0 1500 ste1
    10.0.10.0/24 link#1 UC 0 0 1500 ste0
    10.0.10.1 00:1c:58:ee:dd:44 UHLW 2 10 1500 ste0 1168

    And I found the following within "states" when trying to connect from LAN via telnet to the VIP:
    tcp  10.0.20.20:80 <- 10.0.0.3:51331  CLOSED:SYN_SENT
    tcp 10.0.0.3:51331 -> 10.0.20.20:80 SYN_SENT:CLOSED

    10.0.0.3 is the client I'm doing the connect from.

    Solution: After disabling "Disable NAT Reflection" under "System -> Advanced" it finally worked  :D


Locked
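The behaviour the poster ran into (forward works from OPT1, stalls from LAN) is the classic missing-hairpin case, and the "NAT reflection" setting that fixed it generates the extra translation rules pf needs. As an added example that is not from the original thread and not pfSense's generated ruleset, here is a hand-written pf.conf equivalent of what that setting provides. It assumes the interface/address layout from the post (fxp0 = LAN 10.0.0.0/24, ste1 = OPT1 with the VIP 10.0.20.20 as an alias, webserver 10.0.0.254); the macro names are my own.

```pf
# Assumed layout (from the forum post). Macro names are this example's, not pfSense's.
wan_if  = "ste0"
lan_if  = "fxp0"
opt1_if = "ste1"
lan_net = "10.0.0.0/24"
vip     = "10.0.20.20"
web     = "10.0.0.254"

# The VIP is an address alias on OPT1, so pf answers ARP for it there.
# (In pfSense this is the Virtual IP the poster created.)

# 1. The port forward from the post: requests arriving on OPT1 for the VIP
#    are redirected to the webserver. rdr is applied to inbound packets.
rdr on $opt1_if proto tcp from any to $vip port 80 -> $web port 80

# 2. NAT reflection, part one: the same redirect for requests that arrive on LAN.
#    Without it the LAN client's SYN is delivered to the firewall's own VIP
#    address, a state is created (the "pass" the poster saw in the log), but
#    nothing ever reaches 10.0.0.254 (the SYN_SENT:CLOSED state in the post).
rdr on $lan_if proto tcp from $lan_net to $vip port 80 -> $web port 80

# 3. NAT reflection, part two: source NAT for the reflected flow. Client and
#    server share 10.0.0.0/24, so after the redirect the server would reply
#    directly to the client, which expects an answer from 10.0.20.20, not from
#    10.0.0.254, and drops it. Rewriting the source to the LAN interface address
#    forces the reply back through pf, where the state reverses both
#    translations. nat is applied to outbound packets, i.e. when the redirected
#    packet leaves fxp0 towards the server.
nat on $lan_if proto tcp from $lan_net to $web port 80 -> ($lan_if)

# Filter rules. Translation happens before filtering, so the OPT1 rule matches
# the translated destination, exactly like the poster's
# "Pass TCP * * 10.0.0.254 80(HTTP)" rule.
pass in quick on $opt1_if proto tcp from any to $web port 80 flags S/SA keep state
pass in quick on $lan_if from $lan_net to any keep state

# Everything else inbound is dropped; the post's RFC1918 block on WAN is
# covered by this default, and a log rule makes misses visible.
block in log all
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -sn` should list all three translation rules, and a LAN client's `telnet 10.0.20.20 80` should produce a state pair in `pfctl -ss` whose inner leg has the LAN interface address as source and 10.0.0.254 as destination. If the outer state exists but the inner one is missing, rule 2 is not matching; if the inner state exists but stays in SYN_SENT, rule 3 (the source NAT) is missing and the server is replying past the firewall. Note that traceroute from the firewall itself to the VIP still fails in this layout: locally generated packets to a local alias never leave an interface, so no rdr rule applies to them.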