Private address showing up as destination
-
Hello,
I'm noticing that my firewall log is sometimes showing my private LAN IPs as a destination when the request came from the WAN interface. I'm using 1:1 NAT so I would expect to see the public IP associated with that internal IP. Here is an example:
May 7 14:00:49 WAN Default deny rule IPv4 (1000000103) 199.188.67.167:56832 172.16.2.86:135 TCP:S
What am I missing?
Thanks ahead of time.
-
NAT happens before the firewall. So the IP address is being translated then the firewall says port 135 is blocked.
That's why you have to put the real IP address of the server in the pass rules, not the WAN address.
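As an added illustration of the answer above (not code from the thread or from pfSense itself), the model below runs the poster's own log line through the two stages in the order the answer describes: inbound NAT first, filter rules second. It shows why the default-deny entry logs the private LAN address as destination and why a pass rule written against the WAN address never matches while one written against the real server IP does. The public address 203.0.113.10 (RFC 5737 documentation space), the rule names and the mapping are constructed; the log line is the one quoted in the question.

```python
"""Model of the pfSense (pf) inbound processing order: NAT, then filter.

Added example, not code from the thread or from pfSense. The public address
203.0.113.10 and the rule names are constructed; the log line is the thread's.
"""
import re
from dataclasses import dataclass, replace as dc_replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed 1:1 NAT mapping: public address -> internal server.
BINAT = {"203.0.113.10": "172.16.2.86"}

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Shape of the old-style pfSense filter log line quoted in the question.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\S+) (?P<rule>.+?) \((?P<id>\d+)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+):(?P<flags>\S+)$"
)


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "pass" or "block"
    iface: str
    proto: str
    dst: str               # "any" or a single IP
    dport: Optional[int]   # None matches any port


def inbound_nat(pkt: Packet) -> Packet:
    """Stage 1: 1:1 / port-forward translation on WAN. Runs before any filter rule."""
    if pkt.iface == "WAN" and pkt.dst in BINAT:
        return dc_replace(pkt, dst=BINAT[pkt.dst])
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface and rule.proto == pkt.proto
            and rule.dst in ("any", pkt.dst) and rule.dport in (None, pkt.dport))


def filter_packet(rules: list, pkt: Packet) -> tuple:
    """Stage 2: first matching interface-tab rule wins; nothing matching hits the default deny."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.name
    return "block", "Default deny rule IPv4"


def process(rules: list, pkt: Packet) -> tuple:
    """Full pipeline. The filter, and therefore the log, only ever sees the translated packet."""
    translated = inbound_nat(pkt)
    action, name = filter_packet(rules, translated)
    return action, name, translated.dst


def parse_filterlog(line: str) -> dict:
    """Parse one log entry and flag a private destination on WAN as a post-NAT address."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log format: " + line)
    d = m.groupdict()
    d["dst_is_private"] = any(ip_address(d["dst"]) in n for n in RFC1918)
    return d


def scenario() -> dict:
    """Same inbound SYN against a rule on the WAN address and a rule on the real server IP."""
    syn = Packet("WAN", "TCP", "199.188.67.167", 56832, "203.0.113.10", 135)
    on_wan_ip = [Rule("pass-rpc-wan-ip", "pass", "WAN", "TCP", "203.0.113.10", 135)]
    on_real_ip = [Rule("pass-rpc-real-ip", "pass", "WAN", "TCP", "172.16.2.86", 135)]
    return {"wan_ip_rule": process(on_wan_ip, syn), "real_ip_rule": process(on_real_ip, syn)}


if __name__ == "__main__":
    entry = parse_filterlog("May 7 14:00:49 WAN Default deny rule IPv4 (1000000103) "
                            "199.188.67.167:56832 172.16.2.86:135 TCP:S")
    print(entry["iface"], entry["dst"], "private destination on WAN:", entry["dst_is_private"])
    for label, (action, rule, dst) in scenario().items():
        print(f"{label}: {action} by '{rule}', filter saw dst={dst}")
```

The same SYN is blocked by the default deny when the only pass rule names the WAN address, and passed when the rule names 172.16.2.86, because by the time either rule is evaluated the destination has already been rewritten. The parser's `dst_is_private` flag is the reading cue for such log entries: a private destination on the WAN interface is the translated address, not evidence of a routing leak.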
-
Thanks for the response!
Ok that totally makes sense.
Thanks again.
-
> NAT happens before the firewall. So the IP address is being translated then the firewall says port 135 is blocked.
> That's why you have to put the real IP address of the server in the pass rules, not the WAN address.
That line, exactly how you wrote it should be in an FAQ.
-
Where exactly do you think it should go? The firewall processing order is already documented:
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
More accurately, the following order (still simplified) is found in the ruleset (check /tmp/rules.debug):
- Outbound NAT rules
- Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
- NAT rules for the Load Balancing daemon (relayd)
- Rules dynamically received from RADIUS for OpenVPN and IPsec clients
- Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
- User-defined rules:
  - Rules defined on the floating tab
  - Rules defined on interface group tabs (including OpenVPN)
  - Rules defined on interface tabs (WAN, LAN, OPTx, etc.)
- Automatic VPN rules
-
Not the order, this part:
> That's why you have to put the real IP address of the server in the pass rules, not the WAN address.
-
It's already in there where it says
> Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
before the other rules.
-
I did say in an FAQ. It clarifies it a lot.
I had to read up on NAT to understand it myself when I initially set up my firewall; having it in the FAQ would have made it much easier to understand.
-
A FAQ for this forum is desperately needed.
![Screen Shot 2015-05-21 at 2.50.50 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-21 at 2.50.50 PM.png)