Port Forward to Web Server Troubleshooting



  • Hi,

    I am trying to troubleshoot a problem with my NAT config. I am port forwarding traffic on port 80 to my web server.  NAT Reflection is on and internally I can access the website. Externally only SOME traffic can access the site. I have turned on logging for the port 80 FW rule and I do see some traffic pass. My co-worker on cellular network was able to access the site but I can not (both ATT network). I also tried from http://downforeveryoneorjustme.com/ and it returned a down status. I ran a packet capture while testing and I can see the traffic on the WAN.

    14:04:32.208766 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
    14:04:35.172237 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
    14:04:35.172435 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 134
    14:04:35.172920 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
    14:04:35.284725 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 653
    14:04:35.344196 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
    14:04:35.345141 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
    14:04:35.345369 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 177
    14:04:35.345715 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0

    But the system:firewall logs does not show this (above) traffic - either Pass or Block. The Pass was logged for my co-workers cellular network connection. I also checked the web server log and there no requests from 50.97.161.229.

    FYI - this is a new server install. Some of the port forwards are working, such as SMTP, but several are not.

    Attached are my Virtual IP, NAT and firewall settings.

    Can anyone with a fresh set of eyes see if I am doing something wrong? Thanks in advance.

    -Andrew








  • @ahking19:

    14:04:32.208766 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
    14:04:35.172237 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
    14:04:35.172435 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 134
    14:04:35.172920 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0
    14:04:35.284725 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 653
    14:04:35.344196 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 0
    14:04:35.345141 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 1448
    14:04:35.345369 IP 50.97.161.229.80 > 173.160.166.49.41273: tcp 177
    14:04:35.345715 IP 173.160.166.49.41273 > 50.97.161.229.80: tcp 0

    But the system:firewall logs does not show this (above) traffic - either Pass or Block. The Pass was logged for my co-workers cellular network connection. I also checked the web server log and there no requests from 50.97.161.229.

    Who is 50.97.161.229??

    The packet capture above shows access to 50.97.161.229 at port 80. So it seems 50.97.161.229 is the server and 173.160.166.49 is the client who access a web page at 50.97.161.229.

    BTW: Why have you forwarded RDP while you have a OpenVPN setup?



  • Who is 50.97.161.229??<<

    External website I was using to test.

    Traffic from this address is trying to reach a website at 173.160.166.53, which is Virtual IP. 173.160.166.49 is the WAN interface of the pfsense box.

    The capture shows the traffic reaches the WAN interface but it doesn't get to the private NAT address of the webserver.

    BTW: Why have you forwarded RDP while you have a OpenVPN setup?<<

    Legacy. If I can get pfsense configured correctly and clients rolled over to OpenVPN I can then drop the RDP rules.



  • @ahking19:

    Who is 50.97.161.229??<<

    External website I was using to test.

    Traffic from this address is trying to reach a website at 173.160.166.53, which is Virtual IP. 173.160.166.49 is the WAN interface of the pfsense box.

    The capture shows the traffic reaches the WAN interface but it doesn't get to the private NAT address of the webserver.

    No, the capture shows packet from 173.160.166.49 accessing 50.97.161.229 at port 80/http. That's what I don't understand.
    So maybe a host inside your LAN is accessing a website at 50.97.161.229, outbound NAT will translate the source address to the WAN address.

    If a webaddress is accessing your external virtual IP packet capture shows your VIP not the WAN IP.



  • So maybe a host inside your LAN is accessing a website at 50.97.161.229, outbound NAT will translate the source address to the WAN address.<<

    I think your were right, the traffic was from inside host.

    I did some testing from home where my IP is 50.46.159.93 and ran some pings to my IPs.

    173.160.166.49 - pfsense
    173.160.166.51 - VIP
    173.160.166.53 - VIP
    173.160.166.54 - VIP

    in the packet trace I can see the ping to .49 & .51 but none of my other VIPs.  I can also see .49 & .51 in the firewall rule log.

    Is it something in the way I created the VIPs?  They were all created the same but .51 was created first and is first in list.

    type = ip alias
    interface = wan
    ip address - 173.160.166.51/28

    Then I used the VIP in the NAT Port Forward rule.

    I ran ifconfig from shell and the IPs are all listed on the WAN interface

    $ ifconfig
    em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
    options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:30:48:55:c8:2a
    inet6 fe80::230:48ff:fe55:c82a%em0 prefixlen 64 scopeid 0x1
    inet 173.160.166.49 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.51 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.50 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.52 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.60 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.54 netmask 0xfffffff0 broadcast 173.160.166.63
    inet 173.160.166.53 netmask 0xfffffff0 broadcast 173.160.166.63
    nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active

    -Andrew</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast>



  • It seems to be a problem with the VIPs. The only one that works is 173.160.166.51.

    I moved the website from .60 on port 443 to .51 port 443.
    I also moved website from .53 on port 80 to .51 port 80.

    Updated the NAT Port Forward rules and they are now accessible from both internal and external clients.

    -Andrew



  • Strange issue.

    Your VIPs looks well.

    Only thing I'm missing is your WAN gateway IP. Usually this is the lowest IP in the subnet except the network address, but this is the WAN address in your case.


Log in to reply