Netgate Discussion Forum

Firewall not allowing return path?

Firewalling | 9 Posts | 3 Posters | 2.9k Views
marv2097, last edited Sep 2, 2015, 1:57 PM

Hi All,

I am fairly new to pfSense and I am having issues with the firewall setup. I have 2 external routers doing NAT and the pfSense box is behind them on private addresses, not running NAT. Its main role is to direct different types of traffic out of different routers.

I am trying to make an HTTPS page on an internal device available externally. So I have set up a port forward for 8443 on the outside of the router to 192.168.1.240:443 and added a WAN->LAN rule on the firewall. Below should be the path and private IPs:

Client browser        92.x.x.x
DSL router (outside)  88.x.x.x
DSL router (inside)   192.168.10.20
pfSense WAN           192.168.10.1
pfSense LAN           192.168.1.254
Web server            192.168.1.240

92.x.x.x ---> 88.x.x.x ---> 192.168.10.20 ---> 192.168.10.1 ---> 192.168.1.254 ---> 192.168.1.240

The WAN rule looks like this:
IPv4 TCP * * 192.168.1.240 443 (HTTPS) * none

Captures on the LAN side show the SYN packet makes it to the web server from the client; the web server responds with a SYN-ACK but the firewall drops it with an ICMP Host Not Reachable. Capturing on the WAN side of the firewall I don't see any SYN-ACK coming back.

Looking at the states table I can see:

Int  Proto  Source -> Router -> Destination             State
WAN  tcp    192.168.1.240:443 <- 92.40.249.228:16617   SYN_SENT:ESTABLISHED
LAN  tcp    92.40.249.228:16617 -> 192.168.1.240:443   ESTABLISHED:SYN_SENT

What I am not sure of is why the firewall is dropping the SYN-ACK; should the state not allow packets back through? There doesn't appear to be a routing issue per se, because I can initiate an outbound connection from the web server with no issues and it follows my LAN routing rules fine.

Any advice would be greatly appreciated.

Cheers
Marv

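A way to read this capture symptom mechanically, as an added example that is not part of the thread: the script below correlates SYN, SYN-ACK and ICMP host-unreachable lines from tcpdump -n style output and classifies each inbound handshake, separating "the gateway refused to forward the reply" from "the server never answered". The capture lines are constructed; the 192.168.1.254 gateway and 92.40.249.228 client come from the post, while the 10.0.0.5 contrast flow and the gateway parameter are my assumptions.

```python
import re

# Constructed tcpdump -n style lines (not from the original post) modelling the symptom
# in the thread: the SYN reaches 192.168.1.240, the server's SYN-ACK is answered by the
# gateway 192.168.1.254 with ICMP host unreachable. The 10.0.0.5 flow completes normally.
SAMPLE_CAPTURE = """\
IP 92.40.249.228.16617 > 192.168.1.240.443: Flags [S], seq 1000, win 65535, length 0
IP 192.168.1.240.443 > 92.40.249.228.16617: Flags [S.], seq 2000, ack 1001, win 65535, length 0
IP 192.168.1.254 > 192.168.1.240: ICMP host 92.40.249.228 unreachable, length 36
IP 10.0.0.5.40000 > 192.168.1.240.443: Flags [S], seq 3000, win 65535, length 0
IP 192.168.1.240.443 > 10.0.0.5.40000: Flags [S.], seq 4000, ack 3001, win 65535, length 0
IP 10.0.0.5.40000 > 192.168.1.240.443: Flags [.], ack 4001, win 65535, length 0
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([S.FRPUW]+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP host (\S+) unreachable")


def diagnose(capture: str, gateway: str) -> dict:
    """Map (client_ip, client_port) to a verdict for each inbound TCP handshake seen."""
    flows = {}
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            sender, receiver = (src, int(sport)), (dst, int(dport))
            if flags == "S":                                 # client SYN opens the flow
                flows[sender] = {"synack": False, "ack": False, "icmp": False}
            elif flags == "S." and receiver in flows:        # server SYN-ACK, reverse direction
                flows[receiver]["synack"] = True
            elif flags == "." and sender in flows:           # client's final ACK
                flows[sender]["ack"] = True
            continue
        m = ICMP_RE.search(line)
        if m and m.group(1) == gateway:                      # only errors the gateway itself emits
            for (client_ip, _), f in flows.items():
                if client_ip == m.group(3) and f["synack"]:
                    f["icmp"] = True
    verdicts = {}
    for key, f in flows.items():
        if f["synack"] and f["icmp"]:
            verdicts[key] = "return-path failure: gateway answered the SYN-ACK with ICMP unreachable"
        elif f["synack"] and f["ack"]:
            verdicts[key] = "handshake completed"
        elif not f["synack"]:
            verdicts[key] = "server never answered the SYN"
        else:
            verdicts[key] = "SYN-ACK sent, no third packet seen"
    return verdicts
```

Run `diagnose(open("lan.txt").read(), "192.168.1.254")` on a real `tcpdump -n` text dump from the server's segment; a flow classified as a return-path failure points at routing on the gateway rather than at the pass rule.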
doktornotor (Banned), last edited Sep 2, 2015, 4:34 PM

Yeah, get rid of the multi-NAT.

marv2097, last edited Sep 2, 2015, 4:54 PM

@doktornotor:

Yeah, get rid of the multi-NAT.

Hi there, sorry, I may not have explained this very well.

I have 2 DSL routers, both use NAT, but only one is used per connection, i.e. multi-WAN. So the traffic will come in via one of the DSL routers only, in this case the 88.X.X.X connection.

The pfSense box has NAT disabled also, so there is no double NATting.

Cheers

johnpoz (LAYER 8 Global Moderator), last edited Sep 2, 2015, 6:39 PM

Why don't you just put your 2 WAN connections directly on pfSense? I never understand why people make everything so freaking difficult.

So client gets SYN, and wants to send SYN-ACK back. So it hits pfSense; where does pfSense send it? You sure you're going back to the same router that you forwarded it in from?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

doktornotor (Banned), last edited Sep 3, 2015, 4:30 AM

@marv2097:

Hi there, sorry, I may not have explained this very well.
I have 2 DSL routers, both use NAT, but only one is used per connection

No, I understood pretty well. Everything you do on pfSense, you need to do on the modems as well. Bridge the stuff and get rid of the multiple NAT.

marv2097, last edited Sep 3, 2015, 9:10 AM

@johnpoz:

Why don't you just put your 2 WAN connections directly on pfSense? I never understand why people make everything so freaking difficult.

The DSL services I have (work provided) are not routed ones, so there has to be NAT in the router. I need the 2 connections, so instead of double NATting I disabled NAT on pfSense so it acts more as a WAN balancer and firewall.

@johnpoz:

So client gets SYN, and wants to send SYN-ACK back. So it hits pfSense; where does pfSense send it? You sure you're going back to the same router that you forwarded it in from?

That's the problem, it doesn't send it. The NAT/router issue is not involved at this stage; pfSense acts like it doesn't know where to send the SYN-ACK, so it drops it and sends ICMP Host Unreachable back to the server. Should it not already know how to do this based on the states table?

If it did send it back to the wrong router, or the correct router didn't pass it, then I could understand, but captures on the WAN and LAN side of pfSense confirm it's not sending it anywhere. (Screenshot of LAN capture attached.)

[Attachment: int-cap1.png]

marv2097, last edited Sep 3, 2015, 9:14 AM

@doktornotor:

@marv2097:

Hi there, sorry, I may not have explained this very well.
I have 2 DSL routers, both use NAT, but only one is used per connection

No, I understood pretty well. Everything you do on pfSense, you need to do on the modems as well. Bridge the stuff and get rid of the multiple NAT.

OK, maybe I don't quite understand what you mean. I use NAT, but each outbound connection is only translated once, in the DSL router that pfSense chooses (not both). Using private IPs internally I can't avoid NAT, unless you know of a different way to achieve a similar result? Sorry if I am getting the wrong end of the stick with this.

doktornotor (Banned), last edited Sep 3, 2015, 10:31 AM

Yeah, Google DSL modem bridging or something, or use the search feature here.

marv2097, last edited Sep 4, 2015, 7:27 AM

@doktornotor:

Yeah, Google DSL modem bridging or something, or use the search feature here.

Thanks doktornotor, I will take a look into that.

I am still not sure the NAT side of things is related to my problem, which seems to be a routing/firewall issue with pfSense dropping the packet due to no route.

Would it help just putting a PC on the WAN side, taking the whole router aspect out of the equation?

Many Thanks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.