Can't connect from network to wan address



  • I think this is the right place for this question but I am not sure so if not please direct me in the right location.

    I just installed 1.2 and everything appeared to be working great until I tried to get to one of the webservers here and realized I couldn't reach it.  First I thought it was just an error with squid but after I disabled squid I realized the problem was much larger.  I can reach the servers from the internet just not from inside the network behind the pfsense box.

    First I have 5 IPs on my public interface.  I can only ping two of them from the internet.  I can only ping one of those five addresses from inside the network, that is the IP that is listed on the wan interface.  Instead of trying to explain my setup with a wall of text I drew it up really quick and saved it as a pdf.

    http://wilpig.org/temp/firewallsetup.pdf

    I believe I have all of the firewall rules set correctly.  I put in two generic ICMP rules for the LAN and WAN sides just saying permit all.  I have tried to do a packet capture to see what was going on but it was not much help.  I started a capture and then attempted to open a putty session to one of my external IPs that has a rule in to route to one of the backend servers.  These are the only two lines that were in the packet dump from that attempt.

    23:37:58.515509 IP (tos 0x0, ttl 128, id 20065, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 208.xxx.xxx.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>
    23:38:01.526322 IP (tos 0x0, ttl 128, id 20124, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 208.xxx.xxx.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>

    I also saved a copy of my config if that will help determine what the problem is.
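The capture above shows the classic symptom of a LAN host talking to the firewall's own WAN address: SYNs retransmitted with nothing coming back. The script below is an added illustration (not from the poster or from pfSense) that parses `tcpdump -v` lines in that format, reports flows that only ever sent SYNs, and flags the ones going from an RFC 1918 source to a WAN address you supply. The capture embedded in it is constructed: the two SYNs from the post with the redacted octets replaced by a documentation address, plus one normal LAN-to-LAN handshake for contrast.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture (tcpdump -v style). 203.0.113.14 stands in for
# the redacted 208.xxx.xxx.14 WAN address; 192.168.0.10 is an assumed LAN server.
SAMPLE_CAPTURE = """\
23:37:58.515509 IP (tos 0x0, ttl 128, id 20065, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 203.0.113.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>
23:38:01.526322 IP (tos 0x0, ttl 128, id 20124, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 203.0.113.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>
23:38:05.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3440 > 192.168.0.10.22: S, cksum 0x0000 (correct), 1:1(0) win 65535 <mss 1460>
23:38:05.100500 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.10.22 > 192.168.0.105.3440: S, cksum 0x0000 (correct), 2:2(0) ack 2 win 65535 <mss 1460>
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "<ts> IP (<verbose header>) <src>.<sport> > <dst>.<dport>: <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(.*?\) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+)"
)

def parse(capture):
    """Yield (src, sport, dst, dport, is_pure_syn) for each parseable TCP line."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparseable line, skip it
        # Old-style tcpdump prints a SYN-ACK as flags "S" followed by "ack N".
        pure_syn = m["flags"] == "S" and " ack " not in line
        yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), pure_syn

def find_unanswered_syns(capture, wan_addrs):
    """Return flows that only sent SYNs and never saw any packet in reply.
    A flow from a private source to one of the firewall's WAN addresses is
    marked hairpin=True: that is the case NAT reflection exists to handle."""
    wan = {ip_address(a) for a in wan_addrs}
    syn_counts = defaultdict(int)
    seen = set()
    for src, sport, dst, dport, pure_syn in parse(capture):
        seen.add((src, sport, dst, dport))
        if pure_syn:
            syn_counts[(src, sport, dst, dport)] += 1
    findings = []
    for (src, sport, dst, dport), n in syn_counts.items():
        if (dst, dport, src, sport) in seen:
            continue  # the other side answered, so this flow was not dropped
        private_src = any(ip_address(src) in net for net in RFC1918)
        findings.append({"flow": (src, sport, dst, dport), "syn_count": n,
                         "hairpin": private_src and ip_address(dst) in wan})
    return findings

if __name__ == "__main__":
    for f in find_unanswered_syns(SAMPLE_CAPTURE, ["203.0.113.14"]):
        print(f)
```

Feed it the real capture and the WAN IPs from the interface page; a hairpin finding with several SYNs and no reply points at the port forward not applying to LAN-originated traffic rather than at a firewall rule.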



  • enable NAT reflection

    --> Advanced --> NAT reflection



  • You are amazing.  Thank you very much!



  • Would this setting cause my internet terminal services clients to constantly need to reconnect?  Many of the sales people here just connect to our DNS name for the terminal server when they are in the office or out, for simplicity.  If they connect to the external name while in the office and leave the connection idle for about 45 seconds they have to wait while it says "reconnecting to host".  The memory usage on the status page shows 60%; the states table is nowhere near full.  If I connect to the local name, which bypasses the firewall, it does not have this reconnection problem.

