
Author Topic: Assistance with an internal port forward  (Read 2830 times)


Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Assistance with an internal port forward
« on: November 01, 2015, 02:46:30 pm »
I'm trying to get an internal port forward to work.

I have a domain pointed (internally) to my firewall.

What I'm trying to make is a NAT rule that directs a port to another internal IP

So if I try to hit my firewall at port 10060, it directs it to the specific server at 10060

The rule I made was

Interface: LAN
Source: Any
Destination: 10.9.0.1 <-- Firewall
Destination Port: 10060
Target: 10.9.0.10 <--- Internal server 
Target Port: 10060

This doesn't work

However, if I change Destination from 10.9.0.1 to ANY, it works, so I'm not sure why that is, but I don't want to globally override that port.

Can anyone help?

Offline muswellhillbilly

  • Hero Member
  • Posts: 935
  • Karma: +73/-4
Re: Assistance with an internal port forward
« Reply #1 on: November 02, 2015, 02:38:52 am »
Why would you want to do this? Why not just set your internal DNS to point directly to the internal server instead of your firewall? You're just trying to bounce a forward from an internal host to another internal host via the firewall's internal interface. Unless I misread your post.

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10257
  • Karma: +1176/-313
Re: Assistance with an internal port forward
« Reply #2 on: November 02, 2015, 03:36:06 am »
Yeah. Bouncing connections in and back out of the same interface is doomed to failure. Sometimes in strange, unpredictable, and intermittent ways. Just don't do it.

If you really need this put the asset you are redirecting to on another interface and redirect to that.  That will work fine.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: Assistance with an internal port forward
« Reply #3 on: November 02, 2015, 09:14:13 am »
Quote
Why would you want to do this? Why not just set your internal DNS to point directly to the internal server instead of your firewall? You're just trying to bounce a forward from an internal host to another internal host via the firewall's internal interface. Unless I misread your post.

Externally my domain points to my firewall and has specific ports forwarded to specific machines for different services.
Internally my domain ALSO points to my firewall.

I'm trying to achieve the same thing.

For example, one machine hosts an IceCast2 server for music streaming.

Right now people can go to http://mydomain.com:10060/stream.m3u and listen.
However, if they're on my network, that doesn't work.

If I point my DNS to the one server internally, I remove the ability to reach ALL other servers with the same name.

Quote
If you really need this put the asset you are redirecting to on another interface and redirect to that.  That will work fine.
Unfortunately, that's not possible as I need that resource to be on LAN due to its other purposes.

I should mention again, that if I do the port forward with destination set to ANY it works, but if I only put in the firewall's IP, use the "This Firewall" alias, or 127.0.0.1 it doesn't work.
That suggests to me there is a correct thing to use for the destination to make this work, if using "Any" does work.
« Last Edit: November 02, 2015, 09:18:28 am by Trel »

Offline johnpoz

  • Hero Member
  • Posts: 15736
  • Karma: +1469/-210
  • Not a pfSense employee, they cannot fire me...
Re: Assistance with an internal port forward
« Reply #4 on: November 02, 2015, 09:30:13 am »
"If I point my DNS to the one server internally, I remove the ability to reach ALL other servers with the same name."

Huh???  You just create a record for mydomain.com that points to your internal IP on your internal dns..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: Assistance with an internal port forward
« Reply #5 on: November 02, 2015, 09:37:10 am »
Quote
"If I point my DNS to the one server internally, I remove the ability to reach ALL other servers with the same name."

Huh???  You just create a record for mydomain.com that points to your internal IP on your internal dns..

Maybe I worded that poorly

Externally
domain.com:80 -> Server A
domain.com:81 -> Server B
domain.com:82 -> Server C

If I point the DNS for domain.com to any one of those servers, I relinquish the ability to have the other two accessible.
What I'm trying to do is point the DNS internally to the firewall and then use NAT to forward the ports back to the correct servers.

EDIT: added pictures of the rule that works and the rule that doesn't.
(But the rule that works is too broad, I want to be specific as I don't want to forward ALL attempts at 10068, just the ones that target the firewall itself).

Offline johnpoz

  • Hero Member
  • Posts: 15736
  • Karma: +1469/-210
  • Not a pfSense employee, they cannot fire me...
Re: Assistance with an internal port forward
« Reply #6 on: November 02, 2015, 09:40:58 am »
why not just do

server1.domain.tld publicIP --- serverA privateIP-A
server2.domain.tld publicIP --- serverB privateIP-B
server3.domain.tld publicIP --- serverC privateIP-C

then on internal
server1.domain.tld privateIP-A
server2.domain.tld privateIP-B
server3.domain.tld privateIP-C

Much cleaner solution..

If you don't want to use the :port in your url just setup reverse proxy on pfsense.

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: Assistance with an internal port forward
« Reply #7 on: November 02, 2015, 10:11:15 am »
Quote
why not just do

server1.domain.tld publicIP --- serverA privateIP-A
server2.domain.tld publicIP --- serverB privateIP-B
server3.domain.tld publicIP --- serverC privateIP-C

then on internal
server1.domain.tld privateIP-A
server2.domain.tld privateIP-B
server3.domain.tld privateIP-C

Much cleaner solution..

If you don't want to use the :port in your url just setup reverse proxy on pfsense.

If I was doing it from scratch, I would have done it that way, but I'm not.  There's hard coded things going years back that used to all run off a single server.

I know it's not best practice, but it's what I need to do for my scenario.

Based on the pictures I uploaded, you can see there HAS to be some way to make it work given my constraints.  I just need to find out what it is.
Considering it works with the destination being "Any", then there must be some destination(s) that will make it work.

(And for what it's worth, I'm pushing to have some of that changed so I CAN use best practices)
« Last Edit: November 02, 2015, 10:27:09 am by Trel »

Offline muswellhillbilly

  • Hero Member
  • Posts: 935
  • Karma: +73/-4
Re: Assistance with an internal port forward
« Reply #8 on: November 02, 2015, 10:47:09 am »
Quote
If I was doing it from scratch, I would have done it that way, but I'm not.  There's hard coded things going years back that used to all run off a single server.

I know it's not best practice, but it's what I need to do for my scenario.
I'm not sure what you mean by 'hard coded things', but if you just need to resolve one host internally then surely a DNS override would work just as well. You just need to enter the address for one host - how hard can it be?

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: Assistance with an internal port forward
« Reply #9 on: November 02, 2015, 03:34:24 pm »
Quote
If I was doing it from scratch, I would have done it that way, but I'm not.  There's hard coded things going years back that used to all run off a single server.

I know it's not best practice, but it's what I need to do for my scenario.
I'm not sure what you mean by 'hard coded things', but if you just need to resolve one host internally then surely a DNS override would work just as well. You just need to enter the address for one host - how hard can it be?

Ok, I have two things off the top of my head that are hard coded.

One is hardcoded to look at: http://domain.com:8080/path_to_xml/file.xml
One is hardcoded to look at: http://domain.com:10060/stream128.m3u

The webserver which serves the XML is on one server, the IceCast server which serves the m3u is on a second server.

How would I achieve this with a DNS override? 

Pfsense: I can change
Servers Themselves: I can change
DNS: I can change
Devices that look at those URLs and Ports: I cannot change

What are you suggesting I do here?

(I'm sorry if I sound a bit snappy here, I'm just not sure how I'm supposed to point DNS to two different locations for the same name without NAT as well.  And I'm dealing with an excellent bug in my registrar's UI that has locked me out of making any DNS changes at all on two of my domains.   Didn't mean to take out my bad day on you)
« Last Edit: November 02, 2015, 03:49:45 pm by Trel »

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10257
  • Karma: +1176/-313
Re: Assistance with an internal port forward
« Reply #10 on: November 02, 2015, 05:10:01 pm »
I try to tell people that domain.com shouldn't be used as a hostname. I always lose. Whoever did that painted you into a corner.

So you're saying both those URLs need to go to different destination servers?

Yes, you'll need a port forward.  Doing it with the clients on the same subnet as the servers is going to be pretty hokey. You see, NAT is a router function and you don't route same-subnet traffic so anything that "works" will be a hack.

My recommendation is to put the servers (which you say you can change) on a different subnet and NAT port forwards will work fine. But you've already said you can't do that either.

You might try enabling the NAT destination IP again and checking Static route filtering in System > Advanced > Firewall/NAT tab.

Offline Trel

  • Sr. Member
  • Posts: 368
  • Karma: +11/-1
Re: Assistance with an internal port forward
« Reply #11 on: November 02, 2015, 06:36:49 pm »
Quote
I try to tell people that domain.com shouldn't be used as a hostname. I always lose. Whoever did that painted you into a corner.

So you're saying both those URLs need to go to different destination servers?

Yes, you'll need a port forward.  Doing it with the clients on the same subnet as the servers is going to be pretty hokey. You see, NAT is a router function and you don't route same-subnet traffic so anything that "works" will be a hack.

My recommendation is to put the servers (which you say you can change) on a different subnet and NAT port forwards will work fine. But you've already said you can't do that either.

You might try enabling the NAT destination IP again and checking Static route filtering in System > Advanced > Firewall/NAT tab.

Well it's not domain.com specifically, I don't think they want me mentioning their real one.  But I agree.  My home setup has an internal domain, but I use s1.trel.co, s2.trel.co, etc to separate them even when they all point to the same IP externally.

For the static route filtering option, it refers to defined interfaces, not physical ones, right?

Do you have any idea at all why the NAT rule I have in the picture I uploaded earlier works when its destination is * vs any one IP/Alias?

EDIT: the static route filtering option didn't make a difference, if it absolutely can't be done without forwarding ALL destinations at that port, I'll have to tell them it can't be done.
« Last Edit: November 02, 2015, 06:41:15 pm by Trel »

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10257
  • Karma: +1176/-313
Re: Assistance with an internal port forward
« Reply #12 on: November 02, 2015, 06:56:35 pm »
If I have time I'll lab it tonight.  I don't know if you need to enable NAT reflection or another hack to make it work.

Just so I'm clear you want:

pfSense: 192.168.1.1/24
ifAlias VIP: 192.168.1.2
Host 1: 192.168.1.100
Server 1: 192.168.1.200

Port forward connections from 192.168.1.100 to 192.168.1.2:8000 to 192.168.1.200:8000 instead.
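Derelict's point in Reply #10, and the lab scenario he sketches in Reply #12, is that a port forward on the LAN interface only rewrites the destination address. Because the client and the server sit on the same subnet, the server's replies go straight back to the client from the server's own address, never through the firewall, so the client's TCP state sees an answer from an IP it never connected to and tears the session down. The pf.conf fragment below is an added example, not anything posted in this thread and not the rules pfSense generates; it uses the addresses from the first post (10.9.0.1 firewall, 10.9.0.10 IceCast server, 10.9.0.0/24 LAN) and an assumed LAN interface name of igb1. It shows the redirect keyed to the firewall's LAN address, as the OP wanted, together with the outbound NAT rule that keeps both directions of the hairpin flow on the firewall.

```pf
# Added example, not from the thread. Assumption: igb1 is the LAN NIC.
lan_if  = "igb1"
lan_net = "10.9.0.0/24"
fw_lan  = "10.9.0.1"      # firewall's LAN address (the OP's "This Firewall")
icecast = "10.9.0.10"     # internal server that should receive port 10060

# 1. Redirect only traffic the client actually sent to the firewall's LAN IP
#    on port 10060. The OP's rule with destination Any would also grab LAN
#    connections to port 10060 on any other host, which is what he objects to.
rdr on $lan_if proto tcp from $lan_net to $fw_lan port 10060 \
    -> $icecast port 10060

# 2. Redirection alone fails on a hairpin path: the packet leaves on the
#    same interface it arrived on, and the server would answer the client
#    directly from 10.9.0.10. Source-NAT the redirected flow to the firewall's
#    LAN address so the server replies to the firewall, which un-translates
#    the reply back to the client. Cost: the server's logs show 10.9.0.1 as
#    the client for every hairpinned connection.
nat on $lan_if proto tcp from $lan_net to $icecast port 10060 -> $fw_lan

# 3. pf filters after translation, so the pass rule must match the
#    post-redirect destination, not the firewall address.
pass in quick on $lan_if proto tcp from $lan_net to $icecast port 10060 \
    flags S/SA keep state
```

In the pfSense GUI the two translation rules correspond to the LAN port forward (destination set to the LAN address, not Any) plus a manual Outbound NAT rule on LAN for source 10.9.0.0/24, destination 10.9.0.10 port 10060, translating to the LAN address. pfSense's NAT Reflection settings under System > Advanced > Firewall/NAT ("Pure NAT" with "automatic outbound NAT for Reflection") generate rules of this shape automatically for existing port forwards. Before changing any NAT, run `dig mydomain.com` from a LAN client and confirm it really returns 10.9.0.1: a redirect keyed to the firewall's LAN address can only match connections the client addressed to that IP, which is the one thing a destination of Any does not care about.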

Offline johnpoz

  • Hero Member
  • Posts: 15736
  • Karma: +1469/-210
  • Not a pfSense employee, they cannot fire me...
Re: Assistance with an internal port forward
« Reply #13 on: November 03, 2015, 04:47:37 am »
You want a simpler solution.. Run those services on the same box - since the moron that hard coded a single name thought that was how it worked..  Also agree using a domain name as FQDN to point to a host is a bad idea.. host.domain.tld should always be used..

Fix the hard code.. Which again is a BAD idea...

Offline muswellhillbilly

  • Hero Member
  • Posts: 935
  • Karma: +73/-4
Re: Assistance with an internal port forward
« Reply #14 on: November 03, 2015, 06:52:22 am »
I'm in agreement with JP on this one. The more you try to work around the bad decisions made before you inherited this system, the more convoluted and unmanageable your environment will become. You have an opportunity to fix things here rather than just work around them. Otherwise you'll only make your life and the life of the guy who eventually inherits your network more miserable in the long run.

Puts me in mind of the following classic image: http://blog.thingsdesigner.com/uploads/id/tree_swing_development_requirements.jpg