
Topic: 1 public IP mapped to a private machine's IP address. How to make it work?

jauyzed:
Hello,

I have set up pfSense with my home Comcast public dynamic IP address. Modem --> WAN --> OPT1 and WAN --> LAN. I have a domain name mapped to the WAN IP, which is 52.102.x.y (Comcast public IP), on Namecheap. Attached is a screenshot of my setup.

I do have a machine with IP 10.1.10.102 running nginx on the OPT1 interface with port 80 exposed. I can reach this IP from a browser on any interface using http://10.1.10.102 or using curl from the command line. I was able to curl it from the pfSense VM and also from a machine on the LAN interface. I have a NAT configuration on the WAN interface. I tried many combinations with it, like any to OPT1 address/net and target to one IP address. Attached screenshots.

But when I go to www.example.com (actual name suppressed), which is mapped to the public IP, I get an error instead of seeing the nginx success page. Could someone please put me in the right direction? Or tell me if it is possible or not. D-DNS looks tedious to me. All I want is a public domain mapped to my home server.

Thanks!

« Last Edit: March 17, 2017, 10:44:13 am by jauyzed »

viragomann:
Exactly the same text content as in Routing and MultiWAN: https://forum.pfsense.org/index.php?topic=127397.0
??

Try to access the web server by typing your external IP in the browser.
If you still can't reach it, use Packet Capture from the pfSense Diagnostics menu to check if packets are forwarded to you by your ISP. Select the WAN interface and port 80, start the capture, try to access the website from the internet, then stop it and look if packets are shown.

Chromatics:
You must change the value of Dest. Address from 10.1.10.102 to Interface Address (the public IP address assigned to the WAN interface) to make it work.

If you try to reach the webserver from WAN via www.example.com, incoming packets to WAN will have their destination as the public IP, not 10.1.10.102.

Then pfSense will NAT these packets by the port forward rule, translating their destination to 10.1.10.102, and after that it will resume filtering and routing them.

Also, only setting that rule will not make the webserver accessible from nodes on OPT1 or LAN via the www.example.com name.
You will need to add more rules with everything the same as the corrected WAN port forward rule but with different interfaces, one each for LAN and OPT1.

However, for efficiency you may want to just use 10.1.10.102 inside the OPT1 network for accessing the webserver, or set up another DNS server exclusive to that network.

« Last Edit: March 18, 2017, 01:03:18 pm by Chromatics »

jauyzed:
Quote from: viragomann
Exactly the same text content as in Routing and MultiWAN: https://forum.pfsense.org/index.php?topic=127397.0
??

Try to access the web server by typing your external IP in the browser.
If you still can't reach it, use Packet Capture from the pfSense Diagnostics menu to check if packets are forwarded to you by your ISP. Select the WAN interface and port 80, start the capture, try to access the website from the internet, then stop it and look if packets are shown.

The link you have posted leads to a dead link :(

I see the packets in the Packet Capture. Thanks for the info.

jauyzed:
Quote from: Chromatics
You must change the value of Dest. Address from 10.1.10.102 to Interface Address (the public IP address assigned to the WAN interface) to make it work.

If you try to reach the webserver from WAN via www.example.com, incoming packets to WAN will have their destination as the public IP, not 10.1.10.102.

Then pfSense will NAT these packets by the port forward rule, translating their destination to 10.1.10.102, and after that it will resume filtering and routing them.

Also, only setting that rule will not make the webserver accessible from nodes on OPT1 or LAN via the www.example.com name.
You will need to add more rules with everything the same as the corrected WAN port forward rule but with different interfaces, one each for LAN and OPT1.

However, for efficiency you may want to just use 10.1.10.102 inside the OPT1 network for accessing the webserver, or set up another DNS server exclusive to that network.

I have changed the destination address in the NAT rules to my public IP. The NAT IP is set to the OPT1 host 10.1.10.102. In the browser, or with curl http://<mypubip> from the command line, it doesn't lead me anywhere :-(


Chromatics:
Where did you test it? The pfSense host itself? Or other computers on each network?
I suggest you test it from other computers on each network, not the pfSense host itself.

jauyzed:
Quote from: Chromatics
Where did you test it? The pfSense host itself? Or other computers on each network?
I suggest you test it from other computers on each network, not the pfSense host itself.

I'm not testing from the pfSense host. It's reachable from the pfSense host. No problems hitting it from within the private network whatsoever.

Failing case scenario: other computers with a different IP (from work). Outside network --> my home public IP


Chromatics:
I think it's good to check and find out where the packets are not flowing.
Use tcpdump from a shell on each computer to see what's going on.

Suggestion:
From the pfSense host:
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102

From the webserver:
tcpdump -n -i (name of the interface facing xn2) port 80

And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?

jauyzed:
Quote from: Chromatics
I think it's good to check and find out where the packets are not flowing.
Use tcpdump from a shell on each computer to see what's going on.

Suggestion:
From the pfSense host:
tcpdump -n -i xn0 port 80
tcpdump -n -i xn2 port 80 and host 10.1.10.102

From the webserver:
tcpdump -n -i (name of the interface facing xn2) port 80

And of course, I assume the webserver's default gateway is 10.1.10.1. Am I right?

When I ran the commands from the pfSense host:
tcpdump -n -i xn0 port 80

output: 11 packets captured
        492 packets received by filter

tcpdump -n -i xn2 port 80 and host 10.1.10.102

output: 86 packets captured
        3773 packets received by filter

From the webserver:
tcpdump -n -i eth0 port 80

output: 0 packets captured

I have attached the output of netstat on the webserver instance, which shows the ports are open, and also attached the NAT settings and interface settings on pfSense. I have hidden my public IP in the 2nd attachment.

Thanks for all the suggestions!
« Last Edit: March 22, 2017, 09:59:04 pm by jauyzed »

Chromatics:
When you were running tcpdump, you could see each packet's log line.

Were you able to see, on xn0, incoming packets with destination public IP : port 80?
And what about outgoing packets with source public IP : port 80?

Were you able to see, on xn2, outgoing packets with destination 10.1.10.102 : port 80?
And what about incoming packets with source 10.1.10.102 : port 80?

Were you able to see, on the interface of the webserver, incoming packets with destination 10.1.10.102 : port 80?
And what about outgoing packets with source 10.1.10.102 : port 80?
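As an added example (not from the thread), here is a small Python checker that applies the six questions above to `tcpdump -n` output: it parses source and destination of each captured line and reports the first stage of the forward-and-reply path where no packet appeared. The capture lines, the public IP 52.102.0.1 and the client address 203.0.113.7 are constructed; the interface names xn0, xn2 and eth0 follow the thread.

```python
import re

# Constructed sample `tcpdump -n` lines (not the poster's real captures).
# The public IP 52.102.0.1 and the client 203.0.113.7 are assumptions.
PUBLIC_IP = "52.102.0.1"
WEB_IP = "10.1.10.102"
SAMPLE = {
    "xn0": [  # WAN: the SYN from outside arrives, but no reply ever leaves
        "21:40:01.101 IP 203.0.113.7.51514 > 52.102.0.1.80: Flags [S], seq 1, length 0",
        "21:40:02.103 IP 203.0.113.7.51514 > 52.102.0.1.80: Flags [S], seq 1, length 0",
    ],
    "xn2": [],   # OPT1: nothing was forwarded toward the web server
    "eth0": [],  # web server: nothing arrived
}

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse(line):
    """Return (src, sport, dst, dport), or None for non-IP lines such as ARP."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def seen(lines, *, dst=None, src=None, port=80):
    """True if any captured packet goes to dst:port or comes from src:port."""
    for s, sp, d, dp in filter(None, map(parse, lines)):
        if dst is not None and (d, dp) == (dst, port):
            return True
        if src is not None and (s, sp) == (src, port):
            return True
    return False

def diagnose(captures, public_ip=PUBLIC_IP, web_ip=WEB_IP):
    """Walk the stages in packet order; return the first one with no packets, or None."""
    checks = [
        ("xn0: request to public IP:80 not seen", seen(captures["xn0"], dst=public_ip)),
        ("xn2: request not forwarded to the web server", seen(captures["xn2"], dst=web_ip)),
        ("eth0: request never reached the web server", seen(captures["eth0"], dst=web_ip)),
        ("eth0: web server sent no reply", seen(captures["eth0"], src=web_ip)),
        ("xn2: reply from the web server not seen", seen(captures["xn2"], src=web_ip)),
        ("xn0: reply from public IP:80 not sent", seen(captures["xn0"], src=public_ip)),
    ]
    for message, ok in checks:
        if not ok:
            return message
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE) or "all six stages present: forward and reply paths work")
```

With the sample above it stops at the xn2 stage, which matches the thread's symptom of packets on the WAN but none reaching the web server.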

Derelict:
Do NOT set a source port on your port forward.

You had to click advanced and ignore this to get where you are right now:

Quote
Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.
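To make the two fixes in this thread concrete (Chromatics' point that the destination must be the WAN address, and Derelict's point that the source port must stay 'any'), here is an added illustration in pf's own rdr syntax, not taken from the thread or generated by pfSense: xn0 is the WAN interface as in the thread, and writing the address as (xn0) is an assumption so that pf follows the dynamic Comcast IP.

```pf
# Wrong variant, as described in the thread: matches only traffic aimed at the
# private address and only when the client's source port is 80. A browser's
# source port is random, so traffic arriving on the WAN never matches.
rdr on xn0 proto tcp from any port 80 to 10.1.10.102 port 80 -> 10.1.10.102 port 80

# Corrected: match packets whose destination is the WAN address itself, from any
# source port, and translate the destination to the nginx host on OPT1.
# A separate filter rule on WAN allowing TCP to 10.1.10.102:80 is still needed.
rdr on xn0 proto tcp from any to (xn0) port 80 -> 10.1.10.102 port 80
```

In the pfSense port forward GUI the second rule corresponds to Destination set to the WAN address and the advanced source port left at 'any'.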

jauyzed:
Quote from: Derelict
Do NOT set a source port on your port forward.

You had to click advanced and ignore this to get where you are right now:

Quote
Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

This setting did it! Thank you!

jauyzed:
Quote from: Chromatics
When you were running tcpdump, you could see each packet's log line.

Were you able to see, on xn0, incoming packets with destination public IP : port 80?
And what about outgoing packets with source public IP : port 80?

Were you able to see, on xn2, outgoing packets with destination 10.1.10.102 : port 80?
And what about incoming packets with source 10.1.10.102 : port 80?

Were you able to see, on the interface of the webserver, incoming packets with destination 10.1.10.102 : port 80?
And what about outgoing packets with source 10.1.10.102 : port 80?

Thank you for all the responses and suggestions! Helped me debug the network.