
Topic: Unable to configure NAT forwarding rule correctly


analbeard
Unable to configure NAT forwarding rule correctly
« on: August 10, 2017, 12:26:56 am »
I'm unable to get traffic to NAT correctly through to an internal IP behind my firewall. I've attached a screenshot of the relevant NAT rule and below are the troubleshooting/diagnostic steps I've carried out. I've also been through the port forward troubleshooting page and as far as I'm concerned I've set everything up correctly.

Testing from a remote location:

Code:
$ telnet test.domain.com 30000
Trying 86.x.x.x...
telnet: connect to address 86.x.x.x: Connection refused

Packet capture shows inbound traffic:

Code:
05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0
05:37:43.325328 IP 77.x.x.x.51192 > 86.x.x.x.32401: tcp 0
05:37:43.567784 IP 77.x.x.x.51194 > 86.x.x.x.32401: tcp 0
05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.32401: tcp 0
05:37:56.048889 IP 77.x.x.x.51199 > 86.x.x.x.32401: tcp 0

Firewall logs show it being dropped:

Code:
Aug 10 05:20:50 WAN 77.x.x.x:51179 86.x.x.x:30000 TCP:SEC
Aug 10 05:20:50 WAN 77.x.x.x:51180 86.x.x.x:30000 TCP:SEC
Aug 10 05:20:56 WAN 77.x.x.x:51178 86.x.x.x:30000 TCP:S
Aug 10 05:20:56 WAN 77.x.x.x:51179 86.x.x.x:30000 TCP:S

The port is open from the firewall:

Code:
# telnet 10.101.0.30 443
Trying 10.101.0.30...
Connected to 10.101.0.30.
Escape character is '^]'.
« Last Edit: August 10, 2017, 01:00:37 am by analbeard »
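
The three diagnostics in this post answer three separate questions: the remote telnet tells you whether anything answers, the packet capture tells you whether the SYN reaches the WAN interface and on which port, and the firewall log tells you whether pf itself is dropping it. The following Python is an added example, not code from the original post or from pfSense: it parses capture and firewall-log lines in the two formats shown above and turns them into a verdict, and it also flags the case where the captured destination port does not match the port in the log (which is what the reply below points out). The sample lines are constructed, with addresses replaced by RFC 5737 documentation ranges, and the flag-letter mapping (S SYN, A ACK, F FIN, R RST, P PSH, U URG, E ECE, C CWR) is this example's assumption about the pfSense log legend; on that reading a "TCP:SEC" entry is an ordinary SYN from an ECN-capable client, not a malformed packet.

```python
"""Triage a pfSense port forward that does not pass traffic.

Added example (not from the thread or pfSense). Paste the tcpdump lines from
Diagnostics > Packet Capture and the summary lines from Status > System Logs >
Firewall into CAPTURE and FIREWALL_LOG, then call triage(<forwarded port>, ...).
"""
import re
from collections import Counter

# Constructed sample input modelled on the lines posted in the thread; these are
# documentation addresses (RFC 5737), not the poster's real hosts.
CAPTURE = """\
05:37:43.325238 IP 198.51.100.7.51193 > 203.0.113.10.32401: tcp 0
05:37:43.325328 IP 198.51.100.7.51192 > 203.0.113.10.32401: tcp 0
05:37:43.567784 IP 198.51.100.7.51194 > 203.0.113.10.32401: tcp 0
"""
FIREWALL_LOG = """\
Aug 10 05:20:50 WAN 198.51.100.7:51179 203.0.113.10:30000 TCP:SEC
Aug 10 05:20:50 WAN 198.51.100.7:51180 203.0.113.10:30000 TCP:SEC
Aug 10 05:20:56 WAN 198.51.100.7:51178 203.0.113.10:30000 TCP:S
"""

# tcpdump summary line: "<time> IP src.sport > dst.dport: tcp <len>"
CAPTURE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp")
# pfSense firewall-log summary: "Mon DD HH:MM:SS IFACE src:sport dst:dport TCP:FLAGS"
LOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) (\S+):(\d+) (\S+):(\d+) TCP:([A-Z]+)$")
# Assumed meaning of the flag letters in the pfSense firewall log display.
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "C": "CWR"}


def parse_capture(text):
    """Return (src, sport, dst, dport) for each TCP packet in tcpdump output."""
    out = []
    for line in text.splitlines():
        m = CAPTURE_RE.match(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return out


def parse_log(text):
    """Return one dict per logged TCP entry: iface, src, sport, dst, dport, flags."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append({"iface": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                        "dst": m.group(4), "dport": int(m.group(5)), "flags": m.group(6)})
    return out


def decode_flags(flags):
    """Expand 'SEC' -> ['SYN', 'ECE', 'CWR']; unknown letters are passed through."""
    return [FLAG_NAMES.get(c, c) for c in flags]


def is_new_connection(flags):
    """A SYN without ACK is a fresh connection attempt, whatever the ECN bits say."""
    return "S" in flags and "A" not in flags


def triage(expected_port, capture_text, log_text, wan_iface="WAN"):
    """Combine capture and log evidence into a verdict for one forwarded port."""
    captured = Counter(p[3] for p in parse_capture(capture_text))
    blocked = Counter(e["dport"] for e in parse_log(log_text)
                      if e["iface"] == wan_iface and is_new_connection(e["flags"]))
    notes = []
    if captured and expected_port not in captured:
        notes.append(f"capture shows ports {sorted(captured)} not {expected_port}; "
                     "capture and log may come from different rule versions")
    if blocked.get(expected_port):
        verdict = ("SYNs to the forwarded port reach WAN and are blocked by the filter: "
                   "check the pass rule, the alias table contents, and whether a filter "
                   "reload happened after the NAT rule was edited")
    elif captured.get(expected_port):
        verdict = ("SYNs reach WAN and are not logged as blocked: check the rdr rule "
                   "target and that the internal host answers on the internal port")
    else:
        verdict = "no SYNs to the forwarded port seen on WAN: the problem is upstream of pfSense"
    return {"captured_ports": dict(captured), "blocked_syn_ports": dict(blocked),
            "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    result = triage(30000, CAPTURE, FIREWALL_LOG)
    print(result["verdict"])
    for note in result["notes"]:
        print("note:", note)
```

Run against the constructed sample, the script reports that SYNs to 30000 reach WAN and are blocked, and adds a note that the capture was taken on a different port (32401), which is the inconsistency the first reply picks up on. The "telnet from the firewall to 10.101.0.30 443" test in the post is still worth doing separately: it proves the internal service is up, but says nothing about whether pf will pass translated traffic to it.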

johnpoz
Re: Unable to configure NAT forwarding rule correctly
« Reply #1 on: August 10, 2017, 10:35:50 am »
"05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0"

That is not traffic to your 30000 port you said you forwarded..

But then you do show drops to 30000 but can not tell when you did what, so for all we know you edited the forward?  Please post screen shot of your firewall wan rules
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- If I have helped you and want to help back, https://www.freebsdfoundation.org/donate/
- Please don't PM me for personal help, info you don't want public sure. Link to thread you would like me to look at ok, etc.
1x SG-2440 2.3.4_p1 (work)
1x 2.4.0-BETA Aug 18 00:32:41 VM running on esxi 6.5 (home)

analbeard
Re: Unable to configure NAT forwarding rule correctly
« Reply #2 on: August 10, 2017, 11:08:55 am »
Apologies, you are indeed correct - I had changed the port but pasted the wrong packet capture output. Either way, the traffic is hitting the WAN interface on 30000 and then being dropped.

I've attached my WAN rules as requested - they're a little messy as I'm fairly new to pfSense, but there aren't too many of them.

Thanks!

johnpoz
Re: Unable to configure NAT forwarding rule correctly
« Reply #3 on: August 10, 2017, 11:30:38 am »
so is your alias correct?  Look in your table to see that it has your IP.. But your rule you posted was to IP not to alias.

analbeard
Re: Unable to configure NAT forwarding rule correctly
« Reply #4 on: August 10, 2017, 11:34:15 am »
Quote
and there is no firewall rule for 30000 on there so yeah it's going to be dropped!!! As it should be..

OK, so my understanding from the port forwarding docs is that if I create the NAT rule and leave the 'create associated filter rule' box ticked, then that should be sufficient:

Quote
'When adding a port forward, a firewall rule must also be added to allow traffic in to the internal IP address designated by the port forward. There is an option to automatically add this rule when creating a port forward definition, and it is enabled by default.'.

The auto-added rule is second from bottom.

analbeard
Re: Unable to configure NAT forwarding rule correctly
« Reply #5 on: August 10, 2017, 11:37:49 am »
Additionally, the rule you can see for 8123 was created exactly the same way and it works perfectly when tested from an external source.

analbeard
Re: Unable to configure NAT forwarding rule correctly
« Reply #6 on: August 10, 2017, 11:45:32 am »
Quote
so is your alias correct?  Look in your table to see that it has your IP.. But your rule you posted was to IP not to alias.

The alias definitely points to the correct IP, but just for troubleshooting's sake I changed the NAT rule to use the IP instead of the alias and now it works.   :-\

I've attached my alias table.

This smells like a bug to me.

analbeard
Re: Unable to configure NAT forwarding rule correctly
« Reply #7 on: August 10, 2017, 12:18:43 pm »
OK, I've since done some more digging and uncovered what I think is probably the root cause of the issue. I changed the NAT rule to listen externally on 443 as this was my ultimate goal and I could then see traffic being dropped again (all I'd changed is the port). I then manually ran a filter reload and traffic started passing - it seems updating a NAT rule doesn't update the corresponding filter rule. Is this the expected behaviour?
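
Reply #7 narrows the symptom to the filter side of the forward: the rdr rule changed, but the pass rule that admits the translated traffic did not follow until a filter reload, and a forward to an alias whose pf table has not been populated fails the same way (the check asked for in reply #3). The Python below is an added example, not code from the thread or from pfSense, that cross-checks saved output of `pfctl -sn` (NAT rules), `pfctl -sr` (filter rules) and `pfctl -t NAME -T show` (table members) and reports, per rdr rule, whether a pass rule on the same interface and protocol actually lets the translated traffic through. It goes a little beyond the thread by distinguishing three failure modes: a pass rule pointing at an empty alias table, a pass rule whose port no longer matches the rdr target, and no pass rule at all. The sample pfctl output is constructed; the interface name em0, the table name NAS_host, the second forward on 8123 and all addresses are assumptions of this example.

```python
"""Cross-check pf rdr (NAT) rules against pass rules and alias tables.

Added example (not from the thread or pfSense). On the firewall, save the live
state with
    pfctl -sn > nat.txt; pfctl -sr > rules.txt; pfctl -t NAS_host -T show > table.txt
and feed the file contents to check_forwards().
"""
import re

# Constructed sample output modelled on pfctl's rule syntax (not the poster's
# firewall). The NAS_host table is empty, so the pass rule for the 443 forward
# cannot match anything even though the rdr rule itself is fine.
NAT_RULES = """\
rdr on em0 inet proto tcp from any to 203.0.113.10 port = 443 -> 10.101.0.30 port 443
rdr on em0 inet proto tcp from any to 203.0.113.10 port = 8123 -> 10.101.0.40 port 8123
"""
FILTER_RULES = """\
block drop in log inet all label "Default deny rule IPv4"
pass in quick on em0 inet proto tcp from any to <NAS_host> port = 443 flags S/SA keep state label "USER_RULE: NAT NAS"
pass in quick on em0 inet proto tcp from any to 10.101.0.40 port = 8123 flags S/SA keep state label "USER_RULE: NAT 8123"
"""
# Output of `pfctl -t <name> -T show`, keyed by table name (assumed alias name).
TABLES = {"NAS_host": ""}

RDR_RE = re.compile(
    r"^rdr on (\S+) inet proto (\w+) from any to (\S+) port = (\d+) -> (\S+) port (\d+)")
PASS_RE = re.compile(
    r"^pass in quick on (\S+) (?:reply-to \([^)]*\) )?inet proto (\w+) from any to (\S+) port = (\d+)")


def parse_rdr(text):
    """Return dicts with iface, proto, ext_ip, ext_port, int_ip, int_port per rdr rule."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if m:
            rules.append({"iface": m.group(1), "proto": m.group(2), "ext_ip": m.group(3),
                          "ext_port": int(m.group(4)), "int_ip": m.group(5),
                          "int_port": int(m.group(6))})
    return rules


def parse_pass(text):
    """Return dicts with iface, proto, dst (IP or <table>), port per inbound pass rule."""
    rules = []
    for line in text.splitlines():
        m = PASS_RE.match(line)
        if m:
            rules.append({"iface": m.group(1), "proto": m.group(2),
                          "dst": m.group(3), "port": int(m.group(4))})
    return rules


def resolve_dst(dst, tables):
    """A destination written as <name> is a pf table; expand it to its members."""
    if dst.startswith("<") and dst.endswith(">"):
        return set(tables.get(dst[1:-1], "").split())
    return {dst}


def check_forwards(nat_text, filter_text, tables):
    """For each rdr rule, say whether a pass rule admits the translated traffic."""
    passes = parse_pass(filter_text)
    findings = []
    for r in parse_rdr(nat_text):
        path = [p for p in passes if p["iface"] == r["iface"] and p["proto"] == r["proto"]]
        exact = [p for p in path
                 if r["int_ip"] in resolve_dst(p["dst"], tables) and p["port"] == r["int_port"]]
        wrong_port = [p for p in path
                      if r["int_ip"] in resolve_dst(p["dst"], tables) and p["port"] != r["int_port"]]
        empty = [p for p in path if p["dst"].startswith("<") and not resolve_dst(p["dst"], tables)]
        if exact:
            status, detail = "ok", f'matched by pass rule to {exact[0]["dst"]} port {exact[0]["port"]}'
        elif wrong_port:
            status, detail = "port_mismatch", (f'pass rule allows port {wrong_port[0]["port"]} '
                                               f'but rdr targets {r["int_port"]}: stale rule, reload filter')
        elif empty:
            status, detail = "empty_table", (f'pass rule uses table {empty[0]["dst"]} with no members: '
                                             'check the alias and reload the filter')
        else:
            status, detail = "missing", "no pass rule for the translated destination"
        findings.append({"ext_port": r["ext_port"], "target": f'{r["int_ip"]}:{r["int_port"]}',
                         "status": status, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in check_forwards(NAT_RULES, FILTER_RULES, TABLES):
        print(f'{f["ext_port"]:>6} -> {f["target"]:<18} {f["status"]:<13} {f["detail"]}')
```

On the constructed sample the 443 forward is reported as empty_table and the 8123 forward as ok, matching the pattern in this thread where one auto-created rule worked and the other did not. When a finding is port_mismatch or empty_table, Status > Filter Reload in the GUI (or `/etc/rc.filter_configure` from the shell) regenerates and loads the ruleset; re-run the check afterwards to confirm the pass rule and table now agree with the rdr rule.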

johnpoz
Re: Unable to configure NAT forwarding rule correctly
« Reply #8 on: August 10, 2017, 12:24:42 pm »
I have never seen NAT not update the firewall rules or reload the filters.. You can look in the log and see the filter reload.