Topic: Seems like a NAT issue with static outbound...

danswartz
Re: Seems like a NAT issue with static outbound...
« Reply #15 on: November 09, 2009, 03:32:35 pm »
Ah, okay, this makes sense then. What I see that is suspicious: there is no 'pass in quick' rule for the two OPT1 port forwards. If you go to the Firewall => Rules section, do you not see any auto-generated rules for the OPT1 port forwards? If not, that is the issue, IMO. I don't know why it would not be generating those (maybe a bug?). If so, you can probably get around that by adding them yourself.

jmcskixc
« Reply #16 on: November 09, 2009, 04:31:11 pm »
OK, sorry for the confusion, but this makes more sense. I had an error in there, which I've now corrected. Funny how scrutiny turns up those things... Here's the (correct) output per the previous request. Port 80 on OPT1, port 25 on LAN. I've confirmed the port forward actually

# pfctl -s all | grep 192.168.5.99
rdr on sis0 inet proto tcp from any to A.B.C.D port = http -> 192.168.5.99
pass in quick on sis0 reply-to (sis0 A.B.C.1) inet proto tcp from any to 192.168.5.99 port = http flags S/SA keep state label "USER_RULE: NAT "
# pfctl -s all | grep 192.168.0.6
rdr on sis0 inet proto tcp from any to A.B.C.D port = smtp -> 192.168.0.6
pass in quick on sis0 reply-to (sis0 A.B.C.1) inet proto tcp from any to 192.168.0.6 port = smtp flags S/SA keep state label "USER_RULE: NAT Mail to Exchange"
#

So now the outputs match, as I would expect, but the port forward doesn't actually "work" on the OPT interface.  I still wonder if this has something to do with the outbound NAT, and the packets not getting back out?  Just a thought.

danswartz
« Reply #17 on: November 09, 2009, 05:01:25 pm »
What (if any) are your OPT1 rules?

danswartz
« Reply #18 on: November 09, 2009, 06:08:27 pm »
Also, test out this theory (if possible) by running some kind of sniffer on a host on the OPT1 subnet, and see if it sees anything coming from the pfsense box when you try to connect from outside.

jmcskixc
« Reply #19 on: November 10, 2009, 08:06:54 am »
Good morning. OPT firewall rules look like this. This interface's IP is 192.168.5.1/24:

  Action  Proto  Source  Port  Destination     Port  Gateway  Schedule  Description
  X       *      OPT3    *     192.168.0.0/24  *     *
  >       *      OPT3    *     *               *     *


WAN rules look like this:

  Action  Proto  Source  Port  Destination   Port       Gateway  Schedule  Description
  >       TCP    *       *     192.168.0.6   25 (SMTP)  *                  NAT Mail to Exchange
  >       TCP    *       *     192.168.5.99  80 (HTTP)  *                  NAT Web server


NAT rules next:

  If   Proto  Ext. port  NAT IP                       Int. port  Description
  WAN  TCP    25 (SMTP)  192.168.0.6 (ext.: A.B.C.D)  25 (SMTP)  Mail to Exchange
  WAN  TCP    80 (HTTP)  192.168.5.99 (ext.: A.B.C.D) 80 (HTTP)

To review, port 25 forwards OK, port 80 does not. The mail host is on the LAN interface, the web server is on the OPT interface.

Outbound manual NAT rule is the standard default, with static port enabled (for both networks).  Static port enabled/disabled seems to make no difference.

I'll try to capture some packets next and see what happens.

jmcskixc
« Reply #20 on: November 11, 2009, 11:10:41 am »
Well, the packet capture was very enlightening. It showed, well, no packets at all. A little detective work with alternate ports indicates that my lovely ISP is blocking port 80, despite allowing port 25 and this being a commercial connection. Changed to another port number and everything works as it should. As for the original issue with the VNC ports, I suspect there was a separate issue there as well. I'll consider this mystery solved. Thanks for all your time and effort; it certainly did lead me to the solution. Port forwarding works just fine, as long as the packets actually get there!