NAT can't work - Proxmox and pfsense

Geraldo Junior

New Member
Jun 21, 2017
Hello everyone, I hope you can help me ...

I have on the network a Proxmox server where I use pfSense to manage all incoming and outgoing packet traffic from the network, and I have a Debian virtual machine where I have Apache installed along with my apps.

I'm having the following problem:

When I configure NAT in pfSense to access port 80 of a physical computer on my network, I can. But when I try to create a NAT to access port 80 of the Debian virtual machine, I cannot access it, but I can usually ping pfSense from Debian and vice versa.

My tcpdump from trying to access port 80 from the internet:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:43:52.945800 IP (tos 0x0, ttl 63, id 4032, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags cheksum 0x76b5 (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38448036 ecr 0,nop,wscale 7], length 0
11:43:52.945820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2d28), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17013503 ecr 38448036,nop,wscale 7], length 0
11:43:53.485771 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.16319: Flags [S.], cksum 0xd07e (incorrect -> 0xe8c6), seq 3013307150, ack 3357459036, win 28960, options [mss 1460,sackOK,TS val 17013638 ecr 38442416,nop,wscale 7], length 0
11:43:53.581748 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.38558: Flags [S.], cksum 0xd07e (incorrect -> 0x4c9c), seq 1536617872, ack 193763727, win 28960, options [mss 1460,sackOK,TS val 17013662 ecr 38442438,nop,wscale 7], length 0
11:43:53.944813 IP (tos 0x0, ttl 63, id 4033, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags , cksum 0x75bb (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38448286 ecr 0,nop,wscale 7], length 0
11:43:53.944833 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2c2f), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17013752 ecr 38448036,nop,wscale 7], length 0
11:43:54.941774 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2b35), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17014002 ecr 38448036,nop,wscale 7], length 0
11:43:55.948887 IP (tos 0x0, ttl 63, id 4034, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags , cksum 0x73c6 (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38448787 ecr 0,nop,wscale 7], length 0
11:43:55.948907 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2a3a), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17014253 ecr 38448036,nop,wscale 7], length 0
11:43:57.945770 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2846), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17014753 ecr 38448036,nop,wscale 7], length 0
11:43:59.952800 IP (tos 0x0, ttl 63, id 4035, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags , cksum 0x6fdd (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38449788 ecr 0,nop,wscale 7], length 0
11:43:59.952820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2651), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17015254 ecr 38448036,nop,wscale 7], length 0
11:44:01.504713 IP (tos 0x0, ttl 63, id 22512, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.16319 > 192.168.39.254.80: Flags , cksum 0x84cb (correct), seq 3357459035, win 29200, options [mss 1460,sackOK,TS val 38450176 ecr 0,nop,wscale 7], length 0
11:44:01.504732 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.16319: Flags [S.], cksum 0xd07e (incorrect -> 0xe0f2), seq 3013307150, ack 3357459036, win 28960, options [mss 1460,sackOK,TS val 17015642 ecr 38442416,nop,wscale 7], length 0
11:44:01.632802 IP (tos 0x0, ttl 63, id 3149, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.38558 > 192.168.39.254.80: Flags , cksum 0x132c (correct), seq 193763726, win 29200, options [mss 1460,sackOK,TS val 38450208 ecr 0,nop,wscale 7], length 0
11:44:01.632824 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.38558: Flags [S.], cksum 0xd07e (incorrect -> 0x44c0), seq 1536617872, ack 193763727, win 28960, options [mss 1460,sackOK,TS val 17015674 ecr 38442438,nop,wscale 7], length 0
11:44:03.949769 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2269), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17016254 ecr 38448036,nop,wscale 7], length 0
11:44:07.968672 IP (tos 0x0, ttl 63, id 4036, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags , cksum 0x6809 (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38451792 ecr 0,nop,wscale 7], length 0
11:44:07.968693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x1e7d), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17017258 ecr 38448036,nop,wscale 7], length 0
^C
19 packets captured
19 packets received by filter
0 packets dropped by kernel


Can anybody help me?
 

For analysis, more details about your setup are needed. It would be helpful if you

- post the result of

Code:
pvereport

- tell us about the VMs (which one is "pfsense" (if it is a VM at all), and which one is the "debian virtual machine")
 
In pfSense go to:
System | Advanced | Networking
and select
"Disable hardware checksum offload",
"Disable hardware TCP segmentation offload" and
"Disable hardware large receive offload"
Click "Save" and reboot pfSense.
The first one especially causes problems in virtualized environments. I had quite similar problems: connections from/to pfSense worked, but connections from/to devices behind the NAT didn't work. Disabling all offloading in the pfSense VM solved these "mysterious" problems. Ping worked, TCP connections did not; the packages just "disappeared" somewhere or got discarded by iptables without any real reason. So it sounds like your problem is the same.
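
An added example (not part of the thread) relating the offload advice above to the posted capture: it checks whether each `cksum ... (incorrect)` value equals the uncomplemented TCP pseudo-header sum, which is what a Linux sender with transmit checksum offload leaves in the field for the NIC to complete. The function names are illustrative, and the TCP length assumes a 20-byte IPv4 header.

```python
import ipaddress
import re

# Four lines copied from the tcpdump -v capture posted in this thread.
CAPTURE = """\
11:43:52.945820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.254.80 > 192.168.39.1.51129: Flags [S.], cksum 0xd07e (incorrect -> 0x2d28), seq 4263620679, ack 1955439717, win 28960, options [mss 1460,sackOK,TS val 17013503 ecr 38448036,nop,wscale 7], length 0
11:43:53.944813 IP (tos 0x0, ttl 63, id 4033, offset 0, flags [DF], proto TCP (6), length 60)
192.168.39.1.51129 > 192.168.39.254.80: Flags , cksum 0x75bb (correct), seq 1955439716, win 29200, options [mss 1460,sackOK,TS val 38448286 ecr 0,nop,wscale 7], length 0
"""
HDR = re.compile(r"proto TCP \(6\), length (\d+)\)")
PKT = re.compile(r"([\d.]+)\.\d+ > ([\d.]+)\.\d+: .*?cksum (0x[0-9a-f]+) \((correct|incorrect)")

def fold16(total):
    """Fold carries back in (ones'-complement 16-bit addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header_sum(src, dst, tcp_len):
    """Uncomplemented sum of the TCP pseudo-header (src, dst, protocol, TCP length)."""
    a, b = (int(ipaddress.IPv4Address(x)) for x in (src, dst))
    words = [a >> 16, a & 0xFFFF, b >> 16, b & 0xFFFF, 6, tcp_len]  # 6 = IPPROTO_TCP
    return fold16(sum(words))

def classify(capture):
    """Label each TCP packet: valid, offload-placeholder, or corrupt."""
    results, ip_len = [], None
    for line in capture.splitlines():
        hdr, pkt = HDR.search(line), PKT.search(line)
        if hdr:
            ip_len = int(hdr.group(1))  # total IP length from the header line
        elif pkt and ip_len is not None:
            src, dst, cksum, verdict = pkt.groups()
            tcp_len = ip_len - 20  # assumption: 20-byte IPv4 header, no IP options
            if verdict == "correct":
                kind = "valid"
            elif int(cksum, 16) == pseudo_header_sum(src, dst, tcp_len):
                kind = "offload-placeholder"
            else:
                kind = "corrupt"
            results.append((src, dst, cksum, kind))
            ip_len = None
    return results

if __name__ == "__main__":
    for row in classify(CAPTURE):
        print(*row)
```

In the posted capture every SYN-ACK from 192.168.39.254 carries 0xd07e, which matches that partial sum, so the "incorrect" checksums there come from transmit offload in the Debian guest rather than from corruption on the wire.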
 
