@johnpoz said in Port forwarding not working:

Same thing happened when I got new car - radio channels not setup like I like them, my seat was in the perfect position before. Had to redo all that stuff - wtf! ;)

🤣

I've spent a couple of days figuring out a solution of my problem.
I hope that this post will spare someone else many hours of frustration. ;)

By changing the Tomcat (ver 9.0.31) server.xml settings so that the <Connector> used by my HTTPS-server uses...

protocol="org.apache.coyote.http11.Http11Nio2Protocol"

and not...

protocol="org.apache.coyote.http11.Http11NioProtocol"

... the POST of files using HTTPS (I'm using "Let's Encrypt") works perfectly!

(It seems to work with any NAT reflection combinations as well.)

@bingo600 said in DMZ - 1:1 NAT , and also "Hybrid":

Aliases/VIP*s should not be in TFW IMHO.

They aren't. Not Aliases. But VIPs are ON THIS firewall, so it fits the description and the docs to the letter. All IPs that are on interfaces on that firewall. So that matches.

In fact an Alias belongs to TFW ... I had just hoped with an 1:1 Nat on it it would not ...

It still does but if you have defined a BiNAT entry, then the IP gets rewritten FIRST and thus no longer matches "this firewall" as the packet now is destined for the internal IP and has to match it. But it's way too easy to make errors that way so just define the IP you want to match (either by WAN address or by selecting the VIP you want) and use that in NAT/Rules so you're safer that way :)

Also move the WebUI port away from 443 and disable the auto redirect for it, that safes many headaches! We recommend using 4443 and explicitly blocking that on WAN-style interfaces can help avoid the "oopsie" of presenting your webUI to the world :) The rule is just a bonus though as you don't commonly have 4443/tcp allowed inbound anyways.

@fireodo thanks for the info.

@johnpoz thanks for the response. Just setting up like a had before using a pfsense. Using a VPN sounds like the way to go.

Using the NAT reflection did solve the issue in the meanwhile. Cheers.

Didnt upgrade yet since the initial feedback was very buggy...

@viragomann Understood, Thank you so much for the info.

What could possible have changed in an update that every other port forward works, other than plex? And if there was - why is mine working? I would think if there was something the boards would be a flame with users complaining.. There are a lot of pfsense/plex users.

So something sure is going on with the OP setup, but what that is impossible to figure out without some basic validation of what is going on.

What is more likely.. Something else changed.. There is a know issue if you have multiple wans, which I do not.. But that would effect all port forwards, etc.

Maybe he is using pfblocker and getting new rules for geoip blocking the IPs that plex uses to check.. Those ips can change.. I have a specific list in pfblocker that updates those for example.

https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Maybe during the update his public IP changed, or maybe plex is reporting the wrong public IP, etc.. There are lots of pieces to the puzzle for sure. Finding the missing piece is not possible without some actual info..

Maybe his plex is on a new local IP, and he is forwarding to the wrong IP? etc. etc..

@konikv
You're probaly looking for that: NAT with IPsec Phase 2 Networks

@operator2024 Hi
I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface.
could you please tell me what exactly you did so i can compare with my conf

in my case i have
Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS

Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS

both don't work
could you please help

@viragomann This was the solution. Thank you so much!

@slu Yes dude, tks

@saeed WELCOME Pfsense CE

I use Pfsense since 2.2.X

This type of failure in the essence of a firewall, did not occur. = (

@ralf-0
Firewall > NAT > Outbound > Disable Outbound NAT rule generation

SOLVED

Thanks for your help, by reading and thinking you helped me find the solution.

I found the fail!
It was done by myself.

I made a new NAT rule 3 weeks ago, in that rule i included port 8282 on block. I tuned the NAT rule, removed 8282 block, viola, all ports that I need to be open is now open:

5da1e541-e972-48d2-98b4-b221fb776202-image.png

@johnpoz
I recreated the Nat rule i was successful in getting this to work, currently monitoring the connection.

Thanks for your effort, Thanks

Works by doing the NAT configuration on the IPsec Phase 2 and a static route to the remote subnet pointing to inside interface.

NAT with IPsec Phase 2 Networks
Routing and gateway considerations

Thank you so much, @viragomann.

Despite extensive testing before release it's still possible to hit this in 2.5.1 CE but not as far as we know in 21.02.2 (Plus). Though it's unclear what the difference there is.
https://redmine.pfsense.org/issues/11805

Steve

@gertjan

Thank you so much for the support!

My mistake was to put the start and end port different in this case, on other firewalls it works like this.

Thanks again and have a nice day!

actually it was a pfsense update problem:

https://redmine.pfsense.org/issues/11805

update to 2.6.0 and its fine now.

hope they release a hotfix for stable version soon.

Have you tried to remove the GW's on the rules and let the FW handle them by itself?

@michael_kappler

https://redmine.pfsense.org/issues/11436#note-56

FYI

I wouldn't because, in my view, that complicates things.

You have two services that need http and https. You have to pic one for each port.

In a virtual server setup you can serve http and https depending on the host name request.

1 server > 2 websites

Unfortunately you have...

2 servers > 2 websites (your firewall http and your nextcloud http)

This is why you need to (again, in my view):

1 - Go to: system > advanced > change your port to something else, like me. I serve it on port 10000

Note: You will want to first make a firewall rule to allow port 10000 on your WAN. Firewall > Rules > Floating allow any to 10000 TCP

3df86e09-c752-41f5-bf25-5defabacc795-image.png

Here's the advanced web port change.

ee4e99d8-2824-4902-bda3-ab02085fdfb9-image.png

Once you change your web port on your firewall from http port 80 /https port 443 > you've free'd those up to be used on something else. Now you're doing http/https on port 10000 :-)

Now you can make a NAT rule:

firewall > nat > that says, anything from your WAN on http port 80 and https port 443 > go to your private IP 192.168.1.whatever (or whatever private IP's you're using).

Hope that helps.

That's how we've done these things in the past. Not using standard ports on your firewall for web management helps cut down on the BS even though they'll find you eventually. 10000 is a common port used in web servers as is 8080, and many others.

Alternatively, you could host your nextcloud on an alternative port too like 4434 or something and NAT 4434 > 443 on your private LAN side too. That would maintain the firewall defaults BUT we've found when publishing your owncloud URL that people will often hit the firewall interface not knowing they need to type in https://ip_address_here:4434
...so it can get confusing.

Always take a backup of your firewall before making and testing these changes :)

1:1 nat appears to be working to give my server one of those static addresses

Screen Shot 2021-04-12 at 3.04.46 PM.png

Screen Shot 2021-04-12 at 3.05.43 PM.png

@resortowner25
Check their documentation.
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html

Netgate also made a more current video about this configuration.
https://www.youtube.com/watch?v=iFAuK_m7JxE

@dardou
Since both NAT rules handles different unique destination addresses they do not overlap.

If another public IP (let's say 122.0.0.0.4) comes in to 200.0.0.1/9999

Both rules don't match to this. The first has a different destination IP and the second is restikt to a uniqe source IP which does not match to this.

The filter rules come into play after NAT.

https://redmine.pfsense.org/issues/11436

I don't think it's going to work to have the same public IP subnet on both the router WAN and the DMZ. It won't know where to route. I think you'll need to use 1:1 NAT to forward the IPs to the DMZ servers.

re: outbound NAT try
Source: IPofServer1/32
Destination: any (the Internet)
NAT Address: publicIPofServer1

Also remember to set up firewall rules on the DMZ network allowing access out. They only exist by default on LAN.

Perhaps using pfctl or something??
Need some help in this issue. Thanks.

@xeba
idk, could be a combination of this
https://redmine.pfsense.org/issues/11716
https://redmine.pfsense.org/issues/11568

@viragomann Thanks for the explanation. appreciated.

@derelict thanks a lot