@SteveITS said in Block internet for one IP:

@pfsense57352 An add on to what John said: https://docs.netgate.com/pfsense/en/latest/troubleshooting/firewall.html#new-rules-are-not-applied

Thank you!

I've started my journey with pfsense yesterday, so i'm brand new with this router/firewall. But i already like it much better than mikrotik.

@johnpoz Well, it's not really about what I was thinking it would do, it's what actually happened...

I am able to get Open NAT on most games with a NAT and a FW rule in Sophos for port 3074 UDP. But there seems to be no way to make MW2 even get to Moderate NAT. Yet, with UPnP in between the game and Sophos, or pfsense in the past, it just works...

Now, if I could get this to work with the right rules, I could potentially turn off UPnP in pfsense (my main firewall) and feel a little bit more secure, right.
Why this even popped up was because I just managed to get a second IP from my ISP which made playing around with different firewalls and configs a lot more convenient. And most importantly I can do it without disturbing the peace at home...

Anyway, many, or most, games require you to open some ports in the router in order to be able to do certain things. Just playing a game on a public server may not be an issue, even when the game reports Strict NAT. The game, as does every application, will reach out using whatever port it is designed to use and find e.g. Deamonware servers to get the list of active servers to play on.

But if you want to host a game, to play with your friends, you have to have at least Moderate NAT. And Open NAT is desired since also those with Strict will be able to access your server then.

So for most or all other games that are being played in our home, it's as simple as looking up what ports to forward, and add the rules, and you typically get Open NAT.
Which is what I wrote in reference to opening port 3074 on Sophos, to get Open NAT on the other games, when behind the second router. And this works fine also when directly connected to Sophos.

For most games this is enough:
internet -- (wan) Nat rule Port 3074 Router 1 (lan) ---- (wan) Nat router 2 (UpnP) (lan) ---- PC

But the game in question is using ports in a strange way, and I can't figure out what's going on. Even if you open all the ports that are listed for that game, you still get Strict NAT. And if you ONLY use UPnP, all that shows up in pfsense Status page are Ports 28960 and 28961. So these have been requested as port forwards alhtough both show internal port 28960 (which is the port listed to be opened if playing on one PC).
Like I also mentioned, to get this to work in earlier versions of pfsense, before some updates in UPnP, you had to use Hybrid Outbound NAT and make sure to set Static Port in the Translation section. I'm thinking there is some clue here as to what is going on?

And when I now have placed a second router with UPnP in between, it is handling this "translation" in the way the game likes it. Whilst on the uplink side, is is "playing nice and pure" in terms of which port(s) it is using to reach the internet.

I think I need to do some pcap to see what is going on in the different scenarios.

@Mahadir Ok, well the fact that you use the machine for many other things does not exclude the possibility to replace the ISP router with pfsense. I am myself running pfsense on Proxmox and that same machine is running several other VM's.
The reason you may not want that is either that it is located too far away to make the physical connection to the WAN. Or that you do a lot of restarting of the Proxmox machine which would interrupt your internet connection for all... But typically you do not have to restart Proxmox at all, except when changing HW for example.

It's best if you can assign dedicated ports for pfsense WAN and LAN, and use any other ports on the Proxmox machine for the other VM's and the management interface. I'm guessing you have 3 or more ports in that machine?
And preferably you pass those two two ports thru (IOMMU) to pfsense, which means that Proxmox cannot see them or use them for anything, and pfsense has full ownership of them. If not, just make sure you only assign for example vmbr3 and 4 to pfsense and vmbr0, 1 and 2 can be used for other VM's, or however many ports you have.

When it comes to DMZ, that has to be done towards a specified target machine which means you want to give pfsense a fixed IP. In pfsense you keep the WAN interface config type as DHCP. And you decide for an IP and set that in the SFR router. If you disable and then enable the WAN interface, it will pick up the new address from the SFR router. But you can never get your public IP on the LAN side of their router unless it has Bridge Mode.
So once you see the correct IP in pfsense interface, you can go to the DMZ settings in the SFR router and apply that to the IP that pfsense has. Now all ports are opened towards pfsense and you should be able to access your exchange server from the internet, as long as you have done the port forwarding (Firewall > NAT) in pfsense.

@uberlousanis Yes, so far it's working with static IPs.

@hugoeyng
Obey @johnpoz suggestion and sniff the traffic using Diagnostic > Packet Capture on pfSense.

Select the INFIX interface and state 25001 at the port filter. Start the capture and then try to check the port with canyouseeme or alike from outside.

If there are no packets, something is wrong in front of pfSense.
If you see incoming packets, but no responses, go the internal interface, where the destination server is connected to.

@William-Bento-Rodrigues Forwarding port 53 would provide DNS, but the workstation would need to know to use that WAN IP…probably a domain override on the upstream router. But then AD DNS would respond with the DNS Server IP. Lots of monkeying around with that I’d think.

If you get it to work you’ll presumably need other ports too for instance SMB to pick up netlogon/group policy. Not sure exactly which are needed for the “join” part.

Setting up static routes to the server subnet without NAT seems easier…?

@Ghost-0 if you want to remove the auto nat rules, you would have to go to manual mode.

@SteveITS I should have double checked that the server was listening on the default port.

sorry for making the post as there was nothing wrong with how Pfsense was working. I just had to change the port forwarding to the port the server was listening on and it all started working.

@Shan-lapierre said in Monitor NAT rules:

And infact my NAT rule was created whit "Pass" flag and pf doesn't created any fw rule.

I'm still looking for a usage of that "Pass" case ^^

Normally, a NAT rule translates traffic coming (initiated) somewhere on 'the WAN' (the Internet) and the address (WAN IP) (and port) has to be mapped == translated (a,d port) to a LAN addresses, so it can reach this device.
This needs of course a WAN 'firewall' rules, as by default nothing can enter the WAN - everything is blocked by default.
A NAT rule without an accompanying firewall rule .... won't work, as traffic will never reach the NAT rule, as traffic can not enter into the WAN interface.

I'm not saying other types of NAT exit, they do.

From what I've read :

receive traffic to my firewall on a specific port from a specific public IP.

Everything is working (so the external traffic reaches me on an endpoint inside my network that is listening on that specific port).

your use the classic method, and you need a auto generated firewall rule on the WAN interface.

@tman222 said in Port Forward Add Unassociated Filter Rule Not Working?:

Add unassociated filter rule

I can confirm this behavior. An Unassociated Filter Rule is probably not selected often though.

@jrodrigomor said in Outbound NAT (hybrid) not working:

Could you detail what the rule would look like or maybe even show me a print of this configuration?

Here is an example, I have an outbound nat that says if you go out my ns1vpn, to nat to that address.. A rule that would force traffic out that gateway is placed on the interface where you have traffic you want to route out that gateway.

policyroute.jpg

You assign the specific gateway to a rule via the advanced when you setup the rule, notice the little gear next to the rule, that shows that an advanced setting was done on the rule.

OK, solved it myself: WAN interface rule needed to specify IP&port of internal (NATted) host. Changed that. Traffic passes.

Thanks!

@Scarecrow4798 said in Internal port redirect:

Would the best way of doing it then be to move dashy to another interface? VLAN?

Sure if this dashy was on a different network that route through pfsense, you could redirect the traffic to a different port.

Seems like of trouble, that could be solved with a simple :port on your bookmark ;)

@Elmojo said in Cannot PF/NAT to save my life...:

@johnpoz Okay, I'll have to dig into the docs a little and see where I need to go from here.
I'm happy with using Clouflare, if it's built into pfsense. I only had a duckdns account because it was referenced in a tutorial I was following for another service a while back.

Thanks again for all your help. Hopefully I can take it from here, but I can't swear I won't have another couple Qs as I get all this untangled. :)

Duckdns have good support info on their page.

Go to their install page https://www.duckdns.org/install.jsp
Select pfsense and then in the drop down select which one of your domains you want to use.

The page will then update to provide you with a URL looking like this:
https://www.duckdns.org/update?domains=[DOMAIN]&token=[TOKEN]&ip=%IP%
Where DOMAIN and TOKEN are generated from your account.

In pfsense > services > Dynamic DNS, create a client and set the Service type to Custom.
Select your interface to monitor and send update from (WAN typically).

Then all you do is paste the URL you got from duckdns into the Update URL field.
Type OK in the Result Match field, add a description if you like and click save.

@frankz
For a quick start this Lawrence video may help: https://www.youtube.com/watch?v=gVOEdt-BHDY

It should cover all what you need for above aims.

For what it's worth. By setting my outbound rules up manually and having them use static ports, the issue seems to be resolved.

Why the old appliance did not need this, and the new one does, I do not know. But hey, it works now!