Confused about port forwarding
-
@23roadsdiverged said in Confused about port forwarding:
non-PC devices (specifically a multifunction printer and a fire panel) trying to communicate outside the LAN are not working properly.
So those are connected behind pfsense - and they get an IP from the dhcp server running on pfsense. Did you change your network from when you installed pfsense, like from 192.168.42/24 to pfsense default of 192.168.1/24 ?
Out of the box there is nothing to do with rules on the lan, it defaults to any any - did you change that? Is it possible these devices are hard coded IPs on the devices? And they are pointing either to different gateway IP? Or dns that you're not allowing?
-
@johnpoz The LAN default gateway address (10.x.y.z) is the exact same on both old and new devices, as is the subnet mask.
I have tinkered with the NAT/firewall rules, although 2-3 years ago we had someone attempt to configure it unsuccessfully, and so there was already a firewall rule in place from him. Should I clear all firewall rules? I had thought it was implicit deny... I can list out current NAT/firewall rules if that would help.
They both have DHCP with a limited range, but the given devices have reserved ("static"?) IP addresses outside of the DHCP range. I initially had the printer set as a static IP, but then changed it to dynamic; once pfSense gave it a dynamic IP, I then used pfSense to set its MAC address to have the same static IP as before.
The fire panel has a static IP (possibly two) that was/were programmed into it by the Fire Panel company and one seems to respond to pings but show offline, while the other does not respond to pings but shows up as online. I was able to find the MAC address of the fire panel and reserve it the same static IP in pfSense as it had previously, I think. Both IP addresses are also outside of the DHCP range.
Regarding DNS, I am not sure how the fire panel is configured. The DHCP settings originally had our AD DS controller using google DNS (8.8.8.8 and 8.8.4.4), which I have switched on both the AD DS controller and the pfSense box to instead point to the Quad9 DNS (9.9.9.9 and 149.112.112.112). Should I switch that back?
-
@23roadsdiverged what did you change the firewall rules to?
Out of the box any device on the lan network of pfsense would be able to go anywhere, it defaults to any any rule..
So unless you're running a captive portal on pfsense or something.. Out of the box anything on your lan can go anywhere
If you're saying other devices are working, and you have the default rules, nothing in floating - no weird port forwards or outbound nats setup on the lan.. Then anything should work that is using pfsense as its gateway.
Other thing comes to mind is where you're trying to go or test whatever on say a printer would be dns is failing to resolve where they are trying to go..
If all your settings are to allow and still failing whatever you're doing to test, I would sniff on pfsense lan interface for the IP of the device to validate it's actually sending you traffic, and dns it's doing is getting a valid response, etc..
-
@23roadsdiverged those look pretty messed up. Why would you do a port forward for traffic hitting your wan on 10.0.0.251 IP to the same IP?
From your outbound nats, looks to me like you created a vip on pfsense for this 10.0.0.251 address?
What are you wanting to talk to what here? What are the IPs on your pfsense wan and your lan? If you have something on the pfsense wan network and you want it to talk to something pfsense. And its rfc1918 then you would need to turn off the block rfc1918 rules, and then either allow the traffic you want to forward to where. But your forwards are forwarding destination IP to the same IP??
But yeah none of that stuff makes any sense, and sure as hell isn't going to work.
-
@johnpoz There is nothing in floating, although I believe I am missing the default rules you mentioned. I should probably clear out all the rules I've made and start from scratch, and see if that works?
I'm not sure I know how to do what you are saying regarding DNS and the printer.
-
@23roadsdiverged the default rules are there, but your port forwards are a mess.. never going to work.
What are your networks on your wan and lan.. What IP is trying to talk to what?
-
I have cleared all but the default rules now. Will go check to see if printer works now...
I was told by the Fire Panel company that the Fire Panel needs to be "whitewalled"... googling that term shows nothing. I believe they said it also needs to accept any incoming messages for it.
WAN is one of the static IPs from Spectrum. 24.153.213.114 /29
LAN is 10.0.0.1 /24
-
@23roadsdiverged said in Confused about port forwarding:
LAN is 10.0.0.1 /24
Ok pfsense IP is 10.0.0.254? Why do you have a 10.0.0.251/32 IP setup on pfsense?
What IP pfsense lan?
What network are these fire panel or panels or fire panel servers sitting on? Do you need some IP on the public internet 1.2.3.4 or something that needs to talk to whatever the firepanel IP is that is on your 10.0.0 network behind pfsense?
-
@johnpoz Fire Panel is both 10.0.0.251 and 10.0.0.254, from what I can tell. pfSense is 10.0.0.1.
Multifunction printer is 10.0.0.201
I was trying to get port forwarding to match what was on Netgear Genie.
Yes, but on the Netgear router I never needed to know/enter the public IPs that need to talk to the Fire Panel. From looking in Diagnostics -> States, it is attempting to communicate to two public IPs: 64.9.116.20 and 66.153.46.154 through port 5050. Doing a tracert, those lead to getting hung up on the following IP: 206-169-51-51.static.ctl.one [206.169.51.51]. The Fire Panel company did say that they had to turn off their receiving device due to it receiving thousands of messages that it cannot establish a full connection. And from what they have told me in the past, it needs to accept incoming connections on different ports than what it sends out on. I think.
-
@23roadsdiverged you don't need to know the public IPs that want to talk to some internal IP, unless you want to lock it down.. But there is nothing in your rules that would stop 10.0.0.x from talking to some public IP.. But if you need the public internet to be able to talk to 10.0.0.254 that is behind pfsense.
Then that would be a port forward on your wan (wan address), that forwards the port to that IP..
example.
by default pfsense would create the wan firewall rule to allow the port forward
There is no reason you would need a "route" to get to 10.0.0.251, because pfsense knows how to get to anything on your 10.0.0.0/24 network because it is attached to it.
-
@johnpoz Ok, I have cleared out all misconfigured NAT rules and now have only the block Bogon and RFC 1918 ones showing. I then added the rule you described. Here's another thing I don't understand... in the Netgear, this 10.0.0.254 address was not listed in the IPv4 leases... but the 10.0.0.251 was. But the fire panel worked just fine. The 10.0.0.9 IP address listed in the port forwarding also was listed in the IPv4 leases, so I am not sure what that was for (it is also outside of the DHCP range).
-
@23roadsdiverged, if the device is set up as a static IP on the device, then no it wouldn't be listed in some dhcp server's lease table.
-
Sorry, what I meant was in the Netgear it was listed under "Connected Devices" with the static IP, along with all other connected devices, whether static or dynamic IP.
In Netgate/pfSense, the only similar screen I have found is the DHCP leases, I don't see where to access a similar "Connected Devices" page like what the Netgear had. But yeah, pfSense only lists static IPs on that list if I manually configure a device that initially shows up as a dynamically assigned IP.
-
@23roadsdiverged Check the ARP Table.
-
@rcoleman-netgate Ok, so when I looked, sure enough the 10.0.0.251 was not showing up in the ARP table. Feel dumb that I didn't realize the "Connected Devices" on the Netgear is the ARP table... I then reassigned the MAC address to 10.0.0.254, and it shows active and now shows up in the ARP table.... I will see if that, combined with the proper port forwarding from @johnpoz allows communication. Ty both!
-
@23roadsdiverged said in Confused about port forwarding:
@johnpoz
Here is the packet sniff for the printer:
11:34:49.095174 ARP, Request who-has 10.0.0.201 tell 10.0.0.87, length 46
11:34:58.364292 IP 10.0.0.201.5353 > 224.0.0.251.5353: UDP, length 45
11:35:00.033978 IP 10.0.0.201.5353 > 224.0.0.251.5353: UDP, length 45
11:36:19.876493 ARP, Request who-has 10.0.0.201 tell 10.0.0.83, length 46
11:37:10.958889 IP 10.0.0.201.138 > 10.0.0.255.138: UDP, length 215
11:37:11.003874 ARP, Request who-has 10.0.0.201 tell 10.0.0.87, length 46
11:38:11.019862 IP 10.0.0.201.138 > 10.0.0.255.138: UDP, length 215
11:38:41.897896 IP 10.0.0.201.41839 > 8.8.8.8.53: UDP, length 36
11:38:41.897990 IP 10.0.0.201.41839 > 8.8.8.8.53: UDP, length 36
11:38:41.927469 ARP, Request who-has 10.0.0.201 tell 10.0.0.1, length 28
11:38:41.927725 ARP, Reply 10.0.0.201 is-at 00:80:91:b8:42:d5, length 46
11:38:41.927741 IP 8.8.8.8.53 > 10.0.0.201.41839: UDP, length 206
11:38:41.947990 IP 8.8.8.8.53 > 10.0.0.201.41839: UDP, length 254
11:38:42.002268 IP 10.0.0.201.37642 > 8.8.8.8.53: UDP, length 44
11:38:42.032853 IP 8.8.8.8.53 > 10.0.0.201.37642: UDP, length 130
11:38:42.060924 IP 10.0.0.201.47100 > 8.8.8.8.53: UDP, length 47
11:38:42.150572 IP 8.8.8.8.53 > 10.0.0.201.47100: UDP, length 115
11:38:42.151309 IP 10.0.0.201.37955 > 8.8.8.8.53: UDP, length 47
11:38:42.239046 IP 8.8.8.8.53 > 10.0.0.201.37955: UDP, length 115
11:38:42.239685 IP 10.0.0.201.38925 > 8.8.8.8.53: UDP, length 48
11:38:42.340426 IP 8.8.8.8.53 > 10.0.0.201.38925: UDP, length 116
11:38:42.342240 IP 10.0.0.201.43624 > 8.8.8.8.53: UDP, length 41
11:38:42.342288 IP 10.0.0.201.43624 > 8.8.8.8.53: UDP, length 41
11:38:42.428810 IP 8.8.8.8.53 > 10.0.0.201.43624: UDP, length 109
11:38:42.436669 IP 8.8.8.8.53 > 10.0.0.201.43624: UDP, length 109
11:38:43.607172 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.653268 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
11:38:43.653674 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.691144 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 111
11:38:43.691554 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.691796 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 18
11:38:43.732928 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 206
11:38:43.773247 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.817188 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 10
11:38:43.850739 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 29
11:38:43.851159 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.851611 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 169
11:38:43.894592 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 1448
11:38:43.894612 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 1448
11:38:43.894629 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 1084
11:38:43.895250 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.929558 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 170
11:38:43.967681 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 51
11:38:43.968876 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 47
11:38:44.010279 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 245
11:38:44.036481 IP 10.0.0.201.56031 > 8.8.8.8.53: UDP, length 44
11:38:44.050500 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:44.074175 IP 8.8.8.8.53 > 10.0.0.201.56031: UDP, length 130
11:38:44.075845 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 41
11:38:44.115549 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 47
11:38:44.116014 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:44.116295 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 59
11:38:44.151756 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
11:38:44.152189 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 47
11:38:44.152632 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 47
11:38:44.243954 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
11:38:56.070231 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 192
11:38:56.070872 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 35
11:38:56.107991 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 77
11:38:56.108724 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
11:38:56.109364 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:56.147361 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
This packet capture is for when the printer is trying to send a scanned page out through the email.
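The check johnpoz asked for earlier in the thread (is the device actually sending traffic, and is its DNS getting answered?) can be done mechanically over a tcpdump text capture like the one above. This is an added example, not code from the thread or from pfSense; the sample lines are constructed from the capture quoted above, and the 9.9.9.9 query is a constructed, deliberately unanswered lookup to show what a failing resolver looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output quoted in the thread:
# LAN host 10.0.0.201, resolver 8.8.8.8, SMTP submission to 52.96.182.194.
# The 9.9.9.9 line is constructed to show a query that never gets a reply.
SAMPLE = """\
11:34:49.095174 ARP, Request who-has 10.0.0.201 tell 10.0.0.87, length 46
11:34:58.364292 IP 10.0.0.201.5353 > 224.0.0.251.5353: UDP, length 45
11:38:41.897896 IP 10.0.0.201.41839 > 8.8.8.8.53: UDP, length 36
11:38:41.927741 IP 8.8.8.8.53 > 10.0.0.201.41839: UDP, length 206
11:38:42.002268 IP 10.0.0.201.37642 > 8.8.8.8.53: UDP, length 44
11:38:43.607172 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 0
11:38:43.653268 IP 52.96.182.194.587 > 10.0.0.201.50587: tcp 0
11:38:43.691796 IP 10.0.0.201.50587 > 52.96.182.194.587: tcp 18
11:38:45.000000 IP 10.0.0.201.40001 > 9.9.9.9.53: UDP, length 36
"""

# One tcpdump IP line: "<ts> IP <src>.<sport> > <dst>.<dport>: <UDP|tcp> ..."
PKT = re.compile(
    r"^\S+ IP (?P<sip>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dip>[\d.]+)\.(?P<dport>\d+): (?P<proto>UDP|tcp)\b"
)

def summarize_flows(capture, host):
    """Count packets per remote endpoint, split into sent-by-host and
    received-by-host. Returns {(remote_ip, port, proto): (sent, received)}."""
    flows = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:  # ARP and other non-IP lines are not flows
            continue
        proto = m["proto"].upper()
        if m["sip"] == host:
            flows[(m["dip"], int(m["dport"]), proto)][0] += 1
        elif m["dip"] == host:
            flows[(m["sip"], int(m["sport"]), proto)][1] += 1
    return {k: tuple(v) for k, v in flows.items()}

def unanswered(flows):
    """Unicast endpoints the host sent to that never replied (mDNS multicast skipped)."""
    return sorted(k for k, (sent, recv) in flows.items()
                  if sent and not recv and not ipaddress.ip_address(k[0]).is_multicast)

if __name__ == "__main__":
    flows = summarize_flows(SAMPLE, "10.0.0.201")
    for key, counts in sorted(flows.items()):
        print(key, "sent=%d recv=%d" % counts)
    print("no reply from:", unanswered(flows))
```

On the real capture above the same summary shows 8.8.8.8 answering every query and the TCP handshake to port 587 completing, which is why johnpoz's rule check comes first: the firewall is not what blocks that printer.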