Cannot PF/NAT to save my life...
-
@johnpoz said in Cannot PF/NAT to save my life...:
it doesn't even have to be "static" you just want a public IP that is can get unsolicited inbound traffic. Quite often when you have a public IP via dhcp, even though not "static" it rarely changes...
Unfortunately, my ISP are idiots, and no one I've spoken with so far even knows the difference between a static and dynamic IP. The last person told me that my IP was likely to change "due to the activity of my devices". Uh huh, right.
Also, mine changes quite often. My internet just...drops...about 2-3 times per month, and I get a new IP every time it comes back up. So every couple weeks at least, I have a new IP to deal with. It's maddening, to say the least.
@johnpoz said in Cannot PF/NAT to save my life...:
You sure you don't just have a isp device in front of pfsense that has the public IP?
I'm fairly sure, but honestly I wouldn't trust that this DSL modem (it's a Zyxel c3000z) isn't pulling some shenanigans without my knowledge. I jumped through all the hoops to get it into bridge mode (I know that's not the proper term, just can't recall exactly what we did right now) so that I can use my pfsense box as the true router.
@johnpoz said in Cannot PF/NAT to save my life...:
Pfsense wan IP shows what?
Looks like this:
Does that help?
Sorry for the delay. Today ended up being unexpectedly crazy.
-
@Elmojo that is a public IP.. that is not rfc1918 or cgnat range..
How often it changes - is workable.. especially if it's not like every hour or something..
So do a simple test.. Go "can you see me . org".. I didn't put that together but hope you can figure out what the domain is
Now pick a port any port lets call it 6666, send some traffic to the IP it shows for yours.. While you do a packet capture (under diag menu)... Do you see this traffic..
Here doing the same test..
Doesn't matter if it fails, what we are looking for is whether it actually gets to the pfsense wan interface.. You prob want to verify that the IP can you see me shows is the same IP pfsense has for its wan.. If not maybe you're behind a proxy?? But those IPs should be the same.. See mine starts with 209, from what you posted yours should start with 75 and the last number should be 75.. Should be the same address.. Now on your packet capture do you see that traffic get to pfsense... See how my test failed (because I have nothing listening on that port) but you can see that pfsense saw it..
If you see the traffic then we can for sure get stuff working for you, and you're good to go - and we can work out how to set up a ddns so a fqdn (fully qualified domain name) points to your public IP - even if it changes down the road, and will be updated if it does in like 5 minutes.. etc.. But the first thing we need to validate is that unsolicited traffic can be seen by pfsense. That is what this test will validate.
edit: I just looked and the IP you last talked to the forums from does line up with that 75.x.x.75 address - I see some other ones in a different range 174.x.x.x and another one that is close to the 75.x.x.75 address but a slightly different network.. What I can not tell is how long ago those other IPs were used.. But currently the IP you talked to the forum with does line up with what you posted.. Maybe those 174 addresses were you talking to the forum from your phone, or elsewhere - or maybe your IP does change, but again to be honest even if it changed every hour - as long as you can get to it from the public internet we can work with that.. If it changes every hour it could be problematic - but still workable.. We really just need to validate that pfsense can see unsolicited inbound traffic so we can forward it to something behind pfsense.
-
@johnpoz Oh man, thank you so much. This is super helpful!
Okay, I ran the capture, using that example port.
Here's the result...
Is it odd to have that 1st line in there? This is the result of a single "ping" of the canyouseeme tool.
I don't think I've ever seen an IP in the 52.x range.
In any case, you're correct, it's getting to my pfsense box in some form, so that's good, right?!
@johnpoz said in Cannot PF/NAT to save my life...:
I just looked and the IP you last talked to the forums does line up with that 75.x.x.75 address - I see some other ones in a different range 174.x.x.x
Those are both me. My IP was in the 174.x range until recently. It just changed to the 75.x last week.
I swear, these clowns (my ISP) are all over the map. lol
-
@Elmojo Well that means you answered.. that 52 address is the can you see me site sending traffic to you.. You shouldn't have sent an answer.. Unless you have a "reject" rule on your wan? Or you had something listening on port 6666?
That is why you saw what you saw, but you see 3 attempts trying to talk to my IP on that port.. What are your wan rules - it is normally bad practice to set up a reject on your public facing interface.. Because you're going to cause pfsense to send traffic for every little bit of noise that hits your public IP..
But yes that is good news - we can see the traffic coming to pfsense, so yes we can forward that to something behind pfsense.. And you should be good to go..
If you had a reject rule at the top of your wan list, that could explain why none of your port forward attempts worked.. because your reject rule blocked it from getting to your port forward allow rule.
Could you post a picture of your wan rules? Here is mine as example - you will see multiple port forwards
The rejects I have are for specific ports, so traceroute works to my public IP.. Not something you would normally see, but I have it for a specific reason.. And I understand exactly what it's there for ;) Normally you would not want reject rules on your wan.. Lan side they can be very useful - but normally it's not good to put reject on your wan side interface that faces the public internet. You would just use block, which just drops traffic and doesn't answer in any way.
Do you have any rules in the floating tab?
-
@johnpoz said in Cannot PF/NAT to save my life...:
Unless you have a "reject" rule o your wan?
I do indeed. It was placed there by user "silence", who was helping me get things set up. I have no clue what it does, they just told me it was a good idea. :)
Here are my rules:
You see that most of them are disabled. Those are previous attempts to get various services working, which never panned out. Most of the failed attempts I deleted, but these I've left in place to remind me of what didn't work, and provide a placeholder for things I want to come back to later.
No, nothing in the floating tab.
I'll also note that none of the services you see implied by these rules are currently active or working.
For example, I'm not running NPM, or OpenVPN.
I will say that my BlueIris remote seems to kinda work, sometimes, so maybe that one is okay? lol
-
@Elmojo well your rustdesk ones are not going to work because they are below your reject.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
You really have no need for that reject all rule.. Because there is default deny at the end.. I have specific block rules at the end of mine because I do not log the default deny (I turned that off) and only want to log what those deny rules trigger on.
But your 81 port shows open
Notice those below the reject rule are 0/0 for states, that 2nd 0 means the rule has never been triggered.. Notice your 81 rule and other ones have values that means that much traffic has been allowed..
If I hit your 81 port I get this
If you want to turn the default deny, but log specific traffic then you can put a block rule at the end.. Like you see in my rules. But a reject on wan, especially an any any, is not a good idea.. You're forcing pfsense to answer any bit of noise that touches your wan that you do not allow.. That is just extra traffic you're sending for no valid reason.. My reject is only for specific ports, and only from US IPs, because I want to be able to run a traceroute to my IP and see the response at the end of it.
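Added example (my own code, not from the thread or from pfSense): a tiny first-match simulator of a WAN ruleset like the one discussed above, using the forwarded ports the thread mentions (81, 1880, 18443); the rule descriptions and the extra probe port are constructed. It shows why rules below a reject-any never get a state count, and what a remote sender sees for block versus reject.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                  # "pass", "block" or "reject"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    desc: str = ""
    hits: int = 0                # like the 2nd number in the States column

def evaluate(rules: List[Rule], proto: str, dport: int) -> Tuple[str, str]:
    """Top-down, first match wins and no later rule is looked at.
    Traffic that matches nothing falls through to pfSense's default deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        r.hits += 1
        return r.action, r.desc
    return "block", "default deny"

def sender_sees(action: str) -> str:
    """What the remote host gets back: reject answers, block stays silent."""
    return {"pass": "the forwarded service",
            "reject": "TCP RST / ICMP unreachable",
            "block": "nothing, the probe times out"}[action]

# Constructed WAN ruleset modelled on the thread: the port 81 forward sits
# above the reject-any rule, the 1880/18443 forwards sit below it.
bad_wan = [
    Rule("pass", "tcp", 81, "NAT BlueIris"),
    Rule("reject", "any", None, "reject all"),
    Rule("pass", "tcp", 1880, "NAT NPM http"),
    Rule("pass", "tcp", 18443, "NAT NPM https"),
]
# Same rules with the reject removed; the default deny already covers the rest.
good_wan = [replace(r, hits=0) for r in bad_wan if r.action != "reject"]

if __name__ == "__main__":
    for rules, name in ((bad_wan, "with reject"), (good_wan, "without")):
        for port in (81, 1880, 18443, 6666):   # 6666 is the thread's test port
            action, desc = evaluate(rules, "tcp", port)
            print(f"{name:12} tcp/{port:<5} -> {action:6} ({desc}); "
                  f"sender sees {sender_sees(action)}")
        print("  hits:", [(r.desc, r.hits) for r in rules])
```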
-
@johnpoz said in Cannot PF/NAT to save my life...:
You really have no need for that reject all rule
Fair enough. Like I said, especially at the time this was all set up, I knew next to nothing about rules and such, and was relying on the knowledge of others. I'll disable it.
@johnpoz said in Cannot PF/NAT to save my life...:
But your 81 port shows open
How? Did I publish my external IP somewhere? I don't mind you having it, but I'd prefer for it not to be flapping in the breeze, so to speak. lol
I'm not surprised that it's open. That service is working fairly well, until my IP changes, and I have to figure out what the new one is... I assume there's a way around that, which we'll get to, using duckDNS or similar?
@johnpoz said in Cannot PF/NAT to save my life...:
a reject to wan, especially a any any is not a good idea
I'm a believer. :)
Here's my new ruleset. Does this look better?
I notice that your last rule shows "commonUDP" as the destination port. I don't see that as a selectable preset. Did you build a custom range and name it or something?
-
@Elmojo said in Cannot PF/NAT to save my life...:
Did I publish my external IP somewhere
You gave the first octet, and like I said earlier that matched up with what you talked to the forum from, so I figured it was still the same.. Only mods and admin can see that info.. So no it's not flapping in the breeze ;) and as you saw I didn't say anything that you didn't say already about what your IP was.. And hid the IP I talked to..
btw neither your 1880 or 18443 seem to be open..
From your rules you are sending that to a different IP than your 81, could be that box is not listening on those ports, or it has its own host firewall? Or not using pfsense as its gateway?
But clearly you have a public can talk too, and from those 2nd rules showing some traffic too them, points to something behind not right.. As traffic is getting to pfsense.
My two rules that I log are specific, I only log syn traffic to tcp.. notice the little gear next to mine. And commonudp is an alias I created that only has specific ports in.. That would be interesting to see, but I don't want to see every single stupid piece of udp noise that hits my box. Only ones that are of significance on specific ports..
Here is a snip of that alias
The list is dated, 2019... I should prob go through and remove/add stuff
-
@johnpoz said in Cannot PF/NAT to save my life...:
You gave the first octet, and like I said earlier that matched up with you talked to the forum from
Oh, I see. Cool deal.
@johnpoz said in Cannot PF/NAT to save my life...:
btw neither your 1880 or 18443 seem to be open..
There are no services listening on those ports. They are for NginxProxyManager, and I had to edit the port assignments (it defaults to 80 and 443) because those were in use by another docker. I've discovered since then that there's another way to handle that situation, but I'm not using that service right now anyway, although it is one of those that I hope to get up and running sometime soon.
@johnpoz said in Cannot PF/NAT to save my life...:
But clearly you have a public can talk too, and from those 2nd rules showing some traffic too them, points to something behind not right.. As traffic is getting to pfsense.
Sorry, you kinda lost me there. It almost looks like parts of your sentence got deleted or something...?
@johnpoz said in Cannot PF/NAT to save my life...:
My two rules that I log are specific, I only log syn traffic to tcp.. notice the little gear next to mine
Okay, I see...maybe. Are you saying I don't need those rules, I don't need both of them, or I don't need to log them? I don't think I'll be able to recreate your UDP rule anyway, since I have no idea how to create alias lists. Is it even necessary? I'm not trying to complicate things here.
BTW, what does the gear icon mean? I haven't found an explanation for it yet.
-
@Elmojo No its not necessary. I have those rules because I want to log specific traffic, but not all that is denied. I turned off the logging of the default deny rule. If you have not done that and you deleted those two rules everything would be logged anyway.
What I meant to say we clearly are sure your IP is public, and traffic can get to it. One being that the port 81 shows open... The others showing traffic got to them see the 2nd number in the states column..
-
@johnpoz said in Cannot PF/NAT to save my life...:
No its not necessary. I have those rules because I want to log specific traffic
Gotcha! I'll delete them. Simpler is better. :)
@johnpoz said in Cannot PF/NAT to save my life...:
What I meant to say we clearly are sure your IP is public, and traffic can get to it. One being that the port 81 shows open...
Oh, I understand. Okay, great. So what's the next step... ?
You mentioned something earlier about setting up a FQDN through a ddns. I assume that's the way to get around having to deal with my ISP changing my public IP every couple weeks?
I already have an account and domain set up through duckdns, if that helps any. I'm totally fine abandoning that and using something else if you think it's better. I haven't touched it in a while, it may be inactive. I also have a cloudflare account, if that's of any use.
-
@Elmojo you can use whatever ddns you want.. I just use cloudflare, but not sure if duckdns supports ddns?
Just set it up in pfsense. But I don't see them listed. You might have to use custom, or setup some client behind pfsense to use some script or whatever that they might provide
Or just use one of the many services.
edit:
A quick google found these instructions for pfsense and duckdns dynamic dns: https://www.wundertech.net/use-duckdns-to-set-up-ddns-on-pfsense/
-
@johnpoz Okay, I'll have to dig into the docs a little and see where I need to go from here.
I'm happy with using Cloudflare, if it's built into pfsense. I only had a duckdns account because it was referenced in a tutorial I was following for another service a while back.
Thanks again for all your help. Hopefully I can take it from here, but I can't swear I won't have another couple Qs as I get all this untangled. :)
-
@Elmojo said in Cannot PF/NAT to save my life...:
@johnpoz Okay, I'll have to dig into the docs a little and see where I need to go from here.
I'm happy with using Cloudflare, if it's built into pfsense. I only had a duckdns account because it was referenced in a tutorial I was following for another service a while back.
Thanks again for all your help. Hopefully I can take it from here, but I can't swear I won't have another couple Qs as I get all this untangled. :)
Duckdns have good support info on their page.
Go to their install page https://www.duckdns.org/install.jsp
Select pfsense and then in the drop down select which one of your domains you want to use.
The page will then update to provide you with a URL looking like this:
https://www.duckdns.org/update?domains=[DOMAIN]&token=[TOKEN]&ip=%IP%
Where DOMAIN and TOKEN are generated from your account.
In pfsense > services > Dynamic DNS, create a client and set the Service type to Custom.
Select your interface to monitor and send update from (WAN typically).
Then all you do is paste the URL you got from duckdns into the Update URL field.
Type OK in the Result Match field, add a description if you like and click save.
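Added example, not from the thread, DuckDNS or pfSense: a small Python client doing what the Custom Dynamic DNS entry above does, filling the DOMAIN, TOKEN and %IP% placeholders into the update URL and treating any reply other than OK as a failed update. The subdomain, token and IPs are constructed placeholders, and the fake responder in the demo stands in for DuckDNS so it runs offline; pass fetch=http_get for a real update.

```python
import urllib.parse
import urllib.request

DUCKDNS_UPDATE = "https://www.duckdns.org/update"

def build_update_url(domain: str, token: str, ip: str) -> str:
    """The install-page URL with [DOMAIN], [TOKEN] and %IP% filled in."""
    query = urllib.parse.urlencode({"domains": domain, "token": token, "ip": ip})
    return f"{DUCKDNS_UPDATE}?{query}"

def http_get(url: str, timeout: int = 10) -> str:
    """Fetch the update URL and return the short response body."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode().strip()

def update_if_changed(domain, token, current_ip, last_ip, fetch=http_get):
    """Send an update only when the WAN address actually moved (pfSense does
    the same by monitoring the interface). Returns (update_sent, ip_on_record).
    Raises unless DuckDNS answers OK, the same check as Result Match = OK."""
    if current_ip == last_ip:
        return False, last_ip
    body = fetch(build_update_url(domain, token, current_ip))
    if body != "OK":
        raise RuntimeError(f"DuckDNS did not accept the update: {body!r}")
    return True, current_ip

if __name__ == "__main__":
    # Offline demo: a stand-in for http_get that answers like DuckDNS
    # (OK on success, KO otherwise). Assumed placeholders, not real values.
    def fake_duckdns(url: str) -> str:
        return "OK" if "token=TOKEN-PLACEHOLDER" in url else "KO"

    last = None
    for seen in ("198.51.100.23", "198.51.100.23", "198.51.100.40"):  # constructed
        sent, last = update_if_changed("my-subdomain", "TOKEN-PLACEHOLDER",
                                       seen, last, fetch=fake_duckdns)
        print(seen, "-> update sent" if sent else "-> unchanged, skipped")
```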