Netgate Discussion Forum

    inbound traffic on QNAP Virtual Machine

    • siwik75

      I have pfsense 2.3.4 CE
      igb0 on 10.0.1.11 -> Internet Router 10.0.1.200
      igb1 on 10.0.0.250 <-> LAN

      QNAP on static ip 10.0.0.98
      VM inside on static ip 10.0.0.53

      I am trying to allow traffic from external internet IP from AWS EC2 on a specific port (1521 or 9090)

      I tried to add NAT and rule on pfsense in multiple ways but I never see traffic reaching 10.0.0.53 (checked with tcpdump)
      and on pfsense I see <external ip> <-> 10.0.1.11:9090 CLOSED:SYN_SENT

      though the ports are open on .53; I can connect from within the LAN on a different machine.

      How can I solve this? I need some expert advice.

      • NightlyShark @siwik75

        @siwik75 Ports open on LAN are not the same ports that need to be open on WAN. Each INTERFACE has its own 65535 ports. Thus, the ports need not only be open on .53, but also on pfSense WAN. "But I used NAT rules, and port forward and..." doesn't matter. NAT and port forward are processed before the firewall rules, and WAN has a deny all in rule. So, on that interface, the packet arrives, its dest IP changes from 10.0.1.11 to 10.0.0.53, but that doesn't cause WAN to show any sympathy, because the direction is IN. It just coldly shoots down the packet. You can see this if you activate the option to log default deny rules (in the firewall logs options tab).

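The processing order described in the reply above, as an added example that is not part of the original thread and is not pfSense code: a simplified Python model in which the port forward rewrites the destination first and the WAN inbound rules are then checked against the rewritten packet. The class and function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the EC2 source address.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:   # NAT port forward: rewrite the destination on arrival
    iface: str
    dst: str
    dport: int
    target: str

@dataclass(frozen=True)
class PassRule:      # inbound pass rule on one interface
    iface: str
    src_net: str
    dst: str
    dport: int

def evaluate(pkt, forwards, rules):
    """Return (verdict, packet as the filter saw it)."""
    # Step 1: port forwards rewrite the destination before filtering.
    for f in forwards:
        if (pkt.iface, pkt.dst, pkt.dport) == (f.iface, f.dst, f.dport):
            pkt = replace(pkt, dst=f.target)
            break
    # Step 2: inbound rules on the arrival interface see the rewritten packet.
    for r in rules:
        if (pkt.iface == r.iface and pkt.dport == r.dport and pkt.dst == r.dst
                and ip_address(pkt.src) in ip_network(r.src_net)):
            return "pass", pkt
    return "block (default deny)", pkt   # no match: WAN default deny in

# Constructed values: 203.0.113.10 stands in for the EC2 source address.
SYN = Packet("WAN", "203.0.113.10", "10.0.1.11", 9090)
FWD = [PortForward("WAN", "10.0.1.11", 9090, "10.0.0.53")]
ON_WAN_ADDR = [PassRule("WAN", "203.0.113.10/32", "10.0.1.11", 9090)]
ON_TARGET = [PassRule("WAN", "203.0.113.10/32", "10.0.0.53", 9090)]

if __name__ == "__main__":
    for name, rules in [("no WAN rule", []), ("pass to 10.0.1.11", ON_WAN_ADDR),
                        ("pass to 10.0.0.53", ON_TARGET)]:
        print(f"{name:20} -> {evaluate(SYN, FWD, rules)[0]}")
```

Only the rule whose destination is the forwarded host 10.0.0.53 passes the packet, and limiting its source to the single EC2 address keeps ports 1521 and 9090 closed to everyone else.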
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.