pfSense 2.7.2 port forward port 80 443 22 21 etc blocked
-
I checked with my ISP and all the ports other than port 25 are not blocked; the firewall is definitely dropping the connection for the specified ports to this server.
-
This :
is the default final 'hidden' firewall rule that blocks everything.
If your WAN firewall rule list is empty, this will be the WAN default behavior : block everything.
If you have rules on your WAN interface, classic firewall rules to reach a service port on pfSense, like the OpenVPN server, these will be tested/used first.
These are mine :
The first one (and related second) are classic firewall rules, as I have an OpenVPN server running on pfSense. This server listens on the WAN interface, so I have to unblock it.
The third rule : same thing using TCP port 4949 : a munin monitoring host. Note that this munin instance is only accessible from devices on the Internet that are listed in the SYS alias, and no one else.
The fourth rule : same thing, but this is a firewall rule that belongs to a NAT rule : incoming traffic, again from the alias SYS only, gets redirected to the "diskstation2" alias (it's 192.168.1.33), an IPv4 LAN device, my syno NAS.
Important : these counters :
show me that traffic is hitting (matching) the rules, so I know that the rules are getting used.
=> I know that traffic that reached the pfSense WAN interface, was handled by these rules.
If these rules stay at "0" then you might think traffic never even reaches pfSense ... ;)
edit : As I have an upstream ISP router, my WAN has a RFC1918 IP, I had to place related "NAT" rules on the ISP router also.
-
@Gertjan Thanks for the reply. I do have those in place; I have been using pfSense for so many years. This is the first time it failed. It happened when I needed to change servers because the old server kinda was dying on me and needed to change, and it was working fine there. After the change everything started to happen. I tried using a completely fresh install and did only port 443; it still blocked me. All other ports work perfectly. The web server ports do not work.
Openvpn works
HaProxy ports work
Dockers work
Only web servers are blocked
To be clear I checked with ISP and none of the ports other than port 25 is NOT blocked.
-
@cougarmaster said in pfSense 2.7.2 port forward port 80 443 22 21 etc blocked:
I need to change servers
That's the LAN device, right ? with an - the same as the old - IP address like 192.168.1.10/24 etc
Is this server actually accepting connections from not only LAN, like 192.168.1.0/24 but the entire Internet ? Most often, 'Servers' have also firewalls.
@cougarmaster said in pfSense 2.7.2 port forward port 80 443 22 21 etc blocked:
The web server ports do not work.
Not sure if this can be related : move the pfSense GUI port 443 out of the way, by setting it to some other port number.
-
@Gertjan I can access everything from LAN and even access the web sites from LAN with Host Overrides, so the server is completely fine, and yes, all UFW is disabled. Also I never use default ports for firewall and I access it on a different port.
-
I think there is something wrong with 2.7.2; I was using 2.7.0 fine. Maybe I need to reinstall 2.7.0 and redo everything from scratch since I don't have a backup for that version. This is sad.
-
@cougarmaster said in pfSense 2.7.2 port forward port 80 443 22 21 etc blocked:
I think there is something wrong with 2.7.2
If "2.7.2" could not handle something as basic as a NAT rule, you would see, from the moment it was released, thousands of complaints on this forum.
Don't believe me : fact check right away .... there are none.
So, apply the basic rule : "It's not everybody, it's just you"
Btw : I'm using 24.03, basically the same code / OS etc and NAT just works fine. If it didn't, I couldn't use pfSense anymore.
@cougarmaster said in pfSense 2.7.2 port forward port 80 443 22 21 etc blocked:
I can access everything from LAN and even access the web sites from LAN
That's what I said above already.
From LAN it works.
But NAT rules imply that traffic is not coming from your LAN, but your WAN, to be more precise : any possible IP, not just your local RFC1918 LAN.
LAN traffic from a LAN device to your server doesn't even go through pfSense.
Show your WAN firewall and NAT rules.
-
@Gertjan Don't get me wrong, I meant to say it's not working for me. I am just frustrated about why only the standard ports are getting blocked and what is triggering the blocks. Of course I will continue to use pfSense as it has served me, idk, 10 - 15 years?
-
@Gertjan I think I got it solved; maybe it's the setting in the Advanced networking hardware settings for the NIC. I will test a bit more to be sure but now I can access the web server no problem. Also thanks for replying and helping.
-
@Gertjan I think it's a checksum error that is preventing it. If I disable the hardware checksum offload it works perfectly, so I think that is the main cause. I did forget to mention I was on virtual and I forgot to disable the checksum in there. Now everything is working as it should. I am sorry to cause so much confusion. Thank you again.
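One way to check the checksum theory from the last post, as an added example that is not part of the original thread: this Python sketch reads verbose `tcpdump -nn -vv` text captured on the LAN server and counts, per destination port, how many received TCP segments tcpdump marked as having an incorrect checksum. The sample capture, the IP addresses and the names `checksum_report` and `suspect_ports` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn -vv` output taken on the LAN server
# (192.168.1.10 is an assumed server address, 203.0.113.7 an assumed client).
SAMPLE = """\
12:00:01.000001 IP (tos 0x0, ttl 52, id 4711, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51514 > 192.168.1.10.443: Flags [S], cksum 0x8a3c (incorrect -> 0x1f2e), seq 1001, win 64240, length 0
12:00:02.000001 IP (tos 0x0, ttl 52, id 4712, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51514 > 192.168.1.10.443: Flags [S], cksum 0x8a3c (incorrect -> 0x1f2e), seq 1001, win 64240, length 0
12:00:03.000001 IP (tos 0x0, ttl 52, id 4713, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51600 > 192.168.1.10.80: Flags [S], cksum 0x77aa (incorrect -> 0x0b0c), seq 2001, win 64240, length 0
12:00:04.000001 IP (tos 0x0, ttl 52, id 4714, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51700 > 192.168.1.10.8080: Flags [S], cksum 0x5d5e (correct), seq 3001, win 64240, length 0
12:00:04.000201 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.10.8080 > 203.0.113.7.51700: Flags [S.], cksum 0x9e10 (correct), seq 9001, ack 3002, win 65160, length 0
"""

# The indented second line of each verbose record carries ports and checksum state.
SEGMENT = re.compile(
    r"^\s+[\d.]+\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[[^\]]*\], cksum 0x[0-9a-f]+ \((?P<state>correct|incorrect)"
)

def checksum_report(capture_text, server_ip):
    """Count TCP segments received by server_ip, per destination port.

    Only inbound segments are counted: segments the capturing host sends
    itself can show as 'incorrect' purely because of its own TX offload.
    """
    report = defaultdict(lambda: {"total": 0, "bad": 0})
    for line in capture_text.splitlines():
        m = SEGMENT.match(line)
        if not m or m.group("dst") != server_ip:
            continue
        entry = report[int(m.group("dport"))]
        entry["total"] += 1
        if m.group("state") == "incorrect":
            entry["bad"] += 1
    return dict(report)

def suspect_ports(report):
    """Ports where every received segment failed checksum verification."""
    return sorted(p for p, c in report.items() if c["bad"] == c["total"])

if __name__ == "__main__":
    print(suspect_ports(checksum_report(SAMPLE, "192.168.1.10")))
```

Repeated SYNs with an incorrect checksum and no SYN-ACK in reply are consistent with the receiver discarding the segments, which from the outside looks the same as a firewall block.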