    Port Forwarding stopped working after upgrading to 2.8.0

    • C
      comet424 @comet424
      last edited by comet424

      so like

      if i type

      www.example.com on the local network in the web browser i get the website
      if i ping www.example.com on the local network it pings and returns my ip address and my TTL

      but if i use computer on the outside of pfsense
      and i
      goto www.example.com in the browser i just get blank cant be found
      and if i ping www.example.com on the outside of pfsense it sees the ip address but returns nothing
      as it gets destination error..

      hope that helps too..

      and Windows server is up to date and the firewalls private and public are disabled

      i tried
      system logs firewall under status normal view

      and i searched for 192.168.0.30 the webserver address and it didnt find any ip

      C 1 Reply Last reply Reply Quote 0
      • C
        comet424 @comet424
        last edited by

        so i did a ping from the remote computer to the www.example.com the example website

        it gets ip but the request time out... the states filter shows this if it helps
        states external.png

        S 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @comet424
          last edited by

          @comet424 You will need to forward ICMP to forward pings. I don't know that I've tried to forward ICMP and use reflection on that.

          Is one of those destinations your remote IP? They look more like outbound connections, at a glance.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          C 1 Reply Last reply Reply Quote 0
          • C
            comet424 @SteveITS
            last edited by comet424

            @SteveITS the 67.70.206.175 is the remote computer not connected to pfsense so i pinged on there the webaddress

            and how do i enable icmp thats for pinging right just the port on port forward? or LAN?

            and here i did states again and on the remote computer i did the website address in Internet Explorer and got

            and i did a kill states before i tried webpage...

            states2.png

            C stephenw10S 2 Replies Last reply Reply Quote 0
            • C
              comet424 @comet424
              last edited by

              so i added icmp on the port forward but got request timed out still

              port forward side
              port forward.png

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator @comet424
                last edited by stephenw10

                @comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:

                the X.X.206.175 is the remote computer not connected to pfsense

                Nope that's your external WAN IP address in those states.

                But in the state table above we can see incoming connections from X.X.206.115 to the WAN address and they are being correctly forwarded to the internal server IP.

                I assume you have that filtered for WAN only? If you allow all interfaces you should also see a corresponding state on LAN.

                The state you see on WAN shows traffic both ways BUT only 1 packet so it's probably just being refused.

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Where exactly are you testing from? How is it connected? It's in the same subnet as your WAN.

                  I can open an http connection to that site and ping it OK from my actual remote location.

                  C 1 Reply Last reply Reply Quote 0
                  • C
                    comet424 @stephenw10
                    last edited by

                    @stephenw10

                    so the way i testing is

                    my modem has pppoe and has wifi and lan
                    so i connect wifi for the remote comp
                    and its the 67.70.206.115

                    and then i do pppoe on the WAN connection to the modem
                    and it logs in a 2nd time
                    and i get the
                    67.70.206.175 so i have 2 different WAN interfaces

                    filtered for WAN only if you mean states? then ya i do the screen shots above
                    if you mean filtered that i only have port forward on WAN to 192.168.0.30 then ya only Wan

                    like at moment my OpenVPN started working ok on the remote comp i using.. but the Webserver address still show nothing and i cant ping

                    C 1 Reply Last reply Reply Quote 0
                    • C
                      comet424 @comet424
                      last edited by comet424

                      and i do this wifi remote to do testing to make my network work outside of the network on the internet side and it all worked.. before back in 2.7.2 but i not sure if its a problem with my modem or it didnt upgrade right and i gotta start over by format and then force update from the xml file so not sure

                      or maybe my modem doesnt like the new pfsense i dunno

                      C 1 Reply Last reply Reply Quote 0
                      • C
                        comet424 @comet424
                        last edited by comet424

                        @stephenw10 since you said you can ping my pfsense box
                        let me know if this works

                        www.mcproductions.mine.nu its my old dj website as i wanna upgrade it to AI generated website

                        but i cant ping it on the remote side.. but if it works for you to goto website and to ping it

                        then i guess my modem doesnt let me to do what it could before

                        and my openvpn client can connect to pfsense on the remote comp but not the websites and i need to test those other ports i have for port forwarding

                        stephenw10S 1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator @comet424
                          last edited by

                          @comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:

                          let me know if this works

                          www.mcproductions.mine.nu

                          Yup that works.

                          Ok probably you're hitting an asymmetric routing problem that was previously allowed by floating state policy in 2.7.2. This has been switched back to Interface Bound in 2.8 which is more secure:
                          https://docs.netgate.com/pfsense/en/latest/releases/2-8-0.html#general

                          You can try setting back to floating to test if you need to. However, testing from something inside the WAN subnet like that is not really a good test. Especially if it's through an ISP router that may or may not be doing something! Much better to test from a real external address like a tethered cell phone if you can.

                          C 1 Reply Last reply Reply Quote 0
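A simplified model of the two state policies named in the post above, added here as an illustration (it is not pfSense or pf source code, and not code from any poster). Each state is reduced to one flow plus the interface it was created on; the interface names `wan` and `opt1` and the 203.0.113.115 client address are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the firewall sees the packet on
    src: str    # "ip:port"
    dst: str    # "ip:port"
    syn: bool   # True only for the initial TCP SYN


class StateTable:
    """Toy stateful filter: only a SYN that hits a pass rule may open a state."""

    def __init__(self, policy, pass_rules):
        if policy not in ("floating", "if-bound"):
            raise ValueError(f"unknown state policy: {policy}")
        self.policy = policy
        self.pass_rules = pass_rules  # {(iface, dst)} allowed to create states
        self.states = set()           # {(iface, frozenset({src, dst}))}

    def _has_state(self, pkt):
        flow = frozenset((pkt.src, pkt.dst))
        for iface, known in self.states:
            # floating: any interface may use the state.
            # if-bound: only the interface that created it.
            if known == flow and (self.policy == "floating" or iface == pkt.iface):
                return True
        return False

    def handle(self, pkt):
        if self._has_state(pkt):
            return "pass (state)"
        if pkt.syn and (pkt.iface, pkt.dst) in self.pass_rules:
            self.states.add((pkt.iface, frozenset((pkt.src, pkt.dst))))
            return "pass (new state)"
        return "block (no state)"


# Constructed flow: the connection opens on "wan", but a later packet of the
# same connection shows up on "opt1" (an asymmetric path).
CLIENT = "203.0.113.115:51000"   # constructed documentation address
SERVER = "192.168.0.30:80"       # web server address used in the thread
ASYMMETRIC_FLOW = [
    Packet("wan", CLIENT, SERVER, syn=True),    # SYN, allowed by the WAN rule
    Packet("wan", SERVER, CLIENT, syn=False),   # reply on the same interface
    Packet("opt1", CLIENT, SERVER, syn=False),  # same flow, other interface
]


def replay(policy):
    """Return the verdict for each packet of the flow under the given policy."""
    table = StateTable(policy, pass_rules={("wan", SERVER)})
    return [table.handle(p) for p in ASYMMETRIC_FLOW]


if __name__ == "__main__":
    for policy in ("floating", "if-bound"):
        print(policy, replay(policy))
```

Under `floating` the third packet passes on `opt1` even though no rule on that interface ever allowed the connection, which is the looseness that interface-bound states remove; under `if-bound` the same packet has no usable state and is dropped.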
                          • C
                            comet424 @stephenw10
                            last edited by

                            @stephenw10
                            so i tried the floating and even rebooted pfsense.. but my remote comp still cant do pinging or the website... so its probably what you said the modem could be doing something funky and i need a real external internet to test.. . i dont have a cellphone with internet,. but least you said its working

                            so ill set it back interface bound policy

                            i not 100% sure what the 2 options means it kinda sounds like if you have a vpn that it wont leak onto the WAN side you dont need the egress floating ive setup before like a kill switch so if the vpn goes down no internet.. my take it does that kinda thing... if i wrong well i wrong i just trying to guess what it does in simple words terms and not engineer words lol

                            but ill see about different external internet testing like if i at home depot and use there wifi
                            be outta the way but least its a different internet to test...,.. here i was going to do a restore from my config file and see if that would fixed things...

                            always learning new something everyday... and here my setup testing was flawless probably the provider updated the modems firmware and then things bugger up too lol

                            i appreciate your guys help as i wouldnt have learned my testing remote comp isnt really a good idea

                            GertjanG 1 Reply Last reply Reply Quote 1
                            • GertjanG
                              Gertjan @comet424
                              last edited by

                              @comet424

                              Upgrading pfSense wouldn't break any NAT setup.
                              What did break your NAT is most probably: what was your pfSense WAN IP before you upgraded?
                              And after? If your WAN IP is "RFC 1918" then don't look any further: you have to change the NAT rule in the upstream, probably ISP, router.

                              Next step: every NAT rule has a WAN firewall rule - as traffic has to be able to get into the WAN interface.
                              Here are mine:
                              4f03bdf1-19f7-4902-94d7-277d18695ccf-image.png
                              Observe the States column. When traffic starts to enter, the States counter starts to go up.
                              If they stay at 0/0 then you'll know the traffic never reaches the pfSense WAN interface, so the issue is upstream.

                              Anyway: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html is the check list to follow.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              C 1 Reply Last reply Reply Quote 0
                              • C
                                comet424 @Gertjan
                                last edited by

                                @Gertjan
                                ah ok for me my WAN is PPPOE and i use a login and password and then get a dynamic ip
                                not sure how that RFC 1918 i remember seeing that and doing it for something in the past

                                ill check i did find out apparently my websites were working but the way i was testing is asymmetrical which not sure what that means or what not

                                but i did find another issues i not sure if its my network card or what not
                                i got a 10Gtek Dual 1.25GB nic supposed to be intel as i wanted to be compatible with pfsense

                                but ive been experiencing since i upgraded to 2.8.0 that there so i not sure if 10Gtek company if its compatible with pfsense or not

                                as networking works.. and then at random times it will work partially say accessing the pfsense page you can access the page login but thats it or you lose connection.. and then might come back.. Vlans come and then they go with my cameras.. but once you reboot pfsense it works totally again.... its weird had no issues with 2.7.2 so i not sure if its a glitch bad upgrade or card that is slowly faulting but this randomness is also randomly how long between issues before was like every 15 min to an hour to like a day or 2

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  That's not a NIC issue, you'd see everything fail if it was. Sounds more like a routing issue or possibly something stalling out PHP.

                                  Check the system logs covering the time it happened.

                                  C 1 Reply Last reply Reply Quote 0
                                  • C
                                    comet424 @stephenw10
                                    last edited by comet424

                                    @stephenw10
                                    sorry delay wasnt around
                                    so what do i check from the system logs? i also gotten this error now a few times but when you try to view it it doesnt work,,, and it worked once

                                    but what i found is say my security cameras on 192.168.10.0 network the shinobi can see the camera but my desktop pc using the reolink on the 192.168.0.0 it loses the cameras in the reolink camera like when you typically reboot pfsense...
                                    and then it comes back or if not i reboot pfsense and then its working again.. is that all routing issues?

                                    so when i go into system logs what am i looking for? what should i scan... and here is the error i get a few times now

                                    pfsense crash report.png pfsense error.png

                                    would these errors be caused by a routing error? this stuff only been happening after i upgraded to 2.8.0 is there like an extra check box that might been checked after the upgrade ? that i need to toggle off etc.. but ya what do i look for in the system logs specifically to my desktop pc

                                    i also find if my internet stalls out it stalls out my vpn and my internet will still basically work on the WAN side but vpn doesnt i need to reboot pfsense to get internet on vpn side to work again its like it stalls out and then rebooting pfsense solves it... as i can ping like 1.1.1.1 but i cant ping google.ca unless i reboot pfsense but if i ping google.ca on the pfsense box then i can typically ping google.. but not to the desktop

                                    is that also related to routing issue you think i might have

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      Mmm, if you can hit the login page but nothing beyond it that's almost always PHP stalling or being killed. That is usually a symptom of something else trying to make it do something it shouldn't or can't.

                                      So I would be looking at the main system log leading up to the failure to see what might be happening to load up PHP.

                                      C 1 Reply Last reply Reply Quote 0
                                      • C
                                        comet424 @stephenw10
                                        last edited by

                                        @stephenw10
                                        ya so like majority of the time it will just sit there you cant click the crash reporter link i had that open and i rebooted the pfsense and i was able to click that page later the crash reporter shows nothing

                                        oh and i remember i also have issues
                                        from the desktop pc
                                        i not able to ssh into the pfsense or when the gui page like stalls out i can ssh in and reboot or sometimes i cant and i use a wifi plug on the pfsense to reboot.. also i noticed sometimes when i reboot normal of pfsense it never comes back up i dont currently have a monitor hooked to it.. but to get it to boot back up i toggle the wifi plug and then it boots back up again.. as after a normal reboot and it doesnt come back up within 5 min is an issue

                                        now another thing i remember is if i cant ssh into the pfsense box from my desktop.. i can terminal into my Unraid Server and i can ssh to the pfsense fine.. and if i ssh from the desktop when its not working it will work again after a certain amount of time it just starts working

                                        now i googled what the minimum specs for pfsense 2.8.0 and saying needs a quad core with 2ghz.. now my cpu is a Intel(R) Celeron(R) J4105 CPU @ 1.50GHz 4 Core i was thinking of just upgrading my server and give my pfsense my AMD Ryzen 7 5800X 8-Core with an asus tuf x570 motherboard
                                        as you mentioned the php is stalling out if its underpowered now from the upgrade

                                        i did try a re upgrade of pfsense using the config file but that didnt help..

                                        so what kills or stalls the php is that happening on the desktop or is that happening on the pfsense of a combination of both..

                                        so when i looking in the system log i dont have a php sub tab so how do i look for the php or what am i exactly looking for as i not 100% sure what to look

                                        and do i do anything under the states or routes under the diagnostic page
                                        php.png

                                        is there like a diagnostic tool to test the pfsense also? and if the windows 11 desktop php stalling out how do i go about that too..

                                        all i know is if i do a pfsense reboot it solves the problem for a while but the issues can re occur after an hour or several hours or a day or 2.. so its not specific set

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Hmm, SSH should still work even if PHP is not responding so that could also just be a symptom.

                                          But after you reboot and regain access to the firewall the system logs should contain some reference to what was happening at the time.

                                          Are you able to connect to the firewall console directly when this is happening?

                                          If there's an issue with the boot drive it might present like this and be unable to log anything. The console would be full of errors though if that happened.

                                          C 1 Reply Last reply Reply Quote 0
                                          • C
                                            comet424 @stephenw10
                                            last edited by

                                            @stephenw10

                                            ill have to get a monitor on the computer then so i can check when it fails to boot.. does pfsense able to show any like s.m.a.r.t errors if there is any so you can see if there is a problem? and can i run a like ssh shell command to run a diagnostic on the ssd to see if there is an error does pfsense offer that?

                                            as for if i can connect to the firewall directly when its glitching... as of the ssh its been a mix so sometimes yes or sometimes no and it takes a bit before it allows me to ssh in it just sits at trying to connect for a long time it will either drop out after so long and you try again sometimes works next sometimes no... and sometimes it will ssh like for a minute before it prompts the login and i do
                                            ssh admin@192.168.0.1

                                            now in the system logs where would i look for errors but wouldnt the errors be gone once you reboot it.. it just starts off fresh? or does it keep logs prior to the reboot..

                                            C 1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.