Port forwarding in 2.8
-
Hi, after updating pfSense to version 2.8, my port forwarding stopped working. In the firewall logs, I see:
Action: block
Reason: match
Tracker ID: 1000005670
Matched Rule:
@48 block drop in log on ! igc1.300 inet from 192.168.2.0/24 to any ridentifier 1000005670
Associated Rules:
@49 block drop in log inet from 192.168.2.1 to any ridentifier 1000005670
@50 block drop in log on igc1.300 inet6 from fe80::2aac:9eff:fe0d:96f6 to any ridentifier 1000005670
What kind of rule is this? I've added an exception, but the forwarding still doesn't work. Has something changed in version 2.8?
-
@Piter-0 said in Port forwarding in 2.8:
What kind of rule is this?
Dunno.
You didn't show your NAT rules yet.
Show also your WAN rules please.
Who is "192.168.2.0/24" - what network? Your WAN?
Who is 192.168.2.1?
Btw: NAT under 2.7.0, 2.7.1, 2.7.2 or 2.8.0, nothing changed.
After all, if this was the case, a big reminder would have been printed here: Netgate Releases pfSense Community Edition Version 2.8.0 - or in the release notes.
What probably happened: you have an upstream (ISP?) router, and your RFC1918 WAN IP changed ...
So the upstream NAT rule isn't valid anymore. The pfSense NAT rule doesn't need to be changed.
edit: several ways to check if NAT rules 'work'.
That is: check with pfSense if traffic arrives at 'the WAN gates'. Look here:
You see the green counters?
They change (go up) when traffic matches the rule = that was the traffic that will get NATted to your internal LAN network, to some NAT IP.
If the counters don't increment: the traffic never reached pfSense.
Another method:
You didn't tell, but let's presume you NATted port '443' because you have a web server on your LAN, using some (don't care) LAN IP.
Use the pfSense packet sniffer:
I've also selected TCP as web traffic is (normally) TCP.
Hit start.
Now try to use your NAT rule.
As soon as packets reach pfSense, and get in, you'll see the packets listed.
If nothing gets listed: the traffic never reached pfSense.
Another method: try the official "NAT checklist":
Troubleshooting NAT Port Forwards, as this one will always solve your issue. -
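A note on the rule the OP quotes, since the thread never identifies it: `block drop in log on ! igc1.300 inet from 192.168.2.0/24 to any`, together with `block drop in log inet from 192.168.2.1 to any`, is exactly the pair pf expands `antispoof log for igc1.300` into (pfSense emits one such pair per interface). It drops any packet whose source claims to be inside 192.168.2.0/24 but enters on an interface other than igc1.300, and any packet claiming the interface's own address 192.168.2.1 on any interface. A pass "exception" in the rule editor is therefore not the fix; the useful question is why traffic with a 192.168.2.x source is arriving on some other interface (a host using the wrong gateway, a second path into that subnet, or asymmetric routing are the usual suspects). The following example is added here and is not code from the thread or from pfSense: it parses the two rules verbatim from the log and evaluates them against hypothetical packets; `igc0` is an assumed name for some other interface.

```python
"""Added example, not from the thread: evaluate the pf antispoof rule pair
quoted in the original post against a packet.

`antispoof for igc1.300` (pfSense generates one per interface) expands to
the two rules below: drop anything claiming a 192.168.2.0/24 source that
arrives on an interface other than igc1.300, and drop anything claiming
the interface's own address 192.168.2.1 on any interface.
"""
import ipaddress
import re

# Rules @48 and @49 exactly as they appear in the original firewall log.
ANTISPOOF_RULES = """\
@48 block drop in log on ! igc1.300 inet from 192.168.2.0/24 to any ridentifier 1000005670
@49 block drop in log inet from 192.168.2.1 to any ridentifier 1000005670
"""

RULE_RE = re.compile(
    r"@(?P<num>\d+) block drop in(?: log)?"
    r"(?: on (?P<neg>! )?(?P<ifname>\S+))?"
    r" inet from (?P<src>\S+) to any(?: ridentifier (?P<rid>\d+))?$"
)


def parse_rules(text):
    """Parse the inet 'block drop in' rules from pf rule listing text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue  # other rule shapes (inet6, pass, nat) are ignored here
        rules.append({
            "num": int(m["num"]),
            "ifname": m["ifname"],                  # None: any interface
            "negated": m["neg"] is not None,        # "on ! X": every interface except X
            "src": ipaddress.ip_network(m["src"], strict=False),
            "rid": m["rid"],
        })
    return rules


def first_blocking_rule(rules, ingress_if, src_ip):
    """Return the first rule dropping an inbound IPv4 packet with source
    `src_ip` that entered on `ingress_if`, or None if none matches."""
    ip = ipaddress.ip_address(src_ip)
    if ip.version != 4:
        return None  # the inet6 twin (@50) is out of scope for this example
    for r in rules:
        if ip not in r["src"]:
            continue
        if r["ifname"] is None:
            return r
        on_if = ingress_if == r["ifname"]
        # plain "on X" matches when on_if; "on ! X" matches when not on_if
        if on_if != r["negated"]:
            return r
    return None


def explain(rules, ingress_if, src_ip):
    """Human-readable verdict, mirroring what the firewall log line tells you."""
    r = first_blocking_rule(rules, ingress_if, src_ip)
    if r is None:
        return f"{src_ip} on {ingress_if}: not caught by antispoof"
    where = "any interface" if r["ifname"] is None else (
        f"every interface except {r['ifname']}" if r["negated"] else r["ifname"])
    return (f"{src_ip} on {ingress_if}: dropped by @{r['num']} "
            f"(source {r['src']} is not allowed on {where})")


if __name__ == "__main__":
    rules = parse_rules(ANTISPOOF_RULES)
    # Hypothetical packets; igc0 stands in for some interface other than igc1.300.
    for iface, src in [("igc0", "192.168.2.50"), ("igc1.300", "192.168.2.50"),
                       ("igc1.300", "192.168.2.1"), ("igc0", "10.0.0.5")]:
        print(explain(rules, iface, src))
```

On the firewall itself, `pfctl -vsr` prints the loaded ruleset with the same `@number` prefixes and per-rule evaluation and packet counters, so you can confirm which generated rule a tracker ID belongs to and whether it is still being hit after a change.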
@Gertjan
Thank you for your reply. It turns out the cause was simple. The DHCP server wasn't assigning a gateway address, or the NAS server (the one on the forwarded port) wasn't receiving it. I entered the gateway manually, and it worked. -
@Piter-0 said in Port forwarding in 2.8:
The DHCP server wasn't assigning a gateway address
The DHCP server should communicate 3 things:
An IP ... the gateway and a DNS.
If you don't enter a gateway, it defaults to the IP on which the DHCP server is running: that's the pfSense LAN IP.
Not assigning a gateway?
Let's check (packet capturing again using "LAN", "UDP" and ports "67 68"):
Where I temporarily set my NAS (Syno DiskStation) to a static IP (192.168.1.33) and then back again to DHCP:
I found a request:
07:44:21.118437 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x5e3f9078, Flags [none] (0x0000) Client-Ethernet-Address 00:11:32:a7:d5:88 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Request Requested-IP (50), length 4: 192.168.1.33 Hostname (12), length 13: "DiskStation2^@" Parameter-Request (55), length 7: Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3) Domain-Name (15), Domain-Name-Server (6), Hostname (12) Client-ID (61), length 7: ether 00:11:32:a7:d5:88
and the answer from the DHCP server :
07:44:21.124695 IP (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 338) 192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 310, xid 0x5e3f9078, Flags [none] (0x0000) Your-IP 192.168.1.33 Client-Ethernet-Address 00:11:32:a7:d5:88 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: ACK Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 192.168.1.1 Domain-Name-Server (6), length 4: 192.168.1.1 Hostname (12), length 12: "diskstation2" Domain-Name (15), length 20: "bhf.tld" Lease-Time (51), length 4: 21600 Server-ID (54), length 4: 192.168.1.1
as you can see, a gateway is present.
That's not a simple reason.
The original question was: "Port forwarding in 2.8 (doesn't work?)", as I presume you were forwarding to your NAS. If the NAS doesn't have a gateway anymore, you would have the impression the NAT rule wasn't working anymore. It was, but the NAS couldn't send any info back.
The real question is : why did the NAS discard the gateway info it got from the DHCP lease ?
Anyway, solved, a good thing.
Keep an eye on your NAS ;) -
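To make the check in the post above repeatable, here is an added example (mine, not code from the thread, the NAS, or pfSense). It takes the two tcpdump lines quoted above, the Request and the ACK, exactly as pasted, compares the client's Parameter-Request list (option 55) with the options the ACK actually carries, and reports the gateway (option 3) and anything the client asked for but did not get. The Request/ACK text is the thread's own capture; the "no gateway" variant is constructed by deleting the gateway option from that ACK, to show what the result looks like when a server really does omit it.

```python
"""Added example, not from the thread: parse the two DHCP messages captured
with the pfSense packet sniffer (tcpdump verbose output, as pasted in the
thread) and check whether the ACK carries what the client asked for,
in particular the Default-Gateway (option 3).
"""
import re

# The Request / ACK pair from the thread's capture, one message per line.
CAPTURE = """\
07:44:21.118437 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:11:32:a7:d5:88, length 300, xid 0x5e3f9078, Flags [none] (0x0000) Client-Ethernet-Address 00:11:32:a7:d5:88 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: Request Requested-IP (50), length 4: 192.168.1.33 Hostname (12), length 13: "DiskStation2^@" Parameter-Request (55), length 7: Subnet-Mask (1), BR (28), Time-Zone (2), Default-Gateway (3) Domain-Name (15), Domain-Name-Server (6), Hostname (12) Client-ID (61), length 7: ether 00:11:32:a7:d5:88
07:44:21.124695 IP (tos 0x10, ttl 128, id 0, offset 0, flags [DF], proto UDP (17), length 338) 192.168.1.1.67 > 192.168.1.33.68: [udp sum ok] BOOTP/DHCP, Reply, length 310, xid 0x5e3f9078, Flags [none] (0x0000) Your-IP 192.168.1.33 Client-Ethernet-Address 00:11:32:a7:d5:88 Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message (53), length 1: ACK Subnet-Mask (1), length 4: 255.255.255.0 Default-Gateway (3), length 4: 192.168.1.1 Domain-Name-Server (6), length 4: 192.168.1.1 Hostname (12), length 12: "diskstation2" Domain-Name (15), length 20: "bhf.tld" Lease-Time (51), length 4: 21600 Server-ID (54), length 4: 192.168.1.1
"""

# Constructed variant: the same exchange with the gateway option removed,
# i.e. what the capture would look like if the server really sent no gateway.
CAPTURE_NO_GATEWAY = CAPTURE.replace("Default-Gateway (3), length 4: 192.168.1.1 ", "")

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
# "Name (code), length N: value" up to the next such option or end of message.
OPT_RE = re.compile(
    r"([A-Za-z][A-Za-z-]*) \((\d+)\), length \d+: (.*?)"
    r"(?=\s+[A-Za-z][A-Za-z-]* \(\d+\), length \d+:|$)"
)


def split_messages(text):
    """One string per packet; tcpdump -v indents continuation lines, so
    fold those into the preceding timestamped line and normalise spaces."""
    msgs = []
    for line in text.splitlines():
        if TS_RE.match(line):
            msgs.append(line)
        elif msgs and line.strip():
            msgs[-1] += " " + line
    return [" ".join(m.split()) for m in msgs]


def parse_options(msg):
    """Map DHCP option code -> (name, value) for the options after the magic cookie."""
    body = msg.split("Magic Cookie", 1)[-1]
    return {int(code): (name, value) for name, code, value in OPT_RE.findall(body)}


def check_lease(capture):
    """Compare the client's Parameter-Request list (option 55) with what the ACK carries."""
    request = ack = ack_msg = None
    for msg in split_messages(capture):
        opts = parse_options(msg)
        kind = opts.get(53, ("", ""))[1]
        if kind == "Request":
            request = opts
        elif kind == "ACK":
            ack, ack_msg = opts, msg
    if request is None or ack is None:
        raise ValueError("capture must contain both a DHCP Request and an ACK")
    requested = [int(c) for c in re.findall(r"\((\d+)\)", request.get(55, ("", ""))[1])]
    m = re.search(r"Your-IP (\S+)", ack_msg)
    return {
        "your_ip": m.group(1) if m else None,
        "requested": requested,
        "missing": [c for c in requested if c not in ack],  # asked for, not in ACK
        "gateway": ack.get(3, (None, None))[1],
        "dns": ack.get(6, (None, None))[1],
    }


if __name__ == "__main__":
    for label, cap in (("thread capture", CAPTURE), ("no-gateway variant", CAPTURE_NO_GATEWAY)):
        r = check_lease(cap)
        print(f"{label}: ip={r['your_ip']} gw={r['gateway']} dns={r['dns']} "
              f"requested-but-missing={r['missing']}")
```

On the thread's capture this reports the gateway 192.168.1.1 and DNS 192.168.1.1, with only the broadcast address (28) and time zone (2) left unanswered, which is harmless; in the constructed variant option 3 shows up in the missing list. The pfSense packet capture page runs tcpdump underneath, so its text output (or `tcpdump -ni <lan_if> -v udp port 67 or port 68` on the console) can be pasted straight into `check_lease`. If the ACK does carry option 3 and the client still has no default route, the problem is on the client, which is exactly the conclusion drawn above.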
I don't have the energy to verify why it's rejecting the gateway. Perhaps something has updated in the NAS (OMV) in the meantime. The important thing is that it works, thx :)