Firewall blocks port that is allowed in the rules list
-
The rule looks OK.
Can you take a screen dump of the log line with the blocked traffic in (not the popup when you click the red X)
-
Did you port forward 3389 to your internal IP by NATting as well?
Something like:
WAN | TCP | ext.port (12345) | 10.10.0.10 | 3389 (MS RDP) | RDP -> MS-machine
This way you have to connect to your external IP on port 12345 to reach your 10.10.0.10:3389
-
Yes, please show us the firewall block log and your nat-rule as well.
-
Hi All.
Sorry for the delay. I did a new install of PfSense 1.2 and recreated all my rules, and now it works.
My guess is that somehow the firewall rule was not loaded, since it was blocked by the default rule.
Thanks for your quick responses.
Best regards
Klaus
-
My suspicion is that you had "any" in your nat rule instead of "interface IP". This is a common error that some people make when setting up NAT the first time. I guess you just did it right the second time but I guess we'll never know now. Glad you got it working though :-)
-
Hi.
Sorry about that - I was just too eager to fix it :-\
Just for the record, I tried to change the NAT rule on the new installation to 'any' and reset states. I could still connect from the outside. But then again it's not the original rule, and there is a great probability that I might have messed something up ;)
-
Hi
I really have a similar issue.
I am trying to forward my SIP traffic on port 5060 to my internal Asterisk server, but pfSense blocks all my SIP traffic.
The rule that triggered the action is:
@702 block drop in log quick all label "Default block all just to be sure"
I also upgraded to pfSense 1.2 but it didn't help. I did not recreate all my config; I did a restore.
thanx for your help
Mike
-
You have to show us the NAT rule and the firewall rule or we can't help you.
-
What is the best way? A Printscreen or the config files?
thx mike
-
here is the XML part from the NAT section:
<nat>
  <ipsecpassthru/>
  <rule>
    <protocol>tcp</protocol>
    <external-port>22</external-port>
    <target>192.168.1.16</target>
    <local-port>22</local-port>
    <interface>wan</interface>
    <descr>SSH Server Enif</descr>
  </rule>
  <rule>
    <protocol>tcp</protocol>
    <external-port>80</external-port>
    <target>192.168.20.14</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>Web Server Scutum</descr>
  </rule>
  <rule>
    <protocol>udp</protocol>
    <external-port>5060-5062</external-port>
    <target>192.168.1.15</target>
    <local-port>5060</local-port>
    <interface>wan</interface>
    <descr>SIP</descr>
  </rule>
  <rule>
    <protocol>udp</protocol>
    <external-port>10000-10200</external-port>
    <target>192.168.1.15</target>
    <local-port>10000</local-port>
    <interface>wan</interface>
    <descr>RTP</descr>
  </rule>
  <advancedoutbound>
    <rule>
      <source><network>192.168.1.0/24</network></source>
      <sourceport/>
      <descr>LAN --> WAN</descr>
      <target/>
      <interface>wan</interface>
      <destination><any/></destination>
      <natport/>
    </rule>
    <rule>
      <source><network>192.168.30.0/24</network></source>
      <sourceport/>
      <descr>WLAN --> WAN</descr>
      <target/>
      <interface>wan</interface>
      <destination><any/></destination>
      <natport/>
    </rule>
    <rule>
      <source><network>192.168.20.0/24</network></source>
      <sourceport/>
      <descr>DMZ --> WAN</descr>
      <target/>
      <interface>wan</interface>
      <destination><any/></destination>
      <natport/>
    </rule>
    <enable/>
  </advancedoutbound>
</nat>
and rules:
<filter>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <max-src-conn-rate>1</max-src-conn-rate>
    <max-src-conn-rates>10</max-src-conn-rates>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>192.168.1.16</address><port>22</port></destination>
    <log/>
    <descr>NAT SSH Server Enif</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><any/><port>443</port></destination>
    <log/>
    <descr>OpenVPN Server ( spez. inport https )</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>192.168.20.14</address><port>80</port></destination>
    <descr>NAT Web Server Scutum</descr>
  </rule>
  **<rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>udp</protocol>
    <source><network>wanip</network></source>
    <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
    <log/>
    <descr>NAT SIP</descr>
  </rule>**
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>tcp</protocol>
    <source><network>wanip</network></source>
    <destination><network>opt2</network></destination>
  </rule>
  **<rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>udp</protocol>
    <source><any/></source>
    <destination><address>192.168.1.15</address><port>10000-10200</port></destination>
    <log/>
    <descr>NAT RTP</descr>
  </rule>**
  <rule>
    <type>pass</type>
    <interface>opt2</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <source><network>opt2</network></source>
    <destination><network>lan</network></destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <source><network>opt1</network></source>
    <destination><network>wanip</network></destination>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
    <protocol>tcp/udp</protocol>
    <source><network>opt1</network><port>22</port></source>
    <destination><network>lan</network><port>22</port></destination>
  </rule>
  <rule>
    <type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
  </rule>
  <rule>
    <interface>enc0</interface>
    <type>pass</type>
    <source><any/></source>
    <destination><any/></destination>
    <descr>Permit IPSEC traffic.</descr>
    <statetype>keep state</statetype>
  </rule>
</filter>
thx mike
-
You should forward and allow tcp for the 506x ports too. The higher ports should be udp only but depending on the implementation it might need tcp there too ( http://en.wikipedia.org/wiki/Session_Initiation_Protocol ).
-
Ok
I changed this, but what is totally unclear to me is why pfSense blocks traffic that I want to pass?
thx mike
-
Show us the exact line of the block that you think should be a pass. Your firewall rules are somehow wrong. There is no other reason why it should block traffic besides that.
-
hi
that's the bold ones in the previous post; here only this one:
NAT:
<rule>
  <protocol>udp</protocol>
  <external-port>5060-5062</external-port>
  <target>192.168.1.15</target>
  <local-port>5060</local-port>
  <interface>wan</interface>
  <descr>SIP</descr>
</rule>
Rules:
<rule>
  <type>pass</type>
  <interface>wan</interface>
  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
  <protocol>udp</protocol>
  <source><network>wanip</network></source>
  <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
  <log/>
  <descr>NAT SIP</descr>
</rule>
thx mike
-
-
I was able to read the bold text the first time already ;)
I wanted to see the exact line of the block from status>systemlogs, firewall.
-
sorry
here the line:
"Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP"
mike
-
On the port forward, do you happen to have external address set to "any" instead of the interface IP?
-
I tried it, but nothing changed:
WAN TCP/UDP 5060 - 5069 192.168.1.15 (ext.: any) 5060 - 5069 SIP
Mar 17 21:34:34 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP
mike
-
external interface has to be the interface IP. "any" is for rather special needs and should not be used usually. I'm out of clues ::)
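Replaying the posted log line through the posted rules, as an added example that is not part of the thread and not pfSense code: the blocked entry shows a UDP packet from 62.65.128.62:5060 to 192.168.1.15:5060 (the destination is already the port-forward target, because pf translates before it filters), while the "NAT SIP" pass rule has `<source><network>wanip</network></source>`, which in a pfSense rule means the firewall's own WAN address rather than "arriving on WAN". A rule with that source never matches a packet from an outside SIP peer, so the packet falls through to the default block. The Python below assumes a constructed WAN address (203.0.113.10) and a constructed config fragment in the shape of the posted config.xml, evaluates the rules first-match as pfSense does, and shows the same packet passing once the rule's source is widened to any. The helper functions and their names are this example's own.

```python
"""Replay a pfSense firewall-log line through a <filter> rule set.

Added example for this thread, not pfSense code. It models only the rule
fields that appear in the posted config.xml (interface, protocol, source and
destination as any / address / network, port or port range) and evaluates
rules top to bottom, first match wins, as pfSense does.
"""
import re
import xml.etree.ElementTree as ET

# Constructed WAN address; the thread never reveals the real one.
WAN_IP = "203.0.113.10"

# Constructed fragment modelled on the posted WAN rules. Empty elements such
# as <log/> are flags; <network>wanip</network> is the "WAN address" alias.
CONFIG = """<filter>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><address>192.168.1.16</address><port>22</port></destination>
    <log/><descr>NAT SSH Server Enif</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><network>wanip</network></source>
    <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
    <log/><descr>NAT SIP</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source>
    <destination><address>192.168.1.15</address><port>10000-10200</port></destination>
    <log/><descr>NAT RTP</descr></rule>
</filter>"""

# The blocked line quoted in the thread (status > system logs > firewall).
LOG_LINE = "Mar 17 20:35:36 WAN 62.65.128.62:5060 192.168.1.15:5060 UDP"

LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_log_line(line):
    """Turn one log line into a packet dict; raises on an unrecognised format."""
    m = LOG_RE.match(line.strip().strip('"'))
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    f = m.groupdict()
    return {"iface": f["iface"].lower(), "proto": f["proto"].lower(),
            "src": f["src"], "sport": int(f["sport"]),
            "dst": f["dst"], "dport": int(f["dport"])}


def _port_ok(port_text, port):
    """<port> may be absent (any port), a single port, or 'lo-hi'."""
    if port_text is None:
        return True
    lo, _, hi = port_text.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _endpoint_ok(elem, ip, port):
    """elem is a <source> or <destination> element; absent means any."""
    if elem is None:
        return True
    if elem.find("any") is not None:
        addr_ok = True
    elif elem.find("address") is not None:
        addr_ok = ip == elem.findtext("address")
    elif elem.findtext("network") == "wanip":
        addr_ok = ip == WAN_IP      # the only interface alias modelled here
    else:
        addr_ok = False             # other aliases are unknown to this example
    return addr_ok and _port_ok(elem.findtext("port"), port)


def rule_matches(rule, pkt):
    """True if a <rule> element applies to the packet on its inbound interface."""
    if rule.findtext("interface", "").lower() != pkt["iface"]:
        return False
    proto = rule.findtext("protocol")           # absent = any protocol
    if proto and pkt["proto"] not in proto.lower().split("/"):
        return False
    return (_endpoint_ok(rule.find("source"), pkt["src"], pkt["sport"])
            and _endpoint_ok(rule.find("destination"), pkt["dst"], pkt["dport"]))


def first_match(config_xml, line):
    """descr of the first rule the logged packet hits, or None = default block."""
    pkt = parse_log_line(line)
    for rule in ET.fromstring(config_xml).findall("rule"):
        if rule_matches(rule, pkt):
            return rule.findtext("descr")
    return None


def with_source_any(config_xml, descr):
    """Copy of the config with the named rule's <source> widened to <any/>."""
    root = ET.fromstring(config_xml)
    for rule in root.findall("rule"):
        if rule.findtext("descr") == descr:
            src = rule.find("source")
            for child in list(src):
                src.remove(child)
            ET.SubElement(src, "any")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("as posted: ", first_match(CONFIG, LOG_LINE))                          # None
    print("source any:", first_match(with_source_any(CONFIG, "NAT SIP"), LOG_LINE))
```

Run as-is it reports `None` for the rules as posted (no pass rule matched, so the default block at the bottom of the ruleset logged the packet) and `NAT SIP` after the source is widened. The same matcher can be pointed at any other line from the firewall log to see which pass rule, if any, it would have hit.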