    NAT reflection and port forwards broken in RC1

    2.0-RC Snapshot Feedback and Problems - RETIRED
    47 Posts 10 Posters 16.2k Views
    • jonnyD

      +1
      Port forwarding does not work in RC-1.
      Is this fixed in the latest snapshot?

      • Supermule

        I upgraded and it still doesn't work...

        • eri--

          Can you be more explicit?
          Provide information; otherwise this is not the place for ranting.

          • Supermule

            I don't see anything in the logs... the packets are silently dropped and I only get the login screen of pfSense no matter if I turn on reflection or not.

            Tell me where to look and what I shall look for. It's basic routing that gets lost...

            Running VMware without VMware Tools installed. 3 NICs: WAN, LAN and OPT1.

            • johnpoz

              Port forwards are NOT broken, that is for sure. I clearly accessed my ssh box from outside my network yesterday; 22 is forwarded inbound to 192.168.1.6, and the LAN IP of pfSense is .253.

              I just tested NAT reflection and it is working as well:

              C:\Windows\System32>ssh snipped.homeip.net
              Could not create directory '/home/snipped/.ssh'.
              The authenticity of host 'snipped.homeip.net (24.14.xx.xx)' can't be established.
              RSA key fingerprint is 99:19:09:bd:50:98:74:ce:89:97:35:70:e4:8d:1b:ed.
              Are you sure you want to continue connecting (yes/no)?

              This is from my home Windows box on .100, clearly hitting the public IP 24.14 and being reflected back into my sshd box on 192.168.1.6.

              If you're saying something is broken, you're going to have to give details of exactly what does not work, and hopefully an example showing it NOT working, etc.

              currently on snap
              2.0-RC1 (i386)
              built on Mon Feb 28 18:12:00 EST 2011

              edit: Sounds like you're on a VM. What are you trying to reflect or forward to? Another VM on the same host? I had all kinds of issues with both 1.2.3 and the 2.0 betas with port forwarding to other VMs on the same host; I could never get it to work. I have a thread about it in the VM section and never got a response with a solution. I dropped the whole thing of running it on a VM for this reason.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • Supermule

                1.2.3 works, no issues at all. It has nothing to do with anything VM related.

                2.0 RC1 does not work for me. If I replace it with 1.2.3, it runs with no issues. Same config, same rules. I don't get any logs of anything related to this on RC1. It doesn't get blocked, it passes, but disappears.

                • eri--

                  Probably a firewall rule issue?

                  • Supermule

                    Nope... the block-all rule comes at the bottom... the same rule setup applies with no issues in 1.2.3.

                    • johnpoz

                      And again you have given NO details of what is not working.

                      Both forwards and NAT reflection work as they should on my install. So clearly it's not broken in the general code, but something specific to your setup/snap? But without specific details, how can anyone help you find the problem?

                      I have been using multiple forwards since I started playing with the 2.0 betas, and use them almost every day, and have never seen an issue with any of the snaps I have played with.

                      Unless other people come forward and say theirs are not working as well, and give some details, I really don't see how anyone can either find the bug in the code or help you with your specific problem.

                      You say it's working in 1.2.3; are you doing a clean install of 2.0, or trying to upgrade and install your rules/settings into the 2.0 instance?

                      • jlepthien

                        Again? Come on guys...
                        Every time someone said that NAT reflection was not working with the beta, it actually did...
                        Right now I tested port forwarding to an internal web server, which works. Also NAT reflection from WLAN->LAN with my external web server's hostname works flawlessly...

                        I don't know what you guys are doing wrong all the time...

                        I am using 2.0-RC1 (i386) built on Mon Feb 28 14:28:32 EST 2011 btw...

                        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                        • Supermule

                          I don't see anything in the logs... I am actually asking kindly for help to find info that is related to the matter.

                          How the hell should I be able to answer what is wrong, when it doesn't tell me anything?

                          It is a fresh install from scratch of 2.0 RC1, and it and the 1.2.3 machine are both running in the same VM environment. FreeBSD 32-bit.

                          So unless you can tell me where to find logs that tell me what is wrong, I suggest you take it easy.

                          Try to help instead of patronizing me...

                          • jlepthien

                            You could start by telling us EXACTLY what you did to set it up. 'Doesn't work' is not really a helpful problem description. Give us every step you did and we can help you by telling you where you went wrong...

                            • Supermule

                              I set up the box, added the interfaces: WAN, LAN and OPT1. Gave them the relevant IP address ranges, did the rules and port forwards and put it online. Nothing came through to the relevant servers behind. Every internal website was going to the login page of pfSense. I couldn't access the sites from outside either, despite the block-all rule coming last in the rule list. Everything was set up just like 1.2.3 and nothing worked. A gateway was given and I could access external sites just fine. It didn't change anything if I enabled or disabled the NAT reflection. Rebooted 3 times to see if it would change things... it did not. Upgrading to newer snapshots didn't work either.

                              • GruensFroeschli

                                To what is your external IP set in the port forward?
                                ("any" would be wrong)

                                We do what we must, because we can.

                                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                • Supermule

                                  Interface address... :)

                                  • jlepthien

                                    Please post your configuration and mask all confidential information in there. Then we can have a look at it...

                                    • Supermule

                                      Will set it up again this evening with the latest snap... Deleted it in VMware out of sheer anger :D

                                      • jlepthien

                                        Also do some tests from outside afterwards, e.g. 'telnet hostname port' to see if you get a connection. For NAT reflection to work you also need to disable the checkbox under System->Advanced->Firewall/NAT for reflection...

                                        If it doesn't work, post your configuration or at least screenshots. If you say 'I set up the rules', how are we supposed to know you did everything right? Did you just add the firewall rule, or also the NAT rule? More details please: source, destination and so on. But again, just posting your configuration would be easier. I am still on the first RC snap and it is working with it.

                                        • Supermule

                                          Will do!

                                          • Supermule

                                            This is my config...

                                            Just a test setup, but still doesn't work.

                                            <pfsense>
                                              <version>7.6</version>
                                              <lastchange/>
                                              <theme>pfsense_ng</theme>
                                              <sysctl>
                                                <item><tunable>debug.pfftpproxy</tunable><value>default</value></item>
                                                <item><tunable>vfs.read_max</tunable><value>default</value></item>
                                                <item><tunable>net.inet.ip.portrange.first</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.blackhole</tunable><value>default</value></item>
                                                <item><tunable>net.inet.udp.blackhole</tunable><value>default</value></item>
                                                <item><tunable>net.inet.ip.random_id</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.drop_synfin</tunable><value>default</value></item>
                                                <item><tunable>net.inet.ip.redirect</tunable><value>default</value></item>
                                                <item><tunable>net.inet6.ip6.redirect</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.syncookies</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.recvspace</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.sendspace</tunable><value>default</value></item>
                                                <item><tunable>net.inet.ip.fastforwarding</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.delayed_ack</tunable><value>default</value></item>
                                                <item><tunable>net.inet.udp.maxdgram</tunable><value>default</value></item>
                                                <item><tunable>net.link.bridge.pfil_onlyip</tunable><value>default</value></item>
                                                <item><tunable>net.link.bridge.pfil_member</tunable><value>default</value></item>
                                                <item><tunable>net.link.bridge.pfil_bridge</tunable><value>default</value></item>
                                                <item><tunable>net.link.tap.user_open</tunable><value>default</value></item>
                                                <item><tunable>kern.rndtest.verbose</tunable><value>default</value></item>
                                                <item><tunable>kern.randompid</tunable><value>default</value></item>
                                                <item><tunable>net.inet.ip.intr_queue_maxlen</tunable><value>default</value></item>
                                                <item><tunable>hw.syscons.kbd_reboot</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.inflight.enable</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.log_debug</tunable><value>default</value></item>
                                                <item><tunable>net.inet.icmp.icmplim</tunable><value>default</value></item>
                                                <item><tunable>net.inet.tcp.tso</tunable><value>default</value></item>
                                                <item><tunable>kern.ipc.maxsockbuf</tunable><value>default</value></item>
                                              </sysctl>
                                              <system>
                                                <optimization>normal</optimization>
                                                <hostname>pfsense</hostname>
                                                <domain>localdomain</domain>
                                                <group>
                                                  <name>all</name>
                                                  <scope>system</scope>
                                                  <gid>1998</gid>
                                                  <member>0</member>
                                                </group>
                                                <group>
                                                  <name>admins</name>
                                                  <scope>system</scope>
                                                  <gid>1999</gid>
                                                  <member>0</member>
                                                  <priv>page-all</priv>
                                                </group>
                                                <user>
                                                  <name>admin</name>
                                                  <scope>system</scope>
                                                  <groupname>admins</groupname>
                                                  <password>xxxx</password>
                                                  <uid>0</uid>
                                                  <priv>user-shell-access</priv>
                                                </user>
                                                <nextuid>2000</nextuid>
                                                <nextgid>2000</nextgid>
                                                <timezone>Europe/Copenhagen</timezone>
                                                <time-update-interval/>
                                                <timeservers>dk.pool.ntp.org</timeservers>
                                                <webgui>
                                                  <protocol>http</protocol>
                                                  <ssl-certref>xxx</ssl-certref>
                                                </webgui>
                                                <maximumstates/>
                                                <maximumtableentries/>
                                                <enablebinatreflection>yes</enablebinatreflection>
                                                <reflectiontimeout/>
                                                <dnsserver>8.8.8.8</dnsserver>
                                                <dnsserver>208.67.222.222</dnsserver>
                                                <dnsserver>195.67.199.39</dnsserver>
                                                <dnsserver>195.67.199.40</dnsserver>
                                                <dnsallowoverride/>
                                                <firmware>
                                                  <allowinvalidsig></allowinvalidsig>
                                                </firmware>
                                                <gitsync>
                                                  <branch></branch>
                                                </gitsync>
                                              </system>
                                              <interfaces>
                                                <wan>
                                                  <enable/>
                                                  <if>em0</if>
                                                  <blockpriv/>
                                                  <blockbogons/>
                                                  <media/>
                                                  <mediaopt/>
                                                  <spoofmac/>
                                                  <ipaddr>xxx.xxx.201.114</ipaddr>
                                                  <subnet>28</subnet>
                                                  <gateway>Telia</gateway>
                                                </wan>
                                                <lan>
                                                  <enable/>
                                                  <if>em1</if>
                                                  <ipaddr>192.168.1.1</ipaddr>
                                                  <subnet>16</subnet>
                                                  <media/>
                                                  <mediaopt></mediaopt>
                                                </lan>
                                                <opt1>
                                                  <if>em2</if>
                                                  <enable/>
                                                  <spoofmac/>
                                                  <ipaddr>192.168.10.1</ipaddr>
                                                  <subnet>24</subnet>
                                                </opt1>
                                              </interfaces>
                                              <staticroutes/>
                                              <dhcpd>
                                                <lan>
                                                  <range>
                                                    <from>192.168.1.100</from>
                                                    <to>192.168.1.199</to>
                                                  </range>
                                                </lan>
                                              </dhcpd>
                                              <pptpd>
                                                <mode/>
                                                <redir/>
                                                <localip></localip>
                                              </pptpd>
                                              <dnsmasq>
                                                <enable/>
                                                <domainoverrides>
                                                  <domain>netxxxxxx.dk</domain>
                                                  <ip>192.168.1.1</ip>
                                                </domainoverrides>
                                              </dnsmasq>
                                              <snmpd>
                                                <syslocation/>
                                                <syscontact/>
                                                <rocommunity>public</rocommunity>
                                              </snmpd>
                                              <diag>
                                                <ipv6nat></ipv6nat>
                                              </diag>
                                              <bridge/>
                                              <syslog/>
                                              <nat>
                                                <ipsecpassthru>
                                                  <enable></enable>
                                                </ipsecpassthru>
                                                <rule>
                                                  <source>
                                                    <any/>
                                                    <port>25</port>
                                                  </source>
                                                  <destination>
                                                    <network>wanip</network>
                                                    <port>25</port>
                                                  </destination>
                                                  <protocol>tcp</protocol>
                                                  <target>ISA</target>
                                                  <local-port>25</local-port>
                                                  <interface>wan</interface>
                                                  <descr/>
                                                  <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
                                                </rule>
                                                <rule>
                                                  <source>
                                                    <any/>
                                                    <port>80</port>
                                                  </source>
                                                  <destination>
                                                    <network>wanip</network>
                                                    <port>80</port>
                                                  </destination>
                                                  <protocol>tcp</protocol>
                                                  <target>ISA</target>
                                                  <local-port>80</local-port>
                                                  <interface>wan</interface>
                                                  <descr/>
                                                  <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
                                                </rule>
                                              </nat>
                                              <filter>
                                                <rule>
                                                  <source>
                                                    <any/>
                                                    <port>25</port>
                                                  </source>
                                                  <interface>wan</interface>
                                                  <protocol>tcp</protocol>
                                                  <destination>
                                                    <address>ISA</address>
                                                    <port>25</port>
                                                  </destination>
                                                  <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
                                                </rule>
                                                <rule>
                                                  <source>
                                                    <any/>
                                                    <port>80</port>
                                                  </source>
                                                  <interface>wan</interface>
                                                  <protocol>tcp</protocol>
                                                  <destination>
                                                    <address>ISA</address>
                                                    <port>80</port>
                                                  </destination>
                                                  <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
                                                </rule>
                                                <rule>
                                                  <id/>
                                                  <type>block</type>
                                                  <interface>wan</interface>
                                                  <tag/>
                                                  <tagged/>
                                                  <max/>
                                                  <max-src-nodes/>
                                                  <max-src-conn/>
                                                  <max-src-states/>
                                                  <statetimeout/>
                                                  <statetype>keep state</statetype>
                                                  <os/>
                                                  <protocol>tcp/udp</protocol>
                                                  <source>
                                                    <any/>
                                                  </source>
                                                  <destination>
                                                    <any></any>
                                                  </destination>
                                                </rule>
                                                <rule>
                                                  <type>pass</type>
                                                  <interface>lan</interface>
                                                  <source>
                                                    <network>lan</network>
                                                  </source>
                                                  <destination>
                                                    <any></any>
                                                  </destination>
                                                </rule>
                                              </filter>
                                              <shaper/>
                                              <ipsec>
                                                <preferoldsa></preferoldsa>
                                              </ipsec>
                                              <aliases>
                                                <alias>
                                                  <name>ISA</name>
                                                  <address>192.168.1.50</address>
                                                  <descr/>
                                                  <type>host</type>
                                                  <detail></detail>
                                                </alias>
                                              </aliases>
                                              <proxyarp/>
                                              <cron>
                                                <item>
                                                  <minute>0</minute>
                                                  <hour>*</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 newsyslog]]></command>
                                                </item>
                                                <item>
                                                  <minute>1,31</minute>
                                                  <hour>0-5</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 adjkerntz -a]]></command>
                                                </item>
                                                <item>
                                                  <minute>1</minute>
                                                  <hour>3</hour>
                                                  <mday>1</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 /etc/rc.update_bogons.sh]]></command>
                                                </item>
                                                <item>
                                                  <minute>*/60</minute>
                                                  <hour>*</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout]]></command>
                                                </item>
                                                <item>
                                                  <minute>1</minute>
                                                  <hour>1</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 /etc/rc.dyndns.update]]></command>
                                                </item>
                                                <item>
                                                  <minute>*/60</minute>
                                                  <hour>*</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot]]></command>
                                                </item>
                                                <item>
                                                  <minute>30</minute>
                                                  <hour>12</hour>
                                                  <mday>*</mday>
                                                  <month>*</month>
                                                  <wday>*</wday>
                                                  <who>root</who>
                                                  <command><![CDATA[/usr/bin/nice -n20 /etc/rc.update_urltables]]></command>
                                                </item>
                                              </cron>
                                              <wol/>
                                              <rrd>
                                                <enable></enable>
                                              </rrd>
                                              <load_balancer>
                                                <monitor_type>
                                                  <name>ICMP</name>
                                                  <type>icmp</type>
                                                </monitor_type>
                                                <monitor_type>
                                                  <name>TCP</name>
                                                  <type>tcp</type>
                                                </monitor_type>
                                                <monitor_type>
                                                  <name>HTTP</name>
                                                  <type>http</type>
                                                  <options>
                                                    <path>/</path>
                                                    <host></host>
                                                    <code>200</code>
                                                  </options>
                                                </monitor_type>
                                                <monitor_type>
                                                  <name>HTTPS</name>
                                                  <type>https</type>
                                                  <options>
                                                    <path>/</path>
                                                    <host></host>
                                                    <code>200</code>
                                                  </options>
                                                </monitor_type>
                                                <monitor_type>
                                                  <name>SMTP</name>
                                                  <type>send</type>
                                                  <options>
                                                    <send>EHLO nosuchhost</send>
                                                    <expect>250-</expect>
                                                  </options>
                                                </monitor_type>
                                              </load_balancer>
                                              <widgets>
                                                <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
                                              </widgets>
                                              <revision>
                                                <time>1299152187</time>
                                                <username>admin</username>
                                              </revision>
                                              <openvpn/>
                                              <l7shaper>
                                                <container></container>
                                              </l7shaper>
                                              <dnshaper/>
                                              <cert>
                                                <refid>4d6f3f19cede8</refid>
                                                <crt>xxx</crt>
                                                <prv>xxx</prv>
                                              </cert>
                                              <ppps/>
                                              <gateways>
                                                <gateway_item>
                                                  <interface>wan</interface>
                                                  <gateway>xx.xxx.201.113</gateway>
                                                  <name>Telia</name>
                                                  <weight>1</weight>
                                                  <descr/>
                                                  <defaultgw></defaultgw>
                                                </gateway_item>
                                              </gateways>
                                            </pfsense>

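The questions put to the poster earlier in the thread (GruensFroeschli: what the external address of the forward is set to; jlepthien: whether the NAT rule has its associated firewall rule and whether the reflection checkbox under System->Advanced is set) can all be answered from a saved config.xml without the GUI. The script below is an added example written for this thread, not pfSense's own code. It reads the <nat>, <filter> and <aliases> sections using the element names that appear in the posted config, prints a pf-style rdr line for each port forward (an approximation of the rule pf ends up with, not pfSense's exact output) and flags the usual mistakes. Assumptions: the element name disablenatreflection for the "Disable NAT Reflection" checkbox does not appear in the posted config and is assumed; the sample config embedded in the script is constructed from the posted one, and its rule 0 keeps the <port> inside <source> that the posted rules carry. In pf, a source port on a redirect matches the client's own source port, and ordinary clients connect from an ephemeral port, so such a redirect only matches clients that happen to connect from that exact port.

```python
"""Audit the port forwards (<nat><rule>) of a pfSense 2.x config.xml for the
settings that make a forward, or its NAT reflection, fail without a log entry.
Added example for this thread, not pfSense's own code."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, trimmed from the config posted above: rule 0 keeps the
# source-port restriction of the posted rules, rule 1 is a correct forward,
# rule 2 uses destination "any" and has no associated filter rule.
SAMPLE_CONFIG = """<pfsense>
<system><enablebinatreflection>yes</enablebinatreflection></system>
<nat>
 <rule><source><any/><port>25</port></source><destination><network>wanip</network><port>25</port></destination>
  <protocol>tcp</protocol><target>ISA</target><local-port>25</local-port><interface>wan</interface>
  <associated-rule-id>nat_1</associated-rule-id></rule>
 <rule><source><any/></source><destination><network>wanip</network><port>80</port></destination>
  <protocol>tcp</protocol><target>ISA</target><local-port>80</local-port><interface>wan</interface>
  <associated-rule-id>nat_2</associated-rule-id></rule>
 <rule><source><any/></source><destination><any/><port>443</port></destination>
  <protocol>tcp</protocol><target>192.168.1.50</target><local-port>443</local-port><interface>wan</interface></rule>
</nat>
<filter>
 <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
  <destination><address>ISA</address><port>25</port></destination><associated-rule-id>nat_1</associated-rule-id></rule>
 <rule><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
  <destination><address>ISA</address><port>80</port></destination><associated-rule-id>nat_2</associated-rule-id></rule>
</filter>
<aliases><alias><name>ISA</name><address>192.168.1.50</address></alias></aliases>
</pfsense>"""


@dataclass
class Finding:
    rule: int                                  # index of the <rule> under <nat>
    rdr: str                                   # approximate pf redirect rule
    problems: list = field(default_factory=list)


def _text(elem, path, default=""):
    """Stripped text of a child element, or default if absent or empty."""
    node = elem.find(path)
    if node is None or not (node.text or "").strip():
        return default
    return node.text.strip()


def _is_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def nat_reflection_disabled(config_xml):
    """True when 'Disable NAT Reflection' is ticked (element name assumed)."""
    return ET.fromstring(config_xml).find("system/disablenatreflection") is not None


def audit_port_forwards(config_xml):
    root = ET.fromstring(config_xml)
    aliases = {_text(a, "name"): _text(a, "address") for a in root.iter("alias")}
    # ids of the filter rules that pfSense created for (and linked to) a forward
    linked = {_text(r, "associated-rule-id") for r in root.iterfind("filter/rule")}
    linked.discard("")
    findings = []
    for idx, rule in enumerate(root.iterfind("nat/rule")):
        iface = _text(rule, "interface", "wan")
        proto = _text(rule, "protocol", "tcp")
        sport = _text(rule, "source/port")
        dport = _text(rule, "destination/port")
        lport = _text(rule, "local-port", dport)
        raw_target = _text(rule, "target")
        target = aliases.get(raw_target, raw_target)   # alias name -> address
        dst_any = rule.find("destination/any") is not None
        src = "any" + (f" port {sport}" if sport else "")
        dst = "any" if dst_any else f"({iface})"
        f = Finding(idx, f"rdr on {iface} proto {proto} from {src} to {dst} port {dport}"
                         f" -> {target} port {lport}")
        if sport:   # pf matches the client's source port, which is normally ephemeral
            f.problems.append(f"source port restricted to {sport}: only clients connecting "
                              f"FROM port {sport} are redirected")
        if dst_any:
            f.problems.append("destination 'any': redirects traffic to every address, "
                              "not only the WAN address")
        if raw_target not in aliases and not _is_ipv4(raw_target):
            f.problems.append(f"target '{raw_target}' is neither an alias nor an IPv4 address")
        assoc = _text(rule, "associated-rule-id")
        if assoc != "pass" and assoc not in linked:
            f.problems.append("no associated pass rule on the interface: the packet is "
                              "redirected and then dropped by the block rule")
        findings.append(f)
    return findings


if __name__ == "__main__":
    print("reflection disabled:", nat_reflection_disabled(SAMPLE_CONFIG))
    for f in audit_port_forwards(SAMPLE_CONFIG):
        print(f"rule {f.rule}: {f.rdr}")
        for p in f.problems:
            print("  !", p)
```

To run it against a real box, replace SAMPLE_CONFIG with the contents of a config.xml exported from Diagnostics > Backup/Restore (mask nothing; the script only reads rule structure). A forward that passes every check here can still fail for reasons outside config.xml, such as the target host having no route back through the firewall, so a connection test from outside as suggested above remains the final word.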
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.