Netgate Discussion Forum

    NAT reflection and port forwards broken in RC1

    2.0-RC Snapshot Feedback and Problems - RETIRED
    47 Posts 10 Posters 16.2k Views
    • Guest

      The WAN rule only lets the packet in, once the packet is in it still has the original source port. So with your port forwards set to have the source port the same as the destination port, normally that wouldn't work. Like others have said when a server/service sends packets out, it is not always, or never, leaving from the same port as your server/service is listening on. I will post later and show firewall logs as an example.

      Could you explain a little further by what you mean when you say your ISP is relaying?

      Also you said your 1.2.3 has the same settings as your RC1, are they both virtual machines or is your 1.2.3 a physical machine?

      • Supermule (Banned)

        Both virtual….

        My mailserver in the test setup is relayed by my ISP. I have to use their mailserver for relay...Everything is broadcasted on port 25.

        I don't have any issues running 1.2.3 at all. It works fine and have always done exactly that.

        • stephenw10 (Netgate Administrator)

          Seems to be a lot of confusion between firewall rules and Port Forward rules here.

          External port must be any. Never does a server connect from his port 25 to 25….

          That's clearly wrong. If that were true then you'd be port forwarding packets arriving on WAN on ANY port to your internal SMTP server.  ::)

          The above quote is true for firewall rules though but the posted table is port forwarding.

          Steve

          Edit: It's correct that the source port won't be 25 but that's not relevant to port forwarding.

          • Guest

            Looking at your config, your NAT port forwards say Destination: WANIP, but your WAN rules show Destination: 192.168.1.50 (ISA).

            Maybe change your port forward Destination: Any…  or to ISA instead of WAN.

            So your rules will allow anything with the destination ISA, but your port forward only forwards when they have the destination of WANIP, your rules aren't allowing such packets in.

            I don't remember 1.2.3 giving you the option of specifying the Destination IP like 2.0 does for port forwards.

            • stephenw10 (Netgate Administrator)

              Surely packets arriving on WAN are going to have destination WANIP otherwise they wouldn't arrive!?

              Does 'destination' in config.xml not correspond to 'IF' in the GUI table?
              Edit: Scrub that. Clearly not!  :-[

              Packets hit the port forwarder before the firewall.

              Steve

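The rdr-before-filter order described above, written up as a simplified model for this thread (an added example, not pfSense's or pf's own code; the WAN and remote addresses are constructed): one inbound SMTP connection is checked against a WAN rule built the way discussed earlier (destination WANIP, source port 25) and against one with destination 192.168.1.50 and source port any.

```python
# Simplified model of the order described in the thread: the port forward (pf "rdr")
# rewrites the destination first, and the WAN firewall rules are then evaluated
# against the rewritten packet. Added example, not pfSense's code.
from collections import namedtuple

ANY = "any"
WAN_IP = "203.0.113.10"   # constructed public WAN address
ISA = "192.168.1.50"      # the internal server named in the thread

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
Forward = namedtuple("Forward", "dst_ip dst_port target target_port")  # rdr rule
Rule = namedtuple("Rule", "name src_port dst_ip dst_port")  # WAN pass rule; ANY is wildcard

def apply_forwards(pkt, forwards):
    """Port-forward stage: the first matching forward rewrites the destination."""
    for fw in forwards:
        if (pkt.dst_ip, pkt.dst_port) == (fw.dst_ip, fw.dst_port):
            return pkt._replace(dst_ip=fw.target, dst_port=fw.target_port)
    return pkt

def first_matching_rule(pkt, rules):
    """Firewall stage: name of the first pass rule matching the (already NATed) packet."""
    for r in rules:
        if (r.src_port in (ANY, pkt.src_port) and r.dst_ip in (ANY, pkt.dst_ip)
                and r.dst_port == pkt.dst_port):
            return r.name
    return None

def evaluate(pkt, forwards, rules):
    """Return (packet after rdr, matching pass rule name or None): rdr runs first."""
    nat_pkt = apply_forwards(pkt, forwards)
    return nat_pkt, first_matching_rule(nat_pkt, rules)

# Constructed inbound SMTP SYN: the remote relay connects from an ephemeral port, not 25.
INBOUND = Packet("198.51.100.7", 51234, WAN_IP, 25)
FORWARDS = [Forward(WAN_IP, 25, ISA, 25)]
# The two mistakes discussed above: destination WANIP (already rewritten) and source port 25.
RULES_WRONG = [Rule("dst WANIP, src port 25", 25, WAN_IP, 25)]
RULES_RIGHT = [Rule("dst ISA, src port any", ANY, ISA, 25)]

if __name__ == "__main__":
    for rules in (RULES_WRONG, RULES_RIGHT):
        nat_pkt, hit = evaluate(INBOUND, FORWARDS, rules)
        print(f"after rdr -> {nat_pkt.dst_ip}:{nat_pkt.dst_port}; pass rule: {hit}")
```

Because the forward has already rewritten the destination to 192.168.1.50 by the time the rules run, the WANIP rule never matches, and the source-port-25 condition fails on its own as well.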
              • Guest

                Is that true, the packets hit the port forwarder before the rules are applied? Wouldn't that over-work the firewall for the masses of hits we get from china? Well my CPU load is never over 1% so I guess not, but good to know that is how it works.

                • jlepthien

                  Well China won't kill you because there are no NAT rules in place besides the ones you specify…

                  | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                  • Guest

                    I just figured it still checks all requests against the port forwards to see if they match, and it would be that checking causing usage. I only have about 10 port forwards, but I figured if somebody had maybe 20 port forwards, maybe 100+ hits a minute to check against 20 rules, that would add up. But like I said I never get over 1% used so I guess not.

                    I just never knew that it went through port forwards first, very good to know though lol. I can adjust my WAN rule set accordingly.

                    • stephenw10 (Netgate Administrator)

                      @heavy1metal:

                      I just never knew that it went through port forwards first, very good to know though.

                      I had always assumed it was the other way around but was recently informed of my ignorance!  :P

                      When you know this it all makes more sense.  :)

                      Steve

                      • Guest

                        @stephenw10:

                        @heavy1metal:

                        I just never knew that it went through port forwards first, very good to know though.

                        I had always assumed it was the other way around but was recently informed of my ignorance!  :P

                        When you know this it all makes more sense.  :)

                        Steve

                        Well that's two of us, but yes it does make a whole lot of sense :-)

                        • jlepthien

                          @stephenw10:

                          Seems to be a lot of confusion between firewall rules and Port Forward rules here.

                          External port must be any. Never does a server connect from his port 25 to 25….

                          That's clearly wrong. If that were true then you'd be port forwarding packets arriving on WAN on ANY port to your internal SMTP server.  ::)

                          The above quote is true for firewall rules though but the posted table is port forwarding.

                          Steve

                          Edit: It's correct that the source port won't be 25 but that's not relevant to port forwarding.

                          That's what I meant. On NAT you have a source port of <1023 and a destination port of 25. The rules which are then associated with the NAT rule cannot be altered. But if some mailserver on the internet wants to connect to pfSense, it certainly does NOT have port 25 as its source port…

                          @Supermule did you try the connection from a different machine than the one the port is forwarded to? Also uncheck 'Disables the automatic creation of additional NAT...' under System->Advanced->Firewall/NAT...

                          | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                          • Supermule (Banned)

                            Yes….both outside and inside the FW. Nothing is forwarded and NAT reflection is the same turned off or not.

                            • jlepthien

                              Yes, but also from a different local machine? Then connect via ssh and do some tcpdumps…
                              e.g. tcpdump -nvli LAN_INTERFACE port 25 and have a look if packets are coming in on LAN and out to your server...

                              | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                              • DeadNewbie

                                I don't know if you have got this resolved yet.

                                I am puzzled by an earlier statement that you made: 'Nothing came through to the relevant servers behind. Every internal website was going to the login page of PFSense.' This leads me to think that one of your port forward rules points at your WANIP.

                                I have 3 port forwards and all work from an internal machine, but I have multiple virtual IPs for this; if I try to get to my WAN IP I do also get to the login page.

                                I did have to set NAT reflection on the port forwards to enabled instead of system default.

                                Let me know if I can help with anything.

                                • Supermule (Banned)

                                  I will see how it goes with the latest snaps. Been trying to figure a way to get the ARP entries to stay in 1.2.3 when using multiple LAN interfaces.
