Netgate Discussion Forum

    [SOLVED] Port forward issue on 2.0 RC or …

    2.0-RC Snapshot Feedback and Problems - RETIRED
      Tzakanel

      Greetings all!

      I've been lurking around this forum and tried to find my answers before posting any question. It seems that I hit a big bump or I cannot see it right.
      Here's the situation: I have installed 2.0-RC1 built on Thu Mar 31 07:40:20 EDT 2011.
      I tried to configure a simple port forward for an internal web server; I attached an image of it: port_fw.png
      Next I configured the rule in the firewall to log the interaction.
      Here is the image that shows that log.png
      Here's the part of the xml file on this entry:

      
      <nat>
        <ipsecpassthru><enable></enable></ipsecpassthru>
        <advancedoutbound>
          <rule>
            <source><any></any></source>
            <destination>
              <network>wanip</network>
              <port>8989</port>
            </destination>
            <protocol>tcp</protocol>
            <target>192.168.230.100</target>
            <local-port>80</local-port>
            <interface>wan</interface>
            <associated-rule-id>nat_4d94ba3e3aa947.01959338</associated-rule-id>
          </rule>
        </advancedoutbound>
      </nat>
      
      

      Here's the issue, cannot get to the webserver. It seems that port forwarding does not work as expected OR I'm missing something small that makes all the difference.
      I have to say that I checked the webserver logs to check if it gets any hits from pfSense and there is no entry.

      Any help is greatly appreciated even if it means a slap on my forehead :)

        Bill48105

        Hi,
        Did you verify you can connect to 192.168.230.100 on port 80 on the local network? I'm pretty new to pfSense but that screenshot makes it look like the packets passed, which leads me to believe the box they are being forwarded to is not getting them or not responding maybe. Did you triple check the IP & port in the map are right? :D
        Bill

          Tzakanel

          Hi Bill

          Thank you for your insight.
          Here's the image to answer your question.
          I tried every approach that I think of to find out what's happening, but who knows what I missed.

          ping.png
            wallabybob

            ping is not a very good diagnostic tool to check connections to web servers. Try # telnet <host-ip> 80 which will attempt to connect to port 80 on host-ip. On connection type X then hit the Enter key and you should see some HTML returned. For example, on my pfSense console to a local web server:

            telnet mail 80

            Trying 192.168.37.200…
            Connected to mail.example.org.
            Escape character is '^]'.
            X

            <title>501 Method Not Implemented</title>

            Method Not Implemented

            X to /index.htm not supported.

            Connection closed by foreign host.

              Bill48105

              Yeah, as wallabybob said, ping isn't the definitive test. The ping tells you SOMETHING is responding (which is good) but doesn't tell you what is there or what services that device provides. Perhaps the IPs changed etc. Definitely try the telnet test or even just use a web browser. Just cuz pfSense isn't blocking them doesn't mean they are going where you expect them to be & that's what you need to track down. ;)
              Bill

                tommyboy180

                I had some port forwarding issues when I upgraded. I logged the deal here: http://forum.pfsense.org/index.php/topic,34559.msg179536.html#msg179536

                -Tom Schaefer
                SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

                Please support pfBlocker | File Browser | Strikeback

                  Tzakanel

                  Thank you all for your answers.

                  The problem still exists. The host answers to ping and to telnet from LAN. If I try to connect from WAN through NAT by telnet or by http I cannot get there. The interesting thing is that the firewall log shows that it passes the packages.

                  I don't know what else to try or to look.
                  How else can I check if NAT Port Forwarding is working fine?

                    Bill48105

                    Tzakanel,
                    Make sure you can connect to the private IP internally using whatever program is intended for that service (in this case a web browser I take it, or telnet on the port), then work your way out of the network, preferably testing from the outside (vs looping back from inside) & go from there. Port forwards will never work if it does not work internally on the private IP. (For example, if you set up your server service to bind to 127.0.0.1 you can redirect traffic to it all day & it won't work. Same if the internal IP changed due to DHCP. Same goes if a software firewall is stopping it on the server. Ditto if it isn't really listening on the port you are expecting. Etc Etc)
                    If you are sure it works inside, if all else fails, back up, delete the port mapping & associated firewall rule (assuming it is not linked), apply, then create it again & see if that fixes it.
                    Bill

                      Tzakanel

                      Thanks for support.
                      This comes as a slap on the forehead and here's why.

                      I tried to replace an old firewall with this pfSense 2.0RC because I liked it when I tested it and for the main reason that it does Fail Over and Load Balance. While replacing the old firewall, which was the gateway situated at x.x.x.254, the new one is situated at x.x.x.1. Since what was getting its IP from DHCP was working fine, my issue started with the servers that had static IP because they had the OLD GATEWAY in their settings. That's why they were replying to the pings inside the LAN.
                      As soon as I changed to the new gateway which is the firewall mentioned in this post the port forward came back to normal.

                      Told y'all that it must be a glitch somewhere, this time was in my head :)
                      Thanks again.
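
The root cause in the last post, as an added example that is not part of the thread: it models the server's reply-path decision to show why LAN tests succeeded and the firewall logged a pass while WAN connections through the forward failed. The /24 mask, the 192.168.230 prefix on both gateways and the client addresses are assumptions; the thread gives only x.x.x.254 and x.x.x.1.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the thread gives only the forward target 192.168.230.100
# and the gateways as x.x.x.254 (old) and x.x.x.1 (pfSense). The /24 mask and
# the 192.168.230 prefix on the gateways are assumptions.
FIREWALL_LAN_IP = "192.168.230.1"
OLD_GATEWAY = "192.168.230.254"


@dataclass
class Host:
    ip: str        # address of the internal server
    prefix: int    # netmask length
    gateway: str   # default gateway configured on the server


def reply_next_hop(host: Host, client_ip: str) -> str:
    """Return where the server sends its reply to client_ip."""
    net = ipaddress.ip_network(f"{host.ip}/{host.prefix}", strict=False)
    if ipaddress.ip_address(client_ip) in net:
        return "on-link"          # same subnet: default gateway never consulted
    return host.gateway           # off-subnet: reply goes to the default gateway


def diagnose(host: Host, client_ip: str, firewall_lan_ip: str = FIREWALL_LAN_IP) -> str:
    """Classify whether a forwarded connection from client_ip can complete."""
    hop = reply_next_hop(host, client_ip)
    if hop == "on-link":
        return "ok: LAN client, gateway not used"
    if hop == firewall_lan_ip:
        return "ok: reply returns through the firewall holding the NAT state"
    return f"broken: reply goes to {hop}, not to {firewall_lan_ip}"


def stale_gateway_hosts(hosts, firewall_lan_ip: str = FIREWALL_LAN_IP):
    """List the IPs of hosts whose default gateway is not the NAT firewall."""
    return [h.ip for h in hosts if h.gateway != firewall_lan_ip]


if __name__ == "__main__":
    web = Host("192.168.230.100", 24, OLD_GATEWAY)     # static server, old gateway
    for client in ("192.168.230.50", "203.0.113.10"):  # LAN test, WAN test
        print(client, "->", diagnose(web, client))
```

The firewall log records only the inbound SYN being passed and translated; the reply that leaves through the other gateway never reaches the device holding the NAT state, so the log looks healthy while the connection times out.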
