Can't achieve simple port forward
-
i am not lying when i say i already did as the screen shot shows.
it's simply not working.
-
I believe you! ;)
I assume you also have the required firewall rule in place? Check the firewall logs for entries after you try to connect. I am not familiar with winbox but it does talk about using a special protocol to find the router (MNDP). Try changing the protocol in the port forward to 'any' and check that this has propagated to the firewall rule.
Steve
-
On your firewall rule, click "Log packets that are handled by this rule"
Look at the firewall log and see if it's getting passed.
-
On your firewall rule, click "Log packets that are handled by this rule"
Look at the firewall log and see if it's getting passed.
under Firewall: NAT: Port Forward: Edit – there is no log option ...
however under firewall -- rules there is ... but we want to do the above and not this one.
-
If you have a port forwarded you must have an associated firewall rule for it to work.
We're assuming that you're trying to access this port from the WAN side of your pfSense router… Correct?
-
however under firewall – rules there is ... but we want to do the above and not this one.
No, this is the rule associated with the NAT, that lets the traffic through the firewall.
Cheers.
-
ok let's start again.
firewall – rules.
added a new rule under WAN interface.
then added a rule under nat - port forward ... see attached.
still not working.
-
Hi,
What about the connection (DSL / cable etc.)? Is the specific rule forwarded to the pfSense box? You have done the rules right, but if you don't use modem bridge mode that might be your problem. Let us know about it.
Regards,
SGTR
-
still not working.
Please provide more information:
How are you testing it - (for example, how do you ensure the access attempt arrives on the pfSense WAN interface)? What is reported in your test? Do you see your access attempt reported in the firewall log? Does the target application need to be configured to allow the access you are attempting?
Have you done a packet capture on pfSense WAN interface to verify the access attempt is reaching the firewall? Have you done a packet capture on the pfSense interface to which the target device is connected to verify the access attempt is being port forwarded?
You have configured a port forward for TCP. Do you know the application uses TCP and not UDP? (You were asked this earlier and I didn't see an answer.)
I have a couple of port forwards set up on my pfSense WAN interface to a server on an OPTx interface and I didn't have to do any more than set up the appropriate port forward rules.
-
coming back to this again because last time i literally gave up.
i have a router connected to the LAN port of my pfsense box.
my lan ip on my pfsense is: 10.111.63.41/24
my router is 10.111.63.42/24 accessed via port tcp 8291
so i've created the following rule. (see attached image)
and i've made sure the option "Filter rule association" to simplify things…
and it isn't working. i don't know why and how to see the firewall logs to see what's plugged and not.
please help!
-
Nat reflection : enable
fixed it.
whatever it means!
-
Hmm, NAT reflection will 'reflect' outgoing connections that are destined for incoming port forwards.
E.g. You are running a web server behind pfSense and have setup port forwarding so that users on the internet can access it. You have a domain setup and dns records that point to your pfSense WAN interface so that your web server can be accessed via a url, www.someurl.com. This works as expected.
However from within your network you cannot access the web server at www.someurl.com, problem. This is because from inside your network the url resolves to your pfSense WAN interface, an outgoing connection.
This results in either nothing or in the pfSense web interface appearing, sometimes with a security warning, instead of the expected web server.
NAT reflection resolves this by correctly routing the connection back to your internal web server. The only way this should have made any difference in your case is if you were testing the connection from inside your network.
Reading back through the thread we should have established that in the first post, whereas in fact it wasn't until Wallabybob asked:
How are you testing it - (for example, how do you ensure the access attempt arrives on the pfSense WAN interface)?
By that time you had lost the will to carry on! Sorry. :-[
Steve
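
The behaviour described in the post above, as an added example that is not part of the original thread: a small Python model of which mechanism handles a test connection, depending on where the test client sits. The LAN subnet, target and port come from the thread; the WAN address 203.0.113.10 and the client addresses are constructed, and `trace` is a hypothetical helper, not a pfSense API.

```python
import ipaddress

# From the thread: pfSense LAN 10.111.63.41/24, target 10.111.63.42, TCP 8291.
# WAN_IP and all client addresses below are constructed for illustration.
LAN_NET = ipaddress.ip_network("10.111.63.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.10")  # assumed WAN address
FORWARD = {"dst": WAN_IP, "port": 8291,
           "target": ipaddress.ip_address("10.111.63.42")}


def trace(client, dst, port, reflection=False):
    """Return (mechanism, final_host) for a TCP test from client to dst:port."""
    client = ipaddress.ip_address(client)
    dst = ipaddress.ip_address(dst)
    inside = client in LAN_NET
    hits_forward = dst == FORWARD["dst"] and port == FORWARD["port"]

    if inside and dst in LAN_NET:
        # Same subnet: the traffic never crosses the firewall, no NAT involved.
        return ("direct", str(dst))
    if hits_forward and not inside:
        # Arrives on the WAN interface: the port forward and its associated
        # firewall rule apply.
        return ("port-forward", str(FORWARD["target"]))
    if hits_forward and inside:
        if reflection:
            # NAT reflection redirects the inside connection to the target.
            return ("nat-reflection", str(FORWARD["target"]))
        # Without reflection the connection ends at the firewall's own WAN
        # address: nothing answers, or the pfSense web interface does.
        return ("firewall-itself", str(dst))
    return ("no-forward", str(dst))


if __name__ == "__main__":
    tests = [("198.51.100.7", False), ("10.111.63.50", False),
             ("10.111.63.50", True)]
    for client, refl in tests:
        print(client, "reflection" if refl else "no reflection",
              trace(client, str(WAN_IP), 8291, reflection=refl))
```

A port forward that only works once NAT reflection is enabled therefore indicates the test was run from inside the network, not from the WAN side.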
-
so in other words, nat reflection is bad?
it seems to be the only working way.
-
No, NAT reflection is the correct way to do this if you are using a URL to access an internal server.
The Winbox software appears to use its own dynamic DNS lookup somehow so this would probably apply.
http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
Steve
Edit: I can't find where I read that about WinBox and DNS now.