Command line to gui, pf rules
-
What I am trying to achieve is that whatever arrives at ports 80 and 443 of the WAN interface lands at the webserver 10.10.10.22, 25 and 110 at the mailserver 10.10.10.33, all RTP UDP packets at the VoIP server 10.10.10.44, and finally any call to 2222 at the SSH of 10.10.10.22.
How can this be achieved in the GUI?
It is called Port Forward in the GUI: Firewall -> NAT, then click on the Port Forward tab.
I suggest you start with one port (say 80), try setting up a suitable rule, test to verify it works, then build up additional port forward rules.
You will have to test this with connections arriving on the pfSense WAN interface. You can't test it from systems on your pfSense LAN interface.
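As an added illustration (not part of the original posts), the rules below are the pf.conf equivalent of what the Port Forward tab generates for the forwards the question asks for, written in the FreeBSD pf grammar pfSense uses (`rdr ... ->` rather than OpenBSD's newer `rdr-to`). The interface name em0 and the RTP range 10000-20000 are assumptions; the real RTP range depends on the PBX.

```pf
# Added example: pf.conf equivalent of the port forwards requested above.
# Assumptions: WAN is em0; RTP uses UDP 10000-20000 (check your PBX).
ext_if     = "em0"
webserver  = "10.10.10.22"
mailserver = "10.10.10.33"
voipserver = "10.10.10.44"
rtp_ports  = "10000:20000"

# --- Translation (Firewall -> NAT -> Port Forward in the GUI) ---
# "($ext_if)" means "whatever address em0 currently has", so a DHCP WAN keeps working.
# Source address and source port stay "any": the client picks its own source port.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $webserver
rdr on $ext_if proto tcp from any to ($ext_if) port { 25, 110 } -> $mailserver
rdr on $ext_if proto udp from any to ($ext_if) port $rtp_ports  -> $voipserver
# Port 2222 on the outside maps to 22 on the inside; the GUI field for this
# is "Redirect target port".
rdr on $ext_if proto tcp from any to ($ext_if) port 2222 -> $webserver port 22

# --- Filter (the "associated filter rule" the GUI adds on the WAN rules tab) ---
# Filtering is evaluated after translation, so the pass rules must name the
# internal address and port, not the WAN address or the outside port.
pass in on $ext_if proto tcp from any to $webserver  port { 80, 443, 22 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mailserver port { 25, 110 }     flags S/SA keep state
pass in on $ext_if proto udp from any to $voipserver port $rtp_ports      keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`. pf matches an existing state before it evaluates rules, so a connection whose state was created before the rdr rule keeps its old (non-translated) handling; after changing a forward, flush states (`pfctl -F states`, or Diagnostics -> States -> Reset States in the GUI) or wait for the old ones to expire, and test from outside the WAN.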
-
Thanks again for your helpful tip.
Does using 'Firewall >> NAT >> Port Forward' support Bidirectional NAT ('binat-to' in crude pf) and Transparent Interception ('divert-to' in crude pf)?
-
Binat is supported and called 1:1 in the GUI.
divert-to is also supported, depending on what you want to achieve.
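As an added example (not from the original replies), this is what the 1:1 mapping the reply refers to looks like in the FreeBSD pf grammar pfSense uses: `binat` rather than OpenBSD's `binat-to`. The public address 203.0.113.33 and the interface em0 are assumptions; a spare WAN-side address (a Virtual IP in the GUI) is needed because binat maps one whole address to another.

```pf
# Added example: 1:1 NAT (GUI: Firewall -> NAT -> 1:1) in pfSense's pf grammar.
# Assumptions: WAN is em0 and 203.0.113.33 is a spare public address routed to it.
ext_if     = "em0"
mail_pub   = "203.0.113.33"
mailserver = "10.10.10.33"

# One rule covers both directions: inbound traffic to 203.0.113.33 is rewritten
# to 10.10.10.33, and outbound traffic from 10.10.10.33 leaves as 203.0.113.33.
# It replaces per-port rdr rules for that host and must not overlap with them.
binat on $ext_if from $mailserver to any -> $mail_pub

# binat only translates; the filter still decides what gets in. Filtering runs
# after translation, so rules name the internal address. Last match wins in pf,
# so the catch-all block goes first and the specific pass rule after it.
block in on $ext_if from any to $mailserver
pass in on $ext_if proto tcp from any to $mailserver port { 25, 110 } flags S/SA keep state
```

`pfctl -s nat` shows the loaded translation rules and `pfctl -s rules` the filter rules, which is the quickest way to compare what the GUI produced with what you wrote by hand.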
-
@wallabybob, @ermal and @arad85: Thanks for your useful replies! :-D
-
Hi:
I tried to port forward as I read online and in the pfSense books, but the destination NAT is not working. Please find attached the screenshot of the NAT I created to help figure out what I did wrong. Much appreciated for any input.
![pfsense_NAT_Port Forward: Edit.png](/public/imported_attachments/1/pfsense_NAT_Port Forward: Edit.png)
-
Your problem is that you are specifying the source port.
You never know the source port, only the destination, so leave the source port as 'any'.
-
Thanks, but I changed the source ports to 'any', still no luck.
On this page (http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting) under "Common Problems", all are understandable and alright except No. 3, which states "3. Client machine is not using pfSense as its default gateway."
I used the DMZ interface as the gateway (the DMZ IP of my pfSense box is 192.168.7.254) on the client machine that is running the webserver. With that configuration it works with shorewall, but do I need to point it to the default gateway of the pfSense box, or anything else?
-
> Thanks, but I changed the source ports to 'any', still no luck.

It is sometimes necessary to reset firewall states after rule changes. See Diagnostics -> States, click on the Reset States tab, read it, and click on the Reset button.
How are you testing? Sometimes people test port forwards from the LAN side of pfSense, forgetting that the port forward applies to connections entering the box on the WAN interface.
-
I have been testing from outside the network using external proxies.
I shall try resetting the states and then let you know.
-
> Thanks, but I changed the source ports to 'any', still no luck.
>
> It is sometimes necessary to reset firewall states after rule changes. See Diagnostics -> States, click on the Reset States tab, read it, and click on the Reset button.

Thanks wallabybob for your help, which finally made it work. It is worth mentioning this in the documentation to avoid confusion for the already confused ones like me (who came from simple command lines, where a simple reload of the conf is enough). ;-)
A lesson learnt today!
-
Is there a special way to configure pfSense LAN and DMZ to work with hub and crossover cable?
Scenario to this question:
I am testing with crossover cables. Once DMZ and LAN work with a single machine attached to each, I will move the pfSense box to production, where DMZ and LAN are connected to hubs configured accordingly.
When I connect crossover cables to the DMZ and LAN zones, the internet connection is fine. Once a hub configured for the LAN or DMZ subnet is connected, the machines cannot reach the internet, and port forwards to DMZ machines do not work.
Is there a special way to make it work in pfSense GUI? Thanks!
-
That is a hardware thing. Newer hardware usually auto-detects the cable and swaps the Tx/Rx pairs if needed, e.g. when you have a straight cable between two end-user systems. On older hardware you have to use a crossover cable for a direct connection.
Switches are wired the opposite way to end-user systems, so a straight cable works: Tx on the switch is Rx on the end-user system and vice versa.
General rules:
- straight cable from an end-user system to a switch
- crossover cable between end-user systems (or between switches)
- with modern hardware it often works anyway, whatever you do
-
@Phil: Thanks.
But I have all modern hardware. So it should work in principle, but not in reality, which is why I was wondering whether I need to configure something further.
pfSense WAN port forwarded to DMZ >> connected with crossover cable >> webserver: WORKS.
pfSense WAN port forwarded to DMZ >> connected to >> hub with straight cable >> webserver: does not work.
Same with LAN (just replace DMZ with LAN; no port forward there, and DMZ is not allowed to reach LAN by firewall rules).
Where did I go wrong?
-
If they are just dumb hubs or switches, then they should work with straight cables from pfSense to the switch and from the web server to the switch. It has to be a dodgy cable, switch port or…
If it is a managed switch, with the possibility of making VLANs, turning ports on and off, limiting devices by MAC address... then that's another ball game, and you would have to make sure you know what is configured on the switch, or set it back to the factory default "connect everything to everything" mode.
Not sure I can be much more help remotely, as it does sound like a switch/connection/cable fault-finding exercise.
-
To put it precisely, I am just trying to switch from shorewall plus other command-line UTM utilities to pfSense, for the ease of other members configuring the network.
The network works without any problem with shorewall. Right now I am just swapping the cables from the shorewall box to the pfSense box to test. I do not think it is related to any hardware or configs lying behind the pfSense box. It is something in the GUI I may be confused about.
Anyway, thanks Phil for taking your invaluable time to comment.
-
> pfSense WAN port forwarded to DMZ >> connected to >> hub with straight cable >> webserver: does not work.

Do you mean HUB or SWITCH? A hub is not the same as a switch, and I suspect that some combinations of FreeBSD NIC drivers and interfaces MIGHT have trouble negotiating data rates with HUBS.
Please post the output of the following pfSense shell commands with the DMZ connected to the hub with a straight cable:
```
/etc/rc.banner
ifconfig
netstat -i -b -d
```
so we can see what types of interfaces you have and what has been negotiated.
-
Tell us about the DMZ system(s). What state are their interfaces in? Are they configured by DHCP?
I have seen cases where systems that get their configuration by DHCP go "offline" if disconnected for "too long": the DHCP client gives up permanently after a certain number of tries that get no response.