Port Forwarding troubles
-
From time to time.
-
What does your LAN firewall rule look like?
-
I don't recall changing it, so it should be whatever the default is. Can you please tell me where I would find it in the settings?
Thanks!
-
You posted your WAN firewall Rule. Same place, except click the LAN tab.
-
imgur just went down, so no screenshot this time, but here you go:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * LAN Address 81 22 * * Anti-Lockout Rule
IPv4 * LAN net * * * * none Default allow LAN to any rule
IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
They all seem to be default, I don't recall making any changes here.
Thanks!
-
Ok for starters.. I don't see any wan rules that allow your forwards.
http://imgur.com/a/AYyVz
Did you uncheck create WAN rule when you created your NAT? None of those NATs show a linked rule. And I see only 1 WAN rule for 22 (ssh). So how would your 80 traffic be allowed?
Second, many ISPs block port 80.
Third, are you sure your pfSense WAN IP is public and not private? What is pfSense plugged into? A true modem where you get a public IP on pfSense, or actually a gateway that does NAT as well as being a modem?
-
Yep - It's not good. Time to start over with NAT rules.
(You actually have to click extra buttons and do extra work to mess up NAT this way)
-
It's amazing how so many mess up something that is so easy..
Click a + button put in your port and private IP = done. This auto creates the firewall rule that you need and the nat you need.
-
Good point. When I made the rules, I selected pass, I figured that meant pass the traffic to the internal IP. I deleted all my firewall and NAT rules, and recreated them, and I can now see that they have linked firewall rules, however my traffic still isn't working :( I know that my ISP isn't blocking port 80, because it was working with my old SOHO router. My IP is definitely a public IP, it doesn't match any of the class A, B, or C networks. Thanks for the reply :)
Yeah right you both are. Please see my reply above, I had selected pass instead of the default, which was 'Add associated filter rule'. My mistake, guess you learn something new every day! Thanks for the replies :)
-
Well sorry everyone, I feel like a buffoon. I forgot to update the default route on the web server, so that's why my ports were not working. After recreating the NAT rules, as suggested above, and fixing the route information, it's working perfectly now.
Thanks so much kejianshi, and johnpoz for all your assistance!
-
Don't feel I helped all that much. Sounds like you figured it out yourself. ;)
But you are welcome.
-
Are your other forwards working?
If you feel your rules are correct - then first thing to do is actually verify the traffic is reaching pfSense. It's quite possible your ISP just started blocking it? Verify pfSense sees the traffic, verify pfSense sends on the traffic..
So quick
It really is a no brainer – click, and done.. Post up your nat and wan rules..
Attached is my NAT, the WAN rule that the NAT created, and a quick test by doing a simple sniff on the WAN interface and the LAN interface.
edit: just noticed your other post that it is working ;) Guess no need for this post then - but hey, can leave it for the next guy on how to do a simple sniff and verify traffic seen at your WAN and then sent out your LAN.
This simple test would have pointed you to your web server right away, since you would have seen the packets go out to it, but it not answering..
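Added example, not part of the original post: the sniff-on-WAN-then-LAN check described above, written as a small script that reads two text captures and reports where the forward breaks. It assumes `tcpdump -n` style output lines; the addresses, ports and capture lines are constructed for illustration, and `diagnose` is a hypothetical helper name.

```python
import re

# Matches tcpdump -n TCP lines: "IP src.sport > dst.dport: Flags [..]"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def packets(capture):
    """Yield (src, sport, dst, dport, flags) for each parsable line."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def diagnose(wan_capture, lan_capture, server_ip, port):
    """Locate where a port forward breaks, from WAN and LAN sniffs."""
    # "S" is a bare SYN (new connection), "S." is the server's SYN-ACK.
    wan_syn = any(dport == port and flags == "S"
                  for _, _, _, dport, flags in packets(wan_capture))
    lan = list(packets(lan_capture))
    lan_syn = any(dst == server_ip and dport == port and flags == "S"
                  for _, _, dst, dport, flags in lan)
    lan_synack = any(src == server_ip and sport == port and flags == "S."
                     for src, sport, _, _, flags in lan)
    if not wan_syn:
        return "never reached WAN: ISP block or wrong public IP"
    if not lan_syn:
        return "seen on WAN, not sent on LAN: check NAT and its WAN rule"
    if not lan_synack:
        return "sent to server, no answer: check server route, firewall, listener"
    return "forward working"

# Constructed sample captures (documentation addresses, not from the thread).
WAN = """\
12:00:01.000001 IP 198.51.100.7.51514 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000004 IP 198.51.100.7.51514 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
"""
LAN_NO_REPLY = """\
12:00:01.000150 IP 198.51.100.7.51514 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000160 IP 198.51.100.7.51514 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
"""
LAN_OK = LAN_NO_REPLY + (
    "12:00:01.000400 IP 192.168.1.20.80 > 198.51.100.7.51514: "
    "Flags [S.], seq 9, ack 2, win 65160, length 0\n")

if __name__ == "__main__":
    print(diagnose(WAN, LAN_NO_REPLY, "192.168.1.20", 80))
    print(diagnose(WAN, LAN_OK, "192.168.1.20", 80))
```

The repeated SYN with no SYN-ACK in the LAN capture is the pattern that points at the web server rather than at pfSense.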
-
Haha thanks again for the detailed reply. That's a cool looking site too, I was using nmap from a cell phone, but that looks a lot more convenient :)
Thanks!