Netgate Discussion Forum
    Port forwarding problem - doesn't forward

    Category: NAT
    7 Posts 3 Posters 1.7k Views

      tolecnal

      Hello there,

      I'm having a strange issue where port forwarding just doesn't work.
      I've gone over my config a dozen times, but I just can't see where the
      culprit is.

      Setup is as follows:

      VMware host with two NICs (both E1000), each bonded to its own
      physical NIC on the server.
      WAN: xxx.xxx.xxx.187/29 - gateway: xxx.xxx.xxx.185
      LAN: xx.yy.48.250/16

      I've added an allow ICMP on WAN, and I've verified the following:

      • PING from the outside works
      • pfSense can ping external hosts on WAN, as well as hosts on LAN

      Here is a packet capture with medium detail, trying to establish a
      connection on port 80 with an active port forward configured on the
      pfSense.

      11:49:38.315771 IP (tos 0x0, ttl 121, id 20052, offset 0, flags
      [none], proto TCP (6), length 52)
          xx.xxx.157.15.62546 > yyy.yyy.yyy.187.80: Flags [s], cksum 0x3ab8
      (correct), seq 800729292, win 8192, options [mss 1460,nop,wscale
      8,nop,nop,sackOK], length 0
      11:49:38.315826 IP (tos 0x0, ttl 121, id 20053, offset 0, flags
      [none], proto TCP (6), length 52)
          xx.xxx.157.15.59845 > yyy.yyy.yyy.187.80: Flags [s], cksum 0xd415
      (correct), seq 1832148097, win 8192, options [mss 1460,nop,wscale
      8,nop,nop,sackOK], length 0
      11:49:38.558729 IP (tos 0x0, ttl 121, id 20064, offset 0, flags
      [none], proto TCP (6), length 52)
          xx.xxx.157.15.53359 > yyy.yyy.yyy.187.80: Flags [s], cksum 0xe901
      (correct), seq 3693933042, win 8192, options [mss 1460,nop,wscale
      8,nop,nop,sackOK], length 0
      
      As I can see from the packet capture, the only traffic I see is
      between the external host and the WAN IP, no traffic is being passed
      to the internal host on the LAN segment.
      
      These are my port forward rules:
      
      If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports    NAT IP       NAT ports      Description
      WAN  TCP    *          *           WAN address  80 (HTTP)      xx.yy.48.57  80 (HTTP)
      WAN  TCP    *          *           WAN address  3389 (MS RDP)  xx.yy.48.55  3389 (MS RDP)  Allow RDP
      WAN  TCP    *          *           WAN address  22 (SSH)       xx.yy.48.57  22 (SSH)       Allow SSH
      
      Of course, running 2.1.3, the associated firewall rules have been added
      and are linked.
      
      I just can't see where I'm going wrong, and why this doesn't work. Any
      suggestions or anything either of you can see wrong?
      
      -- 
      Yours sincerely Jostein Elvaker Haande
      "A free society is a place where it is safe to be unpopular"
      - Adlai Stevenson
      
      http://tolecnal.net -- tolecnal at tolecnal dot net
      
        viragomann

        Have you changed the WebConfigurator's port? The default setting is port 80. If you don't change the port, the primary WAN address:80 will not be forwarded, but additional addresses on WAN will be.

        @tolecnal:

        LAN: 10.58.48.250/16 - gateway: 10.58.48.1

        If pfSense itself is your LAN gateway you must not set it up in pfSense.

          tolecnal

          I've tried to port forward other ports as well, such as RDP (3389), SSH (22), HTTPS (443) and a few others and none of them work. I see the traffic hitting the WAN interface, but it isn't getting forwarded.

            tolecnal

            I can also add the following information:

            • When enabling logging on the associated rules, I can see from the firewall logs that it's being accepted

            • Packet capture on the LAN side reveals no traffic being passed on from WAN

            • There are NO floating rules

            • When SSH'ing to the pfSense, I can telnet to the services running on the LAN

            I just can't understand why this is failing.

              johnpoz (LAYER 8 Global Moderator)

              LAN: xx.yy.48.250/16

              So this is a public address?  Why are you blocking out the first 2 octets if private?

              LAN is a /16; for all we know you have overlap in your LAN and WAN?

              You didn't put a gateway on your LAN interface, did you?  Is your LAN RFC1918 space or public space that is routed to you?  If it's public space routed to you, why are you NATting it?

              Port forwarding would be for when you NAT; if you're just routing then you should make sure NAT is off, and just use firewall rules to allow the traffic you want to go through.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                tolecnal

                @johnpoz:

                LAN: xx.yy.48.250/16

                So this is a public address?  Why are you blocking out the first 2 octets if private?

                LAN is a /16; for all we know you have overlap in your LAN and WAN?

                You didn't put a gateway on your LAN interface, did you?  Is your LAN RFC1918 space or public space that is routed to you?  If it's public space routed to you, why are you NATting it?

                Port forwarding would be for when you NAT; if you're just routing then you should make sure NAT is off, and just use firewall rules to allow the traffic you want to go through.

                LAN is 10.58.0.0/16, and the reason I've blocked it is simply because it's rather common to obfuscate configuration information when posting to public forums.

                There is no overlap between the WAN and LAN interfaces, as the WAN has a publicly routed IP while the LAN segment resides on a private address space. As for a gateway on the LAN interface, none has been set (was at some point, but for testing purposes).

                Seeing as I can't route the traffic directly, and I'm dealing with both public and private address space, I've had to set up NAT. I've set up several dozen pfSense installations over the years, and NAT-ing is normally a walk in the park, but not with this setup.

                  johnpoz (LAYER 8 Global Moderator)

                  "simply because it's rather common to obfuscate configuration information when posting to public forums."

                  Not when it's RFC1918, and if you did want to hide it a bit, showing 10.x.x.250/16 would have shown it's private space, etc. and a different network.

                  " I've had to set up NAT"

                  Out of the box NAT would be active - you should not have had to do anything..  If you did, it seems you might have done it wrong.

                  Out of the box public IP on wan, private on lan there would be nothing to really setup.  Bing bang zoom up and running.

                  I would suggest checking for host firewalls - but you state "no traffic is being passed to the internal host on the LAN segment."

                  Your 80 is a bad example if you're running the web GUI on that port on pfSense..  I would check with SSH, so from outside you see packets at WAN but nothing leaving the LAN interface..  Then you've got a configuration problem with pfSense.  Is your NAT set to automatic?  You mention you can ping hosts from pfSense and see packets from WAN..  Are hosts actually using pfSense for internet and as their default gateway?  And this is working?  If clients are not pointing to pfSense as their default gateway then your forwards are not going to work because of asynchronous routing.

                  But you say you're not seeing the packets even go to the client when you sniff on the LAN interface of pfSense?  So it couldn't even be that.


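Added here as a worked example of the WAN-versus-LAN capture comparison johnpoz suggests (this is not code from the thread or from pfSense): it parses tcpdump verbose output in the format of the capture in the first post and lists the SYNs that reached the WAN address on the forwarded port but never left the LAN interface rewritten to the forward target. The addresses are constructed documentation-range stand-ins for the thread's obfuscated ones, and the LAN capture is constructed to show one forwarded SYN and two missing ones.

```python
import re
from collections import namedtuple

Syn = namedtuple("Syn", "src sport dst dport seq")

# Constructed stand-ins for the thread's obfuscated capture: 203.0.113.15 is the outside
# client, 198.51.100.187 the pfSense WAN address, 10.58.48.57 the LAN web server.
WAN_CAPTURE = """\
11:49:38.315771 IP (tos 0x0, ttl 121, id 20052, offset 0, flags [none], proto TCP (6), length 52)
    203.0.113.15.62546 > 198.51.100.187.80: Flags [S], cksum 0x3ab8 (correct), seq 800729292, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:49:38.315826 IP (tos 0x0, ttl 121, id 20053, offset 0, flags [none], proto TCP (6), length 52)
    203.0.113.15.59845 > 198.51.100.187.80: Flags [S], cksum 0xd415 (correct), seq 1832148097, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:49:38.558729 IP (tos 0x0, ttl 121, id 20064, offset 0, flags [none], proto TCP (6), length 52)
    203.0.113.15.53359 > 198.51.100.187.80: Flags [S], cksum 0xe901 (correct), seq 3693933042, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""
# LAN-side capture (constructed): a working forward repeats each SYN with the destination
# rewritten to the target; here only the first one made it through, the thread's symptom.
LAN_CAPTURE = """\
11:49:38.315790 IP (tos 0x0, ttl 120, id 20052, offset 0, flags [none], proto TCP (6), length 52)
    203.0.113.15.62546 > 10.58.48.57.80: Flags [S], cksum 0x5c1e (correct), seq 800729292, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# Matches the second line of a tcpdump -v TCP record; the flags group is compared
# case-insensitively because the forum copy of the capture shows "Flags [s]".
RECORD = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"Flags \[(?P<flags>[^\]]*)\].*? seq (?P<seq>\d+)")

def parse_syns(capture):
    """Extract every TCP SYN (src, sport, dst, dport, seq) from tcpdump -v text."""
    return [Syn(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["seq"]))
            for m in RECORD.finditer(capture) if m["flags"].upper() == "S"]

def unforwarded_syns(wan_capture, lan_capture, wan_ip, port, target_ip):
    """Return WAN-side SYNs to wan_ip:port that never showed up on LAN rewritten to
    target_ip:port. The TCP sequence number survives NAT, so (src, sport, seq)
    identifies the same SYN on both interfaces."""
    lan_seen = {(s.src, s.sport, s.seq) for s in parse_syns(lan_capture)
                if s.dst == target_ip and s.dport == port}
    return [s for s in parse_syns(wan_capture)
            if s.dst == wan_ip and s.dport == port
            and (s.src, s.sport, s.seq) not in lan_seen]
```

Feed it the text of two simultaneous captures (Diagnostics > Packet Capture on WAN and on LAN, or tcpdump -v on each interface) taken while connecting from outside; an empty result means every SYN was translated and passed, so the remaining suspects are the target host rather than the firewall.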
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.