Firewall rules and NAT
-
Not really sure where to start but here's a brief outline of where I'm up to. I've got an old BT modem and I've successfully managed to get it configured with my pfSense box in the middle with a switch connecting my old BT Home Hub 5. Everything is connected to it and my wireless is also working fine.
Here's my problem: I've got a FreeNAS box also connected, on which I need to set up FTP access via a web browser for clients, and I also use it for Plex and various torrent applications. I can't for the life of me get any of the firewall rules or port forwarding to work. I've opened ports before on the old BT gear so I kind of know what I'm doing, however I'm wondering if this is some kind of config issue I'm not aware of?
Even just trying to open up port 80 with all manner of different configs brings me no luck when I use an online "port open tool".
Here's my config.
External IP: 86.186.195.19
gateway: 192.168.1.1
freenas: 192.168.1.16
My internal FTP server is on 192.168.1.16 (port 21).
So how should I have it configured to access my FTP server? As in the source, destination and destination port range?
Also one final thought, and I don't know if it makes any difference, but my WAN setup is PPPoE rather than DHCP.
Thanks in advance. :)
-
Wrong Tab.
First go to NAT->Port Forwarding and set up access there, tick automatic firewall rule generation (it will generate the linked firewall rule on WAN).
-
I've done it both ways, with all manner of setup options. Still no joy :(
-
I'm sure this has something to do with my config between the pfsense box and the old BT modem. I just can't get any ports to open. Is it possible the modem is locked down somehow?
-
If your modem is not running in bridge mode, there is a very good chance it's blocking the incoming connections.
-
Is there a way to test if it's in bridge mode? I don't think I can connect into it?
-
Is PFSense getting public or private IP address? I know you mentioned you have an "external" IP, but to me that does not indicate what IP you are actually being given.
-
It's a public IP as far as I'm aware. I've managed to set DDNS up with "No-IP" and I've noticed it change after a couple of reboots.
-
That 'modem' only has bridge mode unless you unlock it, which you haven't. ;) You have the correct public address on the pfSense WAN.
How are you testing the portforward? It must be tested from outside your network. See:
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
I would use some other DynDNS provider as No-IP give me endless trouble. You pretty much need to change your IP at least every 21 days or use their paid service.
Steve
-
Hi Stephen, the new EchoLife HG612 has just arrived this morning so I'm going to have a play with that later. As for the testing of port forwarding, I've been using http://www.canyouseeme.org/ I've tested ports in the past from my browser at home and this always seemed to be accurate? And I've actually got the paid service with No-IP as the 30-day limit was driving me nuts also. :)
One question: if I can get this HG612 into bridged mode, I take it I still need to set the WAN up in PPPoE and not DHCP? I'll just need to disable NAT and DHCP on it?
It also states it's using firmware version V100R001C01B028SP10, not sure if I need to flash it with a newer version?
Thanks again mate :)
-
All the Openreach modems are in fact routers that have been locked into bridge mode. Unless they have been unlocked you do not need to configure them at all. You should be able to talk to the BT end using PPPoE. You appear to have set that up successfully already since you have a public IP on your WAN.
Do you see anything in the firewall logs?
Please post screenshots of your firewall rules and port forwards.
Steve
-
I've installed the new HG612 modem and I still can't seem to get this working. I had to change a few of the settings initially to get my pfSense box to pick it up on the WAN. I wasn't sure if I needed to change the routing config on the modem as per the bottom attachments.
-
Here's the firewall log also. When I click the red x it states for all of them: @3 block drop in log inet all label default deny rule ipv4
-
You're seeing UDP blocked on WAN because your WAN rules only allow TCP.
-
I don't know if it can help but check your modem has firewall off.
-
All those firewall hits are just random traffic from the internet being blocked, correctly.
Were you trying to connect to the port forwards during the time that log was taken?
I've never had an unlocked HG612 to play with so I can't really advise you on that. However both my Openreach modems here have no problems passing traffic of any kind. It's hard to see how that could be playing much of a role here anyway since your public IP is on the pfSense WAN.
FTP can sometimes behave oddly anyway; I would test with HTTP to prove you have it working. All your screenshots look good to me though. :-\
The most likely explanation seems to be that the test traffic simply isn't arriving for whatever reason. Can you ask someone else to test externally? Or use a 3G connection etc.?
Steve
-
Yup. Your config looks good. You sure your provider isn't filtering inbound FTP/HTTP?
-
As soon as I put my HH5 back in and set that up as before I can get FTP working straight away, along with all the other rules I need. So it can't be the ISP. I've tried that many different firewall/port rule configs in pfSense that I'm sure it has something to do with the config between the HG612 and pfSense. I've spent hours with it now and I'm close to calling it a day. I'm thinking of getting one of these: http://www.draytek.com/index.php?option=com_k2&view=item&id=5240&Itemid=3810&lang=en It looks a bit more user friendly and made for the job.
-
I used their v120 with ADSL for a few years with great success. I wasn't aware of the v130 but I would expect it works well. However I doubt it will help with your issue. I can't believe the HG612 (especially one that's been unlocked) is doing anything by way of filtering.
Are you using the same PPP login details on the HH5 and in pfSense?
Incoming traffic on the WAN hits the port forwarder before the firewall, so if there are no hits in the firewall it could be being forwarded incorrectly.
Alternatively the port forward may be working correctly and the internal machine is not responding, or maybe has changed IP address. I see you're using an alias for the internal machines; what is that resolving to?
The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on WAN or LAN.
Steve
-
The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.
That's what I'd do next. Packet capture on WAN, look for SYN packets on TCP 80 or 21. If they're there, capture on LAN and you will see them leaving translated.
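The two-capture check described in the last two replies (SYNs arriving on WAN, then leaving LAN rewritten to the internal host), written up as an added example that is not part of the thread. It assumes tcpdump-style capture output from pfSense's Diagnostics > Packet Capture page; the capture lines below are constructed, using the public and FreeNAS addresses from the first post.

```shell
#!/bin/sh
# Constructed sample lines in the format tcpdump prints for a SYN-only filter such as
#   tcpdump -n -i <wan_if> 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 21)'
# Source host 203.0.113.7 is a made-up external tester (TEST-NET-3 range).
WAN_CAPTURE='12:00:01.000001 IP 203.0.113.7.51234 > 86.186.195.19.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.7.51235 > 86.186.195.19.21: Flags [S], seq 2, win 64240, length 0'
# On LAN only the port-80 SYN shows up, already translated to the FreeNAS box.
LAN_CAPTURE='12:00:01.000500 IP 203.0.113.7.51234 > 192.168.1.16.80: Flags [S], seq 1, win 64240, length 0'

# count_syn CAPTURE DST_IP PORT -> number of SYN packets addressed to DST_IP:PORT.
# grep -c exits 1 when the count is 0, so "|| true" keeps "set -e" callers alive.
count_syn() {
    printf '%s\n' "$1" | grep -c "> $2\.$3: Flags \[S\]" || true
}

# check_forward WAN_CAPTURE LAN_CAPTURE PUBLIC_IP INTERNAL_IP PORT
# Prints one of:
#   no-arrival     - no SYN for PUBLIC_IP:PORT reached the WAN (ISP/modem/tester problem)
#   not-translated - SYN arrived on WAN but never left LAN as INTERNAL_IP:PORT
#                    (port forward missing or pointing at the wrong alias/host)
#   forwarded      - SYN seen on both sides; if it still fails, look at the internal host
check_forward() {
    wan=$(count_syn "$1" "$3" "$5")
    lan=$(count_syn "$2" "$4" "$5")
    if [ "$wan" -eq 0 ]; then
        echo no-arrival
    elif [ "$lan" -eq 0 ]; then
        echo not-translated
    else
        echo forwarded
    fi
}

# Walk the two ports from the thread plus one nobody tested.
for port in 80 21 443; do
    printf 'tcp/%s: %s\n' "$port" \
        "$(check_forward "$WAN_CAPTURE" "$LAN_CAPTURE" 86.186.195.19 192.168.1.16 "$port")"
done
```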