Firewall rules and NAT
-
Here is the firewall log also… When I click the red x it states for all of them: @3 block drop in log inet all label default deny rule ipv4
-
You're seeing UDP blocked on WAN because your WAN rules only allow TCP.
-
I don't know if it can help but check your modem has firewall off.
-
All those firewall hits are just random traffic from the internet being blocked, correctly.
Were you trying to connect to the port forwards during the time that log was taken?
I've never had an unlocked HG612 to play with so I can't really advise you on that. However both my Openreach modems here have no problems passing traffic of any kind. It's hard to see how that could be playing much of a role here anyway since your public IP is on the pfSense WAN.
FTP can sometimes behave oddly anyway, I would test with HTTP to prove you have it working. All your screenshots look good to me though. :-\
The most likely explanation seems to be that the test traffic simply isn't arriving for whatever reason. Can you ask someone else to test externally? Or use a 3g connection etc?
Steve
-
Yup. Your config looks good. You sure your provider isn't filtering inbound ftp http?
-
As soon as I put my HH5 back in and set that up as before I can get FTP working straight away, along with all the other rules I need. So it can't be the ISP. I've tried that many different firewall/port config rules in pfSense that I'm sure it has something to do with the config between the HG612 and pfSense. I've spent hours with it now and I'm close to calling it a day. I'm thinking of getting one of these: http://www.draytek.com/index.php?option=com_k2&view=item&id=5240&Itemid=3810&lang=en It looks a bit more user friendly and made for the job.
-
I used their v120 with adsl for a few years with great success. I wasn't aware of the v130 but I would expect it works well. However I doubt it will help with your issue. I can't believe the hg612 (especially one that's been unlocked) is doing anything by way of filtering.
Are you using the same ppp login details on the HH5 and in pfSense?
Incoming traffic on the WAN hits the port forwarder before the firewall so if there are no hits in the firewall it could be being forwarded incorrectly.
Alternatively the port forward may be working correctly and the internal machine is not responding or maybe has changed IP address. I see you're using an alias for the internal machines, what is that resolving to?
The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.
Steve
-
The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.
That's what I'd do next. Packet capture on WAN, look for SYN packets on tcp 80 or 21. If they're there, capture on LAN and you will see them leaving translated.
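The WAN/LAN capture check described in the two posts above, as an added example that is not from the thread: a small Python script that parses constructed tcpdump one-line output and, for each inbound SYN to a forwarded port seen on WAN, confirms the same connection appeared on LAN with the destination rewritten to the internal host. The WAN address, interface name, capture lines and port-to-host map are made-up sample values.

```python
import re

# Capture commands this script is meant to post-process (em0/em1 are assumed
# interface names; the filter keeps only SYN packets to the forwarded ports):
#   tcpdump -ni em0 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 21)'
#   tcpdump -ni em1 'tcp[tcpflags] & tcp-syn != 0 and (port 80 or port 21)'
# Minimal parser for tcpdump's default line, e.g.
#   12:00:01.000100 IP 203.0.113.7.51234 > 198.51.100.10.21: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(line):
    """Return src/dst address, ports and TCP flags, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def inbound_syns(lines, ports):
    """Pure SYNs (new connection attempts) to one of the forwarded ports."""
    return [p for p in map(parse, lines) if p and p["flags"] == "S" and p["dport"] in ports]

def check_forward(wan_lines, lan_lines, wan_ip, nat_map):
    """For every SYN to the WAN IP on a forwarded port, report whether the same
    connection (same source IP/port) left on LAN with dst rewritten to the host
    in nat_map {port: internal_ip}. False means the forward never translated it."""
    ports = set(nat_map)
    on_lan = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in inbound_syns(lan_lines, ports)}
    results = {}
    for p in inbound_syns(wan_lines, ports):
        if p["dst"] != wan_ip:
            continue  # not aimed at our public address
        expected = (p["src"], p["sport"], nat_map[p["dport"]], p["dport"])
        results[(p["src"], p["sport"], p["dport"])] = expected in on_lan
    return results

# Constructed sample captures: the FTP test is translated, the HTTP test is not,
# and the telnet probe is just the usual internet noise (ignored).
WAN_IP = "198.51.100.10"
NAT = {21: "192.168.1.16", 80: "192.168.1.40"}
WAN_CAP = [
    "12:00:01.000100 IP 203.0.113.7.51234 > 198.51.100.10.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000200 IP 203.0.113.7.51235 > 198.51.100.10.80: Flags [S], seq 2, win 64240, length 0",
    "12:00:03.000300 IP 192.0.2.9.40000 > 198.51.100.10.23: Flags [S], seq 3, win 1024, length 0",
]
LAN_CAP = [
    "12:00:01.000400 IP 203.0.113.7.51234 > 192.168.1.16.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000900 IP 192.168.1.16.21 > 203.0.113.7.51234: Flags [S.], seq 100, ack 2, win 65535, length 0",
]
```

Running `check_forward(WAN_CAP, LAN_CAP, WAN_IP, NAT)` on the sample gives True for the port 21 attempt and False for port 80, which is the "forwarded incorrectly or not at all" case the thread is chasing.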
-
Ok so I've got a little further today, I've managed to open up port 21 to enable public access to my ftp server but a few things are confusing me slightly. I tested the port was open with an online port check program and it came back good, but when I entered the ftp address I couldn't access it from within my home network. My friend tested it from his house and could see it fine. I know I can access it by entering the ip address internally but beforehand with the old BT Home Hub I could still see it by entering the ftp address. Not that it matters but I was just curious as to why this was?
My main issue now is that I can't seem to do the same for other ports? The only other port I've managed it with is https port 443.
Home PC - 192.168.1.40
FreeNAS server - 192.168.1.16
I tried with http port 80 for example and I forwarded it to my PC and then also to the NAS as I'd had success that way with the ftp but it won't open?
-
The reason you can't test it from inside the network is this:
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
There are some workarounds on that page.
The second rule forwarding port 80 will never be hit because all traffic will be caught by the first rule.
What are you running on the Home PC that's responding on port 80? Is it responding?
Steve
-
Hi and thanks again Stephen :)
I'm not running anything on port 80, I just wanted to see if I could open it and then see it open in canyouseeme.org. The only other thing I need to get working now really are a few jails that are installed on my FreeNAS system, like Transmission and SABnzbd. Here's how it's set up for example:
FreeNAS 192.168.1.16
Transmission Jail 192.168.1.3:9091
SABnzbd jail 192.168.1.6:8080
I think before on the Home Hub I just opened ports 9091 and 8080 and then forwarded them to the jail IPs, but this doesn't seem to be working this time. I'm getting myself confused if I need to forward these to the FreeNAS IP or the jails now!! arghh :-\
I did create another thread… thought it best to keep that part separate from this....
https://forum.pfsense.org/index.php?topic=86485.0
-
Ah, well if there is nothing responding it might not show any differently. It depends how it's being tested. The default action of the pfSense firewall is to silently drop unsolicited incoming traffic. If it's forwarded to a machine that isn't listening on the port it may respond as closed. You would see that using a scan such as Shields Up.
Steve
-
Ah, that would explain it… I guess this is where pfSense works differently from my old router?
-
Yes, possibly though I wouldn't have expected it to. Hard to say without testing the HH5. :-\
Steve
-
No matter what port I opened up on the HH5, regardless of whether it was in use or not, I could always get a "port open" response from http://www.canyouseeme.org/.
-
Conversely I have three high numbered ports open here and it can only 'see' one of them. It sees a port forwarded to a Skype phone. It doesn't see a Skype port forwarded to a machine that's currently off (as expected). It doesn't see my OpenVPN server even though it's definitely listening.
Steve