Netgate Discussion Forum

    Problem with NAT. Can't forward port from WAN to LAN.

    29 Posts 8 Posters 12.5k Views
      tarmenel

      Thank you. Thank you. Thank you. Thank you. Thank you. Thank you.
      You just solved my issue with the Virtual IP.
      I've spent weeks trying to get this working.

        wwatanabe

        Sorry if I can't post my question here, but I have a similar problem. I'm using pfSense 2.1.5 and it is working at all our other sites with NAT, Multi-WAN, etc. But now we have a customer where it's not working.

        "Yes, I had RTFM'd Port Forward Troubleshooting, but it has not helped. Tried Google, the forum, wiki, etc., and my brain is overheated, but I can't find a solution :c"

        Scenario:

        MODEM in Bridge Mode -> (WAN: VALID IP) PFSENSE (LAN: 192.168.10.252) -> LAN -> HOST (IP: 192.168.10.251)

        NAT
        Interface: WAN
        Protocol: TCP/UDP
        DST: WAN_Address
        DST Port: 43390
        Redirect: 192.168.10.251
        Redirect Port: 3389
        Create new associated filter rule

        WAN
        Pass
        Interface: WAN
        TCP/UDP
        From: Any
        DST: 192.168.10.251
        DST Port: 3389

        LAN
        Allow everything from LAN NET to ANY.

        ===================

        I tried other NAT rules but none of them work. VPN also doesn't work in this installation. I've tried with 2 different ISPs, one with a dynamic address and the other with a fixed IP. All of them in bridge mode and not blocking services. I've tried with another router and it works.

        ===================

        I ran tcpdump on one of our pfSense boxes where NAT is working and I have:

        http://pastebin.com/pJCBgX6x

        There is a return from the pfSense IP during communication.

        On this pfSense where NAT doesn't work, tcpdump shows:

        tcpdump -ni igb0 | grep 43390
        tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
        listening on igb0, link-type EN10MB (Ethernet), capture size 96 bytes
        22:55:12.593966 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [S], seq 1345026210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        22:55:15.591285 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [S], seq 1345026210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
        22:55:21.585046 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [S], seq 1345026210, win 8192, options [mss 1460,nop,nop,sackOK], length 0

        There is no return from the host.

        =================================

        I've tried everything. Initially I was using LoadBalance and two links; now I have disabled the second link and deleted the LoadBalance, and the problem persists.

        Any help?

        ========================

          Derelict LAYER 8 Netgate

          Check the default gateway on 192.168.10.251
          Check the software firewall on 192.168.10.251

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            wwatanabe

            Thanks for fast reply.

            I already did it. The gateway is pointing to 192.168.10.252, which is the LAN IP of pfSense.
            Firewall disabled.

            RDP access works fine from LAN.

              Derelict LAYER 8 Netgate

              Working from LAN means nothing.  Check the firewall on the host to be sure it allows connections from OTHER THAN LAN.

                wwatanabe

                The firewall on the host is disabled.

                The antivirus is disabled.

                I also tried with another Windows Server on the network, same problem.

                And tried with another service (DVR) on another host, same problem.

                Thanks for helping!
                Sorry for my poor English.

                  Derelict LAYER 8 Netgate

                  Well, there's not much else to a port forward, so it has to be something.  Does tcpdump on LAN show the SYNs going from 177.143.120.78 to 192.168.10.251:3389?  What states are created? (Diagnostics > States).

                  Load sharing…  Are you sure you have the port forward on the interface that has the IP specified?  Are the clients connecting to the right interface?

                    wwatanabe

                    I'm new to pfSense and tcpdump, sorry if this is not what you asked for.

                    I ran tcpdump and tried to connect with RDP.

                    ==================
                    em1 -> LAN

                    [2.1.5-RELEASE][root@host]/root(14): tcpdump -ni em1 | grep 192.168.10.251.3389
                    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                    listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
                    23:36:44.807796 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [S], seq 3165976847, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
                    23:36:44.807877 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [S.], seq 3448840707, ack 3165976848, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
                    23:36:44.832998 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
                    23:36:44.833113 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [R], seq 3448840708, win 0, length 0
                    23:36:44.839389 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
                    23:36:44.839444 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [R], seq 3448840708, win 0, length 0

                    ======================

                    [2.1.5-RELEASE][root@macfw001.macco.local]/root(12): tcpdump -ni em1 | grep 177.143.120.78
                    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                    listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
                    23:35:59.469877 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [S], seq 1760568614, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
                    23:35:59.469985 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [S.], seq 408005352, ack 1760568615, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
                    23:35:59.492434 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
                    23:35:59.492551 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0
                    23:35:59.505291 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
                    23:35:59.505347 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0
                    23:36:00.260803 IP 177.143.120.78.33622 > 192.168.10.251.59387: UDP, length 97
                    23:36:00.289429 IP 177.143.120.78.33622 > 192.168.10.251.59387: UDP, length 40
                    23:36:00.289537 IP 192.168.10.251.59387 > 177.143.120.78.33622: UDP, length 52
                    23:36:05.662522 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [S], seq 871328353, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
                    23:36:05.662592 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [S.], seq 939867809, ack 871328354, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
                    23:36:05.684492 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
                    23:36:05.684594 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [R], seq 939867810, win 0, length 0
                    23:36:05.691017 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
                    23:36:05.691078 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [R], seq 939867810, win 0, length 0
                    ^C189 packets captured
                    191 packets received by filter
                    0 packets dropped by kernel

                    =======================

                    There is just one LAN interface; it's connected to the LAN switch and all hosts are surfing OK, using pfSense as gateway, and Proxy/Squid/SquidGuard is working fine.

                    STATES with 177.143.120.78 (Filtered)

                    tcp  200.200.200.200:40022 <- 177.143.120.78:48036  ESTABLISHED:ESTABLISHED 
                    udp  177.143.120.78:33622 <- 192.168.10.251:59387  MULTIPLE:MULTIPLE 
                    udp  192.168.10.251:59387 -> 200.200.200.200:30913 -> 177.143.120.78:33622  MULTIPLE:MULTIPLE 
                    tcp  200.200.200.200:40443 <- 177.143.120.78:36373  TIME_WAIT:TIME_WAIT 
                    tcp  200.200.200.200:40443 <- 177.143.120.78:42641  ESTABLISHED:ESTABLISHED 
                    tcp  200.200.200.200:40443 <- 177.143.120.78:49046  TIME_WAIT:TIME_WAIT 
                    tcp  200.200.200.200:40443 <- 177.143.120.78:46285  ESTABLISHED:ESTABLISHED

                      wwatanabe

                      http://imgur.com/a/c5sDz

                      Image with the Rule and NAT.

                        Derelict LAYER 8 Netgate

                        I guess I give up.  I could do the same port forward 1000 times and it would work every time.

                        Your network is in an extremely insecure state right now.

                          Derelict LAYER 8 Netgate

                          It looks like the NAT is working, to me.  No idea why you can't establish a session.

                            wwatanabe

                            I put the network in this open situation for testing this NAT problem.

                            Thanks a lot for your help. I think I'll try to reinstall pfSense.

                            Regards,

                            Wellington

                              johnpoz LAYER 8 Global Moderator

                              "23:35:59.492551 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0"

                              Sure looks like the box you're trying to RDP to, which was correctly forwarded by pfSense, is sending RESET.

                              So what does that have to do with pfSense?? Why don't you download the sniff and open it in Wireshark.. But you need to look on the box to see why it's sending RESET!!

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                                Derelict LAYER 8 Netgate
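An added example, not code from this thread or from pfSense: a small Python classifier over tcpdump -n text like the captures posted above. It separates the "SYNs with no reply" pattern of the first WAN capture from the "SYN-ACK then RST from the host" pattern johnpoz points at on the LAN capture, and, going a step beyond the thread, also flags an RST without any SYN-ACK (nothing listening on the port). The sample lines are constructed from the captures in this thread with the tcpdump options fields dropped.

```python
import re
# tcpdump -n lines, constructed from the captures posted in this thread: the WAN capture
# (only repeated SYNs, no answer) and the LAN capture (SYN-ACK from the host, then RST).
SAMPLE_LINES = """\
22:55:12.593966 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [S], seq 1345026210, win 8192, length 0
22:55:15.591285 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [S], seq 1345026210, win 8192, length 0
23:36:44.807796 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [S], seq 3165976847, win 8192, length 0
23:36:44.807877 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [S.], seq 3448840707, ack 3165976848, win 16384, length 0
23:36:44.832998 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
23:36:44.833113 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [R], seq 3448840708, win 0, length 0
"""
# The "time IP a.b.c.d.port > e.f.g.h.port: Flags [..]" prefix tcpdump prints for TCP packets.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
def group_flows(text):
    """Group TCP lines into flows keyed by (client, server); the sender of the first
    packet seen is the client and each flow lists ("c2s" | "s2c", flags) in order."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # UDP lines, the tcpdump banner and packet counters are skipped
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        if (src, dst) in flows:
            flows[(src, dst)].append(("c2s", m["flags"]))
        elif (dst, src) in flows:
            flows[(dst, src)].append(("s2c", m["flags"]))
        else:
            flows[(src, dst)] = [("c2s", m["flags"])]
    return flows

def classify(packets):
    """Turn one flow's packet list into a verdict a port-forward troubleshooter can act on."""
    server = [flags for direction, flags in packets if direction == "s2c"]
    syn_ack = any("S" in f and "." in f for f in server)
    reset = any("R" in f for f in server)
    if not server:
        return "no-reply"       # SYNs never answered: forward, route or host firewall
    if syn_ack and reset:
        return "server-reset"   # handshake completed, then the host itself tore it down
    if syn_ack:
        return "established"
    return "refused" if reset else "other"   # RST without SYN-ACK: nothing listening

def diagnose(text):
    return {f"{c[0]}:{c[1]}->{s[0]}:{s[1]}": classify(p) for (c, s), p in group_flows(text).items()}
```

Feed it the output of `tcpdump -ni <interface>` saved to a file; a "server-reset" verdict means the forward and the reply path are fine and the investigation moves to the host, as the replies above say.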

                                Probably disallowing connections from foreign networks but he doesn't want to listen.  "It works fine from LAN."

                                  tom-- 1

                                  Hi farion

                                  Your Dropbox links are annoying, because they are no longer available, and therefore other users cannot benefit from this post: your pictures are missing now :-(

                                  It would help if you just attach pictures to your posts as other users are doing.

                                  Thanks a lot in advance,
                                  kind regards,
                                  Tom

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.