Not forwarding back packets through NAT firewall
-
@KOM:
Hmm. Did you also add your TCP 22 rule to WAN? Are you running any extra packages like Snort or pfBlocker? Which version of pfSense? This should just work.
No extra packages, straight up default install besides configuring interfaces and the firewall rules. pfsense 2.2.2-RELEASE (amd64).
Here are my WAN rules.
-
Anything in Status - System logs - Firewall when you run your tests? This is literally dead-simple. Any particular reason you're not using 2.2.4? Not that I'm aware of any such issue in 2.2.2, but I always prefer to debug on current versions so you aren't chasing ghosts that have already been fixed in updated versions.
-
@KOM:
Anything in Status - System logs - Firewall when you run your tests? This is literally dead-simple. Any particular reason you're not using 2.2.4? Not that I'm aware of any such issue in 2.2.2, but I always prefer to debug on current versions so you aren't chasing ghosts that have already been fixed in updated versions.
Right? I figured it'd be super easy to do, just not sure why it's not. I'm only using 2.2.2 because that's what my ISO is when I installed.
I cleared the firewall logs and then ran my FTP and SSH tests, and nothing is really showing up.
-
Are you doing this on physical machines or virtual machines?
-
@KOM:
Are you doing this on physical machines or virtual machines?
pfsense and everything in the 10.0.0.x network would be virtual machines under the same host. 192.168.1.x are all physical. Here's my network configuration on the ESX host.
-
Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.
Then the problem is on your FTP server. Local firewall? Is FTP even running?
FTP is running, I can connect to it from boxes in my 10.0.0.x range. No local firewall running. But even so, I'm trying with more than just FTP.
It doesn't matter. You said the FTP server receives the SYN and nothing else happens. There is nothing your firewall can do to make your FTP server return a SYNACK.
So either I misunderstood what you were saying or you're chasing phantoms in your firewall when you should be looking at the server.
-
Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.
Then the problem is on your FTP server. Local firewall? Is FTP even running?
FTP is running, I can connect to it from boxes in my 10.0.0.x range. No local firewall running. But even so, I'm trying with more than just FTP.
It doesn't matter. You said the FTP server receives the SYN and nothing else happens. There is nothing your firewall can do to make your FTP server return a SYNACK.
So either I misunderstood what you were saying or you're chasing phantoms in your firewall when you should be looking at the server.
Well, true. But I'm still getting the same results with SSH as well, no connection is being made. There's no host based firewall, and computers in the same network can make connections, so I'm guessing it's something within pfsense that's not working.
-
Dude. If you saw the SYN go to the server and nothing came back out IT'S NOT PFSENSE!
Likely cause 1: There is a local firewall on the server. (you don't see the SYNACK because the server is dropping the SYN)
Likely cause 2: pfSense is not the default gateway on the server. (you don't see the SYNACK because it's going out another interface)
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
Dude. If you saw the SYN go to the server and nothing came back out IT'S NOT PFSENSE!
Likely cause 1: There is a local firewall on the server. (you don't see the SYNACK because the server is dropping the SYN)
Likely cause 2: pfSense is not the default gateway on the server. (you don't see the SYNACK because it's going out another interface)
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
1. There's no firewall on the machine. No iptables rules. Nada. Other machines inside the network can access FTP/SSH/ncat on the machine.
2. If you look at the following screenshot, you'll see that pfsense (10.0.0.1) is the default route and gateway on the FTP/SSH machine I'm trying to test on.
-
Don't know then. If the SYN is getting to the server and no SYNACK is coming out, it's not the firewall. It sent the SYN like it's supposed to.
-
The question now is, is the SYNACK from server being blocked, or is it not even being sent? Where are you doing your packet capture? On one of pfSense's interfaces or the server? Do you know that the server is receiving the initial SYN at all?
-
@KOM:
The question now is, is the SYNACK from server being blocked, or is it not even being sent? Where are you doing your packet capture? On one of pfSense's interfaces or the server? Do you know that the server is receiving the initial SYN at all?
If you take a look at the images in my first post, you'll see one with Wireshark running, and another with two Putty instances. Wireshark is running on my Kali Linux box which is where the FTP server is living. From there you can see the SYN being accepted on the box, but no SYNACK being sent. The two Putty instances are SSH to the pfsense box, and have tcpdump running on both the WAN and LAN interfaces looking at port 21. There's some traffic going through there as you can see.
-
This just gets weirder and weirder. If you're doing the capture on the server itself, and you can see the incoming SYN from the client but no corresponding SYNACK from the server, then pfSense has nothing to do with it. Are you absolutely positive that you don't have some firewall on the box that is refusing to talk to anything non-local?
-
Agree with KOM on that for sure.. If your sniffing on the actual server and you see a syn and no syn,ack back then that has nothing to do with anything other than that server. Be it a firewall that never let the syn get to the application, or application not even running or listening on that port the syn went to. Or it sent it out a different interface, or firewall blocking the outbound traffic from that application, etc.
But for sure its the box.. unless for some reason that syn was so malformed that was not answered. Which seems very far fetched.
