Netgate Discussion Forum

Default Deny rule getting in the way

Firewalling | 12 Posts, 4 Posters, 7.8k Views
      johnpoz (LAYER 8 Global Moderator):

      "The Logs show this:
      May 11 17:49:53  WAN  10.0.0.254:11991  10.0.0.1:3389  TCP:S"

      "The port Alias contains TCP 1723 and 3391"

      You're not hitting the port you're wanting to use. Your block is to 3389, but your forward is for 1723 and 3391.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        jwoodward:

        Yeah, sorry, that's a mistype; the rules are for RDP port 3389. Idk where 3391 came from. This issue occurred with the PPTP port as well when selected from the list rather than typing in the number directly.

          johnpoz (LAYER 8 Global Moderator):

          Why would anyone be running PPTP?? It has been deprecated for years!! It has not been secure for some 5 years. pfSense finally even removed the PPTP VPN server. Nobody anywhere should be running PPTP still.

          As to RDP - this is just a BAD idea to allow from the internet. It should be done via a VPN connection. But if you really want to forward to something, then do so - forwarding will happen before the default deny.

            JKnott:

            Ummm…  The default deny is supposed to be the last rule, only run when all previous rules fail.  If you have a valid rule for what you want, you should never hit default deny.  Also, not having a default deny would let pretty much anything through, unless specifically blocked earlier.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              jwoodward:

              That's the thing about the Default deny rule… it doesn't actually list it. It's an "implied rule", so I can't move its position one way or the other, so I assume it's always the last on the list.

              As for PPTP, yes, I'm aware of its security status. There are reasons for it that I don't have to explain to people who aren't providing any useful information.
              As for RDP being open, yes, I am also aware of that as well. I purposefully close it off wherever possible with my clients, and if you actually took the time to read and comprehend the words I put in front of you, you would have seen this line: "The port Alias contains TCP 1723 and 3391, RDP being for testing purposes." RDP is open for testing because it's faster to get an obvious fail on RDP than a port scan or VPN handshakes. Not to mention, of course, the firewall is not in line while this is resolved, simply because they need access with the VPN and the router is handling it admirably until this is resolved.

              And before you go into "oh but not having a firewall is bad", yes, I am aware of that as well; that's why I'm trying to INSTALL pfSense and get it set up for them. I hope we've gotten the obvious shitposting complaints out of the way and can make with real assistance.

                Derelict (LAYER 8 Netgate):

                Post your NAT and firewall rule screen shots. It is pretty much impossible to tell if you are posting a port forward or an outbound NAT. If you are port forwarding it is pretty uncommon for the source address and the dest address to be on what appears to be the same subnet by the time it hits the firewall (NAT should have already occurred and the destination address should be the inside NAT target host address):

                The Logs show this:
                May 11 17:49:53  WAN  10.0.0.254:11991  10.0.0.1:3389  TCP:S

                If you are dealing with all inside traffic, I don't know why you're messing about with NAT at all.

                (The default deny is actually first in the list. It does not have quick set so other rules have the opportunity to pass traffic before it actually takes effect. If you want to see the actual rule set, /tmp/rules.debug is always there.)

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)
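The rule-ordering point above (default deny first, without "quick", so a later pass rule generated by the port forward can override it) is easier to see in code. The following is an added illustration, not code from the thread or from pfSense: a simplified model of pf's "last matching rule wins unless a matching rule is quick" evaluation, run over a constructed ruleset matching the thread's alias (TCP 1723 and 3391) and the quoted log line. Rule labels, the `Rule` class and the parser are assumptions for the demo.

```python
# Added example: simplified model of pf filter evaluation.
# pf walks every rule in order; the LAST matching rule decides, unless a
# matching rule has "quick", which stops evaluation right there. pfSense
# emits its default block rule first WITHOUT quick, so a later "pass quick"
# rule (such as the one a port forward generates) wins whenever it matches.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    quick: bool = False
    proto: Optional[str] = None    # None = any protocol
    dst: Optional[str] = None      # None = any destination
    ports: tuple = ()              # () = any destination port
    label: str = ""                # hypothetical label for the demo

    def matches(self, proto, dst, dport):
        return ((self.proto is None or self.proto == proto)
                and (self.dst is None or self.dst == dst)
                and (not self.ports or dport in self.ports))

def evaluate(rules, proto, dst, dport):
    """Return (action, label) of the rule that decides this packet."""
    decision = None
    for r in rules:
        if r.matches(proto, dst, dport):
            decision = (r.action, r.label)
            if r.quick:            # quick: stop at the first such match
                break
    return decision                # otherwise the last match stands

# Constructed ruleset modelled on the thread: default deny first (no quick),
# then the pass rule for the forward's port alias as originally posted.
RULESET = [
    Rule("block", quick=False, label="Default deny rule IPv4"),
    Rule("pass", quick=True, proto="tcp", dst="10.0.0.1", ports=(1723, 3391),
         label="NAT forward: PPTP/RDP alias"),
]

def parse_log_line(line):
    """Pull (proto, dst_ip, dst_port) out of a pfSense-style log line."""
    parts = line.split()   # date, time, iface, src:port, dst:port, proto:flags
    dst_ip, dst_port = parts[5].rsplit(":", 1)
    proto = parts[6].split(":")[0].lower()
    return proto, dst_ip, int(dst_port)

def decide_for_log(line, rules=RULESET):
    return evaluate(rules, *parse_log_line(line))

LOGLINE = "May 11 17:49:53  WAN  10.0.0.254:11991  10.0.0.1:3389  TCP:S"
```

The quoted log line lands on the default deny because 3389 is not in the alias, while a packet to 3391 is decided by the pass rule; a block rule with `quick` in the first position would instead stop every packet.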

                  johnpoz (LAYER 8 Global Moderator):

                  "people who aren't providing any useful information"

                  That would be yourself brah ;)

                  Where are your screenshots of your port forward? And WAN rules… What you're saying is just not possible. Creating the port forward, and then hitting the correct port, would not hit the default deny. So either you didn't hit the port of your forward, like your example with 3891 and 3889, or there's a typo in your forward - yeah, that would do it.

                  As Derelict asks - post up screenshots.

                    jwoodward:

                    Sorry Derelict, I guess I wasn't quite as clear as I thought I was in my OP. Essentially it's going to be double NAT in the end: Internet > Router > Firewall > Internal, going from public IP to 10.0.0.1/24 between the router and firewall, then to 192.168.10.1/24 for internal after the firewall.

                    Attached are the screens for the forward, NAT, and both Alias pages.

                    Had to check to see if I was just missing the deny, but first/last/somewhere in the middle, I guess, doesn't matter much when it's not listed at all.

                    Please feel free to mock me a bit more if it was stupidly obvious what I did wrong. I'd expect it, since it's the first time I've ever used the pfSense firewall.

                    Attachments: Rules.png, Server Alias.png, Port Alias.png, Forward.png

                      johnpoz (LAYER 8 Global Moderator):

                      Your first port forward needs a dest of your WAN address. And what exactly is dest LAN address on your port forward supposed to do??

                        jwoodward:

                        Ah, that was probably changed during the testing I was doing trying to figure out what was going on. Set the destination to the WAN address. The LAN address is the server that's handling the RDP/PPTP traffic.

                        Attempted connection with RDP after the change with my laptop connected to the WAN port. Directed traffic at the WAN address of the pfSense, failure once again. Nmap scanned the WAN address, no open ports.

                          Derelict (LAYER 8 Netgate):

                          Then the destination host:
                            - Has a default gateway set that is not pfSense
                            - Has a local firewall preventing the traffic

                          Check (really check) everything on this list:

                          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
