Port forwarding
-
Hi
I tried to configure the forwarding of a port from a wan address to a specific internal address and everything works.
But if I restrict access to a single public IP it does not work.
I entered the public ip as a single host.
What did I do wrong?
-
Maybe you didn't clear existing states.
How did you test? From where?
-
"Maybe you didn't clear existing states.
How did you test? From where?"
Thanks
Yes, I have cleared existing states but nothing changed... :'(
I have tested from the public IP address that I inserted as single host.
-
You're going to have to post your rules and forward if you want us to try and help you figure out what you're doing wrong.
-
"You're going to have to post your rules and forward if you want us to try and help you figure out what you're doing wrong."
Oh yes, this is my configuration:
I have a wan card with address 10.10.10.2
I have a router with address 10.10.10.1
Card LAN network with address 192.168.4.0
Internal server address 192.168.4.180
External ip address 11.11.11.20
Now :
Firewall Nat rule
Interface: WAN
Protocol: TCP
Source Address: 11.11.11.20
Source Ports: *
Dest. Address: WAN address
Dest. Ports: 22 (SSH)
NAT IP: 192.168.4.180
NAT Ports: 22 (SSH)
Only if I remove 11.11.11.20 and leave it blank can I connect to port 22.
That's all.
Thanks
-
Then your connection is not arriving at the destination sourced from 11.11.11.20.
Look at the firewall logs and packet capture if necessary to confirm.
-
Is your WAN IP public, or is it one of those RFC1918 10.x addresses? Is your WAN behind a NAT?
Yes, you need to validate with your sniff on WAN that traffic is actually hitting your WAN IP from the source IP you think it should be hitting from.
"Card LAN network with address 192.168.4.0"
You mean that is your network and your pfSense LAN IP is .1-254? Or are you using something other than /24 for your mask? With /24, .0 is not really a valid host IP for your interface.
-
"Then your connection is not arriving at the destination sourced from 11.11.11.20"
--> Yes, I confirm it is
"Is your WAN IP public, or is it one of those RFC1918 10.x addresses? Is your WAN behind a NAT?"
Yes, it is a public address - mask 29
These are the packet capture logs:
10:50:13.997467 IP 10.10.10.1.10245 > 10.10.10.2.22: tcp 0
10:50:17.007331 IP 10.10.10.1.10245 > 10.10.10.2.22: tcp 0
10:50:23.010462 IP 10.10.10.1.10245 > 10.10.10.2.22: tcp 0
10:52:01.427962 IP 10.10.10.1.23525 > 10.10.10.2.22: tcp 0
10:58:09.221989 IP 10.10.10.1.29824 > 10.10.10.2.22: tcp 0
11:04:45.090509 IP 10.10.10.1.3114 > 10.10.10.2.22: tcp 0
11:16:36.269870 IP 10.10.10.1.17859 > 10.10.10.2.22: tcp 0
11:20:02.465954 IP 10.10.10.1.2250 > 10.10.10.2.22: tcp 0
Firewall log -- nothing
-
"10.10.10.1.1024"
Sorry, but that is not 11.11.11.20, so why would it be forwarded?
Obfuscating addresses is not going to let us help you, especially when you change it to be something that clearly would not work per your rule. That IP, from what you stated, is your WAN gateway IP, not some public IP 11.11.11.20.
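
The check the replies above ask for, as an added example that is not part of the original thread: parse tcpdump-style lines from the WAN capture and compare the source addresses that actually arrive with the source set on the port forward. The function names are hypothetical, the capture lines are three of those posted above, and the "upstream translation" verdict is an inference from seeing a private source address.

```python
import ipaddress
import re
from collections import Counter

# Three of the capture lines posted in the thread (taken on the pfSense WAN).
CAPTURE = """\
10:50:13.997467 IP 10.10.10.1.10245 > 10.10.10.2.22: tcp 0
10:52:01.427962 IP 10.10.10.1.23525 > 10.10.10.2.22: tcp 0
11:20:02.465954 IP 10.10.10.1.2250 > 10.10.10.2.22: tcp 0
"""

# tcpdump prints "addr.port", so the last dotted field is the port.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def observed_sources(capture, dst_port):
    """Count the source IPs of packets addressed to dst_port."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["dport"]) == dst_port:
            counts[ipaddress.ip_address(m["src"])] += 1
    return counts


def check_rule_source(capture, rule_source, dst_port):
    """Return (source, packets, verdict) for each source seen on WAN."""
    allowed = ipaddress.ip_network(rule_source, strict=False)
    findings = []
    for src, n in observed_sources(capture, dst_port).items():
        if src in allowed:
            verdict = "matches rule source"
        elif src.is_private:
            # Inference: a private source on WAN suggests upstream translation.
            verdict = "no match: RFC1918 source, likely translated upstream"
        else:
            verdict = "no match: different public source"
        findings.append((str(src), n, verdict))
    return findings


if __name__ == "__main__":
    for src, n, verdict in check_rule_source(CAPTURE, "11.11.11.20", 22):
        print(f"{src}: {n} packet(s), {verdict}")
```
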