Netgate Discussion Forum

    NAT Port-Forwarding

chieh @kpa

      @kpa
Hi Sir, I don't understand "This condition will never be satisfied because the client will be using a randomized TCP source port as per the TCP standard".
The IP of my Win7 client is static.

Derelict (LAYER 8, Netgate)

        Because when a node makes a connection it will randomly choose an ephemeral port to source the connection from - generally between 1024 and 65535. The destination port is HTTP (80).

        By setting a source port on your rules, the rule will only match if the source and destination ports are both 80. 80 cannot be a source port - ever - because the ephemeral source ports start at 1024.

You had to click Advanced and then ignore this: "Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port." to get where you are right now - broken.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

jahonix @chieh

@chieh said in NAT Port-Forwarding:

The IP of my Win7 client is static.

A TCP port (e.g. port 80 / HTTP) is something completely different from an IPv4 address.

chieh

Dear all, these are some questions I'm confused about.

I understand the client's web server is on port 80, so I changed the port of my pfSense WAN port to 9443.
Is it wrong?

And you say that the NAT protocol port of pfSense is random, so I can't set the specific port for my lab?

Derelict (LAYER 8, Netgate)

              JUST DON'T SET A SOURCE PORT RANGE IN YOUR PORT FORWARD! CHANGE THEM TO ANY!

jahonix

                It's not that difficult...

[image: NAT HTTP to local host.png]

chieh

It seems not difficult, but I tried it. It doesn't work either.
[image: screenshot]

And now I can't connect to my web GUI with my WAN port.
[image: screenshot]

That's another interesting setting. I can use RDP via NAT.
[image: screenshot]

jahonix @chieh

                    @chieh said in NAT Port-Forwarding:

It seems not difficult, but I tried it. It doesn't work either.

                    So you have something else broken as well. You seem effective in doing so.

                    @chieh said in NAT Port-Forwarding:

And now I can't connect to my web GUI with my WAN port.

                    That has nothing to do with your previous problem but it's great to hear!
                    -> you DO NOT want the pfSense UI on the public internet. You don't!
                    If you need access from non-local sites then use a VPN.

                    @chieh said in NAT Port-Forwarding:

That's another interesting setting. I can use RDP via NAT.

                    You can but you don't want to. Same as pfSense UI, you do not want to expose RDP to the internet. Use a VPN instead.

johnpoz (LAYER 8, Global Moderator)

Going to repeat jahonix's warnings - you do NOT want to open the web GUI to the public, nor would you want to allow RDP into your network. A VPN is the better choice here.

If your RDP port forwarding is working, then look at why your HTTP is not.. Maybe HTTP (80) is not even getting to your WAN? Maybe the host you're forwarding to is not even listening on 80, maybe it has a host firewall?

Here is the troubleshooting guide for port forwarding.
https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

I can tell you from being here for 10-some years that 99.99999999% of the time port forwarding problems are PEBKAC..

With basic troubleshooting it should take you all of 2 minutes to find out what is not correct for the forward to work.. Step 1, if you feel the forward is correctly done, is to validate that the traffic you're trying to forward actually gets to the pfSense WAN. Packet Capture is simple enough to do from the Diag menu. Impossible for pfSense to forward something it never sees.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

chieh @johnpoz

@johnpoz - you do NOT want to open the web GUI to the public, nor would you want to allow RDP into your network. A VPN is the better choice here.

It is wrong. I use RDP just because I want to test that the NAT can work.....

Finally, I wish I could both connect to the pfSense web UI via the WAN port and connect to my client's web UI.

Derelict (LAYER 8, Netgate)

The way you have it now you will have to connect to the web GUI on https://wan.address:9443/ (if you have the proper firewall rules on WAN. I will not belabor the point that it is a bad idea to have that open from any address.)

                          That will be completely unrelated to any http traffic on any interface on port 80.

                          If your WAN rules pass traffic source address any source port any dest address 192.168.1.3 dest port 80 (which is the default for a port forward rule if you do not change the rule creation and linking selection at the bottom of the port forward definition), traffic to WAN Address:80 will be forwarded to 192.168.1.3:80.

                          If that is not working, you need to see why that web server is not answering.

                          As @johnpoz said, the checklist of things to look at is here:

                          https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

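To make the two points in this thread concrete (Derelict's explanation that a rule requiring source port 80 can never match a browser that sources from an ephemeral port, and the later description of the default WAN pass rule "source port any, dest 192.168.1.3 dest port 80"), here is a small added example. It is not code from the thread, from Netgate or from pfSense; it is a simplified model of rule matching and destination rewriting, without pf's state tracking or rule ordering. The addresses 203.0.113.10 (WAN) and 198.51.100.7 (internet client) are constructed; 192.168.1.3:80 and the 1024-65535 ephemeral range are taken from the thread.

```python
"""Added example (not from the thread, Netgate or pfSense): a minimal model
of port-forward rule matching that shows why a rule with source port 80
never matches browser traffic, and what the corrected rule (source 'any')
does with the same connections."""
import random
from dataclasses import dataclass
from typing import Optional

# Ephemeral source-port range as stated in the thread.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535

WAN_IP = "203.0.113.10"     # constructed WAN address
CLIENT_IP = "198.51.100.7"  # constructed internet client
LAN_WEB = "192.168.1.3"     # LAN web server named in the thread


@dataclass(frozen=True)
class Conn:
    """One TCP connection attempt as seen arriving on the WAN interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ForwardRule:
    """A port forward: match on the fields, then rewrite the destination.
    src_port=None means 'any', which is what the thread recommends."""
    src_port: Optional[int]
    dst_ip: str
    dst_port: int
    target_ip: str
    target_port: int

    def matches(self, c: Conn) -> bool:
        if c.dst_ip != self.dst_ip or c.dst_port != self.dst_port:
            return False
        return self.src_port is None or c.src_port == self.src_port

    def translate(self, c: Conn) -> Optional[Conn]:
        """Rewritten connection if the rule matches, otherwise None."""
        if not self.matches(c):
            return None
        return Conn(c.src_ip, c.src_port, self.target_ip, self.target_port)


# The misconfigured rule from the thread: source port 80 AND destination port 80.
BROKEN_RULE = ForwardRule(src_port=80, dst_ip=WAN_IP, dst_port=80,
                          target_ip=LAN_WEB, target_port=80)
# The corrected rule: source port 'any', destination WAN:80 -> 192.168.1.3:80.
FIXED_RULE = ForwardRule(src_port=None, dst_ip=WAN_IP, dst_port=80,
                         target_ip=LAN_WEB, target_port=80)


def client_connection(rng: random.Random, dst_port: int = 80) -> Conn:
    """A browser sources each connection from a random ephemeral port."""
    return Conn(CLIENT_IP, rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH),
                WAN_IP, dst_port)


def count_matches(rule: ForwardRule, attempts: int = 1000, seed: int = 1) -> int:
    """How many of `attempts` simulated browser connections the rule forwards."""
    rng = random.Random(seed)
    return sum(1 for _ in range(attempts) if rule.matches(client_connection(rng)))


if __name__ == "__main__":
    print("broken rule forwarded:", count_matches(BROKEN_RULE), "of 1000")
    print("fixed rule forwarded: ", count_matches(FIXED_RULE), "of 1000")
    # A web-GUI connection on 9443 is untouched by either rule, as Derelict notes.
    gui = Conn(CLIENT_IP, 50000, WAN_IP, 9443)
    print("9443 translated by fixed rule:", FIXED_RULE.translate(gui))
```

Running it shows the broken rule forwarding none of the simulated connections and the fixed rule forwarding all of them, while a connection to port 9443 is returned untranslated by both rules, which is the "completely unrelated" behaviour described above.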