Netgate Discussion Forum

    Forwarding and ping from WAN dont work. (SOLVED)

    27 Posts 7 Posters 7.5k Views
    • S
      Stefoo
      last edited by Stefoo

      Thanks to everybody for contributing.
      The original post was not related to security, but thanks for your concerns.
      FYI, this is my second PFS box; the first one was set up with everything you say.

      @johnpoz I am not so experienced, and even less so with diagnosis.
      I did a packet capture and found traffic is reaching the internal IP. So it is not a problem of forwarding.
      I changed the forwarding to a Ubiquiti device that has a gateway. Again I can't open it; I am not reaching any login screen.
      How should I diagnose further?

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Stefoo
        last edited by johnpoz

        @stefoo said in Forwarding and ping from WAN dont work.:

        I changed the forwarding to a Ubiquti device that has gateway

        Is this gateway pfSense? Do you not get an answer when you see pfSense forward the traffic..

        For a forward to work, the dest box you're forwarding to has to send the traffic back to the IP that forwarded it ;) You can not send your answer via some other gateway..

        I am not reaching any login screen

        You are actually testing this from OUTside, right... You can not attempt to hit your WAN IP from a box inside, to be forwarded back inside, and expect that to work without setting up NAT Reflection. You need to be validating your port forwards from external to pfSense. canyouseeme.org is a great place to test if ports are open and reaching the client you're forwarding to, and that it answers..

        Here I forwarded 22 to one of my UniFi APs that is on 192.168.2.2

        That took all of 30 seconds.

        0_1538650604716_portforward.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • S
          Stefoo
          last edited by Stefoo

          !!! This is again one of those cases where something is tripping !!!
          Yes, I am testing only from outside.
          Here is my packet capture

          On WAN
          4:57:58.011987 IP 185.12.24.42.62203 > 57.237.109.180.8007: tcp 0
          14:58:01.731203 IP 185.12.24.42.62219 > 57.237.109.180.8007: tcp 0
          14:58:01.985091 IP 185.12.24.42.62224 > 57.237.109.180.8007: tcp 0

          On LAN
          14:54:13.272152 IP 185.12.24.42.61019 > 192.168.100.7.80: tcp 0
          14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0
          14:54:13.527480 IP 185.12.24.42.61028 > 192.168.100.7.80: tcp 0

          I used www.yougetsignal.com/tools/open-ports/ to check my open ports. It says port 8007 is not open, while I have these rules:
          0_1538654517239_Screen Shot 2018-10-04 at 15.00.12.png 0_1538654527811_Screen Shot 2018-10-04 at 15.00.43.png

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @stefoo said in Forwarding and ping from WAN dont work.:

            14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0

            The box you're forwarding to clearly sends a response - what is this response? Is it a RST? Did that actually go back to the pfSense IP (MAC address)? Open that sniff in Wireshark.

            BTW your rules are WRONG... Just let your port forward create the rules...

            They should look like this..

            0_1538656904323_forward.png

            Why do you have that 8007 rule to any in there?


            • S
              Stefoo
              last edited by Stefoo

              I added that rule just in case; otherwise I let NAT create its rules.
              I have a question. If a port is forwarded, is it then closed? Because the open port checker is reporting that the port is closed, while when sniffing as the checker connects it's obvious that traffic gets through.
              @johnpoz I guess it's not a RST. Sorry, I am not good at reading captured packets.
              Wireshark on WAN
              0_1538677054697_Screen Shot 2018-10-04 at 21.01.42.png

              Wireshark on LAN
              0_1538677146110_Screen Shot 2018-10-04 at 21.18.26.png

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                So from that you're seeing SYN,ACK, which is the proper answer to a SYN - but it's not going back out your WAN..

                You're taking those sniffs on the pfSense LAN interface.. And it's sending it to the pfSense LAN MAC - from that ARP I assume the pfSense LAN IP is 192.168.100.1 with MAC address 00:10:dc:20:a0:87

                Do you have more than 1 WAN? What are your rules on your LAN? Are you using any sort of captive portal on the LAN side?

                What do you have for outbound NAT?

                Does this client's internet work? Can it go through pfSense for internet, and does that work? When you sniffed on WAN, did you limit that to an IP or something? Are you sure pfSense is not sending that traffic back out to your outside IP but didn't NAT it - i.e. sending it out with the 192.168.100.7 address?


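The diagnosis johnpoz walks through above (SYN seen on WAN, forwarded SYN and SYN,ACK seen on LAN, but no translated reply leaving WAN) can be mechanised over the two one-line captures. The script below is an added example, not code from the thread or from pfSense: it parses the `tcp 0` summary format shown in the posts, pairs each inbound connection attempt on the WAN capture with what the LAN capture shows, and reports which stage of the forward broke. The capture lines, the RFC 5737 addresses 203.0.113.42 and 198.51.100.180, and the function names are all constructed for the example; the hints restate the checks asked for in the thread.

```python
import re
from collections import OrderedDict

# One-line TCP summary format as it appears in the thread's captures, e.g.
#   14:58:01.731203 IP 203.0.113.42.62219 > 198.51.100.180.8007: tcp 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): tcp (?P<length>\d+)$"
)

# Constructed sample captures (documentation addresses, not real traffic).
# Four client flows, one per outcome the diagnosis can produce.
WAN_CAPTURE = """\
14:58:01.731203 IP 203.0.113.42.62219 > 198.51.100.180.8007: tcp 0
14:58:01.985091 IP 203.0.113.42.62224 > 198.51.100.180.8007: tcp 0
14:58:02.104410 IP 203.0.113.42.62230 > 198.51.100.180.8007: tcp 0
14:58:03.000100 IP 203.0.113.42.62240 > 198.51.100.180.8007: tcp 0
14:58:03.000400 IP 198.51.100.180.8007 > 203.0.113.42.62240: tcp 0
"""
LAN_CAPTURE = """\
14:58:01.731300 IP 203.0.113.42.62219 > 192.168.100.7.80: tcp 0
14:58:01.731415 IP 192.168.100.7.80 > 203.0.113.42.62219: tcp 0
14:58:01.985200 IP 203.0.113.42.62224 > 192.168.100.7.80: tcp 0
14:58:03.000200 IP 203.0.113.42.62240 > 192.168.100.7.80: tcp 0
14:58:03.000300 IP 192.168.100.7.80 > 203.0.113.42.62240: tcp 0
"""

# What each verdict means and what to check next (from the questions asked in the thread).
HINTS = {
    "not_forwarded": "SYN reached WAN but never appeared on LAN: check the port forward "
                     "and the WAN firewall rule it creates.",
    "no_reply_from_target": "Forwarded to the target, but the target never answered: check "
                            "the service and the host firewall on the target.",
    "reply_not_returned": "Target answered on LAN, but no translated reply left WAN: check the "
                          "target's default gateway (it must reply via pfSense), captive portal "
                          "on the LAN, and outbound NAT.",
    "ok": "Handshake completed through the forward.",
}


def parse_capture(text):
    """Return a list of packet dicts; lines that are not TCP summaries are skipped."""
    packets = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        p = m.groupdict()
        for key in ("sport", "dport", "length"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def _seen(packets, src, sport, dst, dport):
    """True if any packet matches the given 4-tuple exactly."""
    return any(p["src"] == src and p["sport"] == sport
               and p["dst"] == dst and p["dport"] == dport for p in packets)


def diagnose_forward(wan_text, lan_text, wan_ip, wan_port, target_ip, target_port):
    """Map each (client_ip, client_port) seen hitting wan_ip:wan_port to a verdict key."""
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)
    verdicts = OrderedDict()
    # Stage 1: every inbound attempt on the WAN capture starts as "not forwarded".
    for p in wan:
        if p["dst"] == wan_ip and p["dport"] == wan_port:
            verdicts.setdefault((p["src"], p["sport"]), "not_forwarded")
    for (cip, cport) in list(verdicts):
        # Stage 2: the same client tuple must show up on LAN, rewritten to the target.
        if not _seen(lan, cip, cport, target_ip, target_port):
            continue
        # Stage 3: the target must answer the client, and it must do so via pfSense.
        if not _seen(lan, target_ip, target_port, cip, cport):
            verdicts[(cip, cport)] = "no_reply_from_target"
        # Stage 4: the answer must leave WAN translated back to wan_ip:wan_port.
        elif not _seen(wan, wan_ip, wan_port, cip, cport):
            verdicts[(cip, cport)] = "reply_not_returned"
        else:
            verdicts[(cip, cport)] = "ok"
    return verdicts


if __name__ == "__main__":
    result = diagnose_forward(WAN_CAPTURE, LAN_CAPTURE,
                              "198.51.100.180", 8007, "192.168.100.7", 80)
    for (cip, cport), verdict in result.items():
        print(f"{cip}:{cport} -> {verdict}: {HINTS[verdict]}")
```

The check only pairs packets by 4-tuple, which is enough for the one-line summary format; with a pcap opened in Wireshark you would additionally confirm the flags (SYN versus SYN,ACK versus RST) and the destination MAC of the LAN reply, as the post above asks.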
                  • S
                    Stefoo
                    last edited by

                    IT WAS THE CAPTIVE PORTAL BLOCKING THE DEVICE TO WAN.

                    @johnpoz Next time I will take 3 beers. One is for you.
                    Thanks for helping.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      And PEBKAC strikes again ;) This is the root cause of all port forwarding issues...


                      • S
                        Stefoo
                        last edited by

                        I don't completely agree, although this CP has confused me more than once.
                        Forwarding is a different case, because the connection is established from outside, so the CP should not ask devices for rights to respond.
                        Maybe I am wrong.
                        What got me confused was that ping from WAN.
                        Well! Now at least this PEBKAC can sniff and diagnose a bit better ;)

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          That is number 9 of things to check here:

                          https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html#common-problems

                          When I emphasize check (really check) everything there, this is what I am talking about.

                          It is invariably something on that list.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          • S
                            Stefoo
                            last edited by

                            Hi,
                            Can I ask for a bit of hinting about NAT reflection, I guess.
                            The case is... I got the forwarding to work OK. I got the DDNS to work with the forwarding OK. My ports are not 1:1; hence I forward 77 to 88.
                            But when I try to connect from the internal network by domain:port, it does not connect.
                            I guess it's not connecting since the reflection is connecting to port 77, while on the internal network the services are on 88?
                            I tried to override that by playing with settings, but no luck.
                            So far I have no idea what to search for to understand the case better.

                            Thank you again for any comments and ofc your critique.

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              NAT reflection is ALWAYS the worst option to choose.. I don't understand why anyone would ever want to NAT reflect..

                              If host.domain.tld is on the same network next to you - then why would you not just resolve host.domain.tld to that IP.. Why would you ever want to go to the public IP to be reflected back in??

                              As to forwarding port X to port Y.. That is always a workaround in itself to allow going to the same service with the limitation of NAPT and only 1 public IP, etc.

                              If you want to go to host.domain.tld:port, then go there where host.domain.tld resolves to the local IP and not the public IP..
