Forwarding and ping from WAN dont work. (SOLVED)

Stefoo

!!! This is again of those cases where something is tripping !!!
Yes, I am testing only from outside.
Here is my packet capture

On WAN
4:57:58.011987 IP 185.12.24.42.62203 > 57.237.109.180.8007: tcp 0
14:58:01.731203 IP 185.12.24.42.62219 > 57.237.109.180.8007: tcp 0
14:58:01.985091 IP 185.12.24.42.62224 > 57.237.109.180.8007: tcp 0

On LAN
14:54:13.272152 IP 185.12.24.42.61019 > 192.168.100.7.80: tcp 0
14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0
14:54:13.527480 IP 185.12.24.42.61028 > 192.168.100.7.80: tcp 0

I used www.yougetsignal.com/tools/open-ports/ to check my open ports. It says port 8007 is not open, while I have those rules:
0_1538654517239_Screen Shot 2018-10-04 at 15.00.12.png 0_1538654527811_Screen Shot 2018-10-04 at 15.00.43.png

johnpoz

@stefoo said in Forwarding and ping from WAN dont work.:

14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0

Your box your forwarding too clearly sends a response - what is this response? Is it a RST? Did that actually go back to pfsense IP (mac address?) open that sniff in wireshark

BTW your rules are WRONG... Just let your port forward create the rules...

They should look like this..

Why do you have that 8007 rule to any in there?

Stefoo

I added that rule just in case, otherwise I leave NAT create its rules.
I have a question. If a port is forwarded than is it closed? Because port open checker is reporting that port is closed while when sniffing when checker connects its obvious traffic gets trough.
@johnpoz I guess its not RST. Sorry, I am not good in reading captured packets.
WireShark on WAN
0_1538677054697_Screen Shot 2018-10-04 at 21.01.42.png

WhireShark on LAN
0_1538677146110_Screen Shot 2018-10-04 at 21.18.26.png

johnpoz

So from that your seeing syn,ack which is the proper answer to a syn - but its not going back out your wan..

Your taking those sniffs on pfsense lan interface.. And its sending it to pfsense lan mac - from that arp I assume pfsense lan IP is 192.168.100.1 with mac address 00:10:dc:20:a0:87

Do you have more than 1 wan? What are you rules on your lan? Are you using any sort of captive portal on the lan side?

What do you have for outbound nat?

Does this clients internet work? Can it go through pfsense for internet and that works? When you sniffed on wan did you limit that to IP or something. You sure pfsense not sending that traffic back out to your outside IP but didn't nat it - ie sending it out with the 192.168.100.7 address?

Stefoo

This post is deleted!

Stefoo

IT WAS CAPTIVE PORTAL BLOCKING DEVICE TO WAN.

@johnpoz Next time I will take 3 beers. One is for you.
Thanks for helping.

johnpoz

And PEBKAC strikes again ;) This is the root cause of all port forwarding issues...

Stefoo

I dont completely agree, although this CP has made me confused not once.
While forwarding is different case, because connection is established from outside, so CP should not ask devices for rights to respond.
Maybe I am wrong.
What got me confused was that ping from WAN.
Well! Now at least that PEBKAC can sniff and diagnose a bit better ;)

Derelict

That is number 9 of things to check here:

https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html#common-problems

When I emphasize check (really check) everything there, this is what I am talking about.

It is invariably something on that list.

Stefoo

Hi,
Can I ask a bit of hinting about NAT reflection, I guess.
The case is ... I got the the forwarding to work ok. I got the DDNS to work with the forwarding ok. My ports are not 1:1, hence I forward 77 to 88.
But when I try to connect from the internal network by the domain:port it does not connect.
I guess its not connecting since the reflection is connecting to ports 77 while on the internal network services are on 88?
I tried to override that by playing with settings, but no luck.
So far have no idea what to search for to understand better the case.

Thank you again for any comments and ofc your critique.

johnpoz

Nat reflection is ALWAYS the worse option to choose.. I don't understand why anyone would ever want to nat reflect..

if host.domain.tld is on the same network next to you - then why would you not just resolve host.domain.tld to that IP.. Why would you ever want to go to the public IP to be reflected back in??

As to forwarding port X to port Y.. That is always a work around in itself to all to go to the same service with the limitation of napt and only 1 public IP, etc.

If you want to go to host.domain.tld:port then go there where host.domain.tld resolves to the local IP and not the public ip..