Netgate Discussion Forum

    Port forwarding - what am I doing wrong?

    NAT
    12 Posts 4 Posters 1.2k Views
    • ColinJack

      This should be a very straightforward job ... but I must have something wrong because it isn't working!
      I want to be able to use a non-standard port (589) for incoming SMTP connections to an internal server listening on port 25.
      0_1542820686965_Capture.JPG
      I am sure I am being thick but .... I can't see what I am missing.
      I have dozens of standard port forwards working (80 <> 80 etc.)
      Source and source port are set to any.

      Thanks

      Colin

      • SteveITS Galactic Empire

        Is the port internalserver:25 open in that server's firewall?
        Is the associated firewall rule correct? (it should update automatically, but...)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • ColinJack

          Yes - port 25 is accepting mail on the internal server. This is how it is currently working.
          I want to change this to a non-standard port to reduce spam. We are forwarding from a separate external spam filter.
          I checked the associated rule (just in case) and it looks fine:
          0_1542821965707_Capture.JPG
          This should be simple ... but for some reason it won't work.

          Colin

          • chpalmer

            External servers such as mine would never look for your server on that port.. But I suppose that is your goal. Then what have you done on the other side to make your intended incoming servers look for that port?

            Do a packet capture and see if it is even getting to you.

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            • SteveITS Galactic Empire @ColinJack

              @colinjack Did you try to delete and recreate the NAT forward? The only thing you've obscured is the public IP you're connecting to, but if one assumes that's correct then I am not seeing anything wrong.


              • ColinJack @SteveITS

                @teamits said in Port forwarding - what am I doing wrong?:

                @colinjack Did you try to delete and recreate the NAT forward? The only thing you've obscured is the public IP you're connecting to, but if one assumes that's correct then I am not seeing anything wrong.

                Yes - done that twice. Not a lot to get wrong really.
                Have now set up an identical rule to a non-production server to test but same result.
                Strange. I am not a complete firewall noob so thought this would be a simple job! :)
                Thanks for checking ... I will now go and bang my head on the desk.

                • ColinJack @chpalmer

                  @chpalmer said in Port forwarding - what am I doing wrong?:

                  External servers such as mine would never look for your server on that port.. But I suppose that is your goal. Then what have you done on the other side to make your intended incoming servers look for that port?

                  Do a packet capture and see if it is even getting to you.

                  That is exactly the reason I am doing this.
                  MX records for mail on that server point to an external spam filter which then forwards on the 'new' port. I am testing using telnet.

                  • johnpoz LAYER 8 Global Moderator

                    In your port forward the dest would be the wan address... Is that some vip you setup or something with server 6?

                    You are correct this is drop dead simple... It should take 2 seconds to create a port forward... If it's not working then run through the guide to figure out where your issue is..

                    A sniff on your wan interface will tell you if the traffic is getting there - if it doesn't get there then pfsense can not do anything.. So your problem is upstream.. If it gets there does it get sent to the correct lan side IP... Does that lan side device use pfsense as its gateway? Is it running a firewall, etc.
                    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • ColinJack @johnpoz

                      @johnpoz said in Port forwarding - what am I doing wrong?:

                      In your port forward the dest would be the wan address... Is that some vip you setup or something with server 6?

                      You are correct this is drop dead simple... It should take 2 seconds to create a port forward... If it's not working then run through the guide to figure out where your issue is..

                      A sniff on your wan interface will tell you if the traffic is getting there - if it doesn't get there then pfsense can not do anything.. So your problem is upstream.. If it gets there does it get sent to the correct lan side IP... Does that lan side device use pfsense as its gateway? Is it running a firewall, etc.
                      https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

                      Server 6 is mapped to a global IP using virtual ip. I can connect on port 25 no problem using telnet (existing port forward), so I know that all works. It is just connecting to 586 that doesn't ... it is as if the NAT isn't translating correctly.

                      Basically you are checking if it is setup correctly - but that is all working.
                      I can connect from outside on port 25 no problem ... so all the usual suspects (gateway etc.) are fine. All I am wanting to do is change the incoming port from 25 to 589 for email.

                      It is getting to the WAN interface okay:

                      18:53:41.787016 IP 91.135.23.121.13900 > 208.67.249.242.589: tcp 0
                      18:53:41.787442 IP 208.67.249.242.589 > 91.135.23.121.13900: tcp 0

                        • johnpoz LAYER 8 Global Moderator

                        Looks like you got an answer.. was that a RST?

                        since you posted your IP I sent a syn to 589 and yeah get back RST!!!

                        0_1542828588796_gotbackRST.png

                        So in layman terms that's a Fuck Off ;) pfSense would not do that.. So must be where you're sending it to... Since on the lan side..


                          • ColinJack @johnpoz
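                        The two posts above lay out the same triage johnpoz describes: sniff the WAN, and the answer to the SYN tells you where the forward breaks. No SYN means the problem is upstream of pfSense; a SYN with no answer means it was translated and then dropped (host firewall, wrong gateway, wrong target); a RST means whatever the SYN was translated to actively refused it; a SYN-ACK means the forward works. The script below is an added example, not code from the thread or from Netgate, that applies that decision table to tcpdump text output. The capture it parses is constructed (the thread's own two lines omit the TCP flags), and the addresses are documentation-range placeholders standing in for the VIP and the outside tester.

```python
import re
from typing import Optional

# Constructed sample capture in tcpdump's text format (not from the thread). 203.0.113.5 plays
# the WAN-side VIP, 198.51.100.10 the outside tester; both are placeholder addresses.
SAMPLE_CAPTURE = """\
18:53:41.787016 IP 198.51.100.10.13900 > 203.0.113.5.589: Flags [S], seq 1, win 64240, length 0
18:53:41.787442 IP 203.0.113.5.589 > 198.51.100.10.13900: Flags [R.], seq 0, ack 2, win 0, length 0
18:54:02.100000 IP 198.51.100.10.13901 > 203.0.113.5.25: Flags [S], seq 1, win 64240, length 0
18:54:02.100500 IP 203.0.113.5.25 > 198.51.100.10.13901: Flags [S.], seq 9, ack 2, win 65535, length 0
18:55:10.000000 IP 198.51.100.10.13902 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
"""

# One tcpdump line: timestamp, src.sport > dst.dport, then the TCP flags field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

VERDICTS = {
    "no-traffic": "no SYN reached the WAN capture: the problem is upstream of pfSense",
    "no-reply": "SYN arrived but nothing came back: dropped after translation (host firewall, wrong target or gateway)",
    "refused": "SYN answered with RST: the translated target refused it, nothing is listening on that port there",
    "open": "SYN answered with SYN-ACK: the forward works end to end",
}


def classify_forward(capture_text: str, wan_ip: str, port: int) -> str:
    """Classify inbound TCP connection attempts to wan_ip:port seen on a WAN capture.

    Returns one of the VERDICTS keys. Only a pure SYN (no ACK bit) counts as an attempt, and
    a reply is only counted for a flow whose SYN was seen first.
    """
    attempts = set()                  # (client ip, client port) flows that sent a SYN
    outcome: Optional[str] = None
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if m["dst"] == wan_ip and int(m["dport"]) == port and "S" in flags and "." not in flags:
            attempts.add((m["src"], m["sport"]))
        elif m["src"] == wan_ip and int(m["sport"]) == port and (m["dst"], m["dport"]) in attempts:
            if "R" in flags:
                outcome = "refused"
            elif "S" in flags and "." in flags:
                outcome = "open"
    if not attempts:
        return "no-traffic"
    return outcome or "no-reply"


def explain(capture_text: str, wan_ip: str, port: int) -> str:
    """One-line verdict with the troubleshooting meaning attached."""
    verdict = classify_forward(capture_text, wan_ip, port)
    return f"{wan_ip}:{port} -> {verdict}: {VERDICTS[verdict]}"


if __name__ == "__main__":
    for p in (589, 25, 443, 80):
        print(explain(SAMPLE_CAPTURE, "203.0.113.5", p))
```

                        Feed it the output of a WAN-side `tcpdump -nn` (the Diagnostics > Packet Capture text is the same format) and the port you are testing. The RST case is the one from this thread: the only rule that can match the forwarded SYN is the pass rule the port forward created, so a RST coming back from the VIP address was generated by whatever the packet was redirected to, not by pfSense.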

                          @johnpoz said in Port forwarding - what am I doing wrong?:

                          Looks like you got an answer.. was that a RST?

                          since you posted your IP I sent a syn to 589 and yeah get back RST!!!

                          0_1542828588796_gotbackRST.png

                          So in layman terms that's a Fuck Off ;) pfSense would not do that.. So must be where you're sending it to... Since on the lan side..

                          Okay - but if I telnet on port 25 it connects okay.
                          Does that maybe mean that it is trying to connect on the LAN server on 589 rather than 25?
                          i.e. not translating?
                          It is a Centos box ... where can I look in the logs to find that? Nothing in messages.
                          Thanks for the help.

                            • ColinJack @johnpoz

                            @johnpoz Thanks - sorted!

                            I have a bunch of ports that are included as a single port alias and one rule is used to port forward ... and that bunch included 25.
                            Removed port 25 and hey presto.

                            @johnpoz letting me know where it was being bounced from helped. Thanks.

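                            The resolution came from an alias: one rule forwarded a whole list of ports, that list included 25, and removing 25 from it made the 589 forward work. When an alias-driven forward is suspected of interfering, the first check is to expand the aliases and replay pf's first-match evaluation over the rule list: which rule an inbound packet to the VIP actually hits, which ports of a later rule are already claimed by an earlier one, and what else lands on the internal host's port 25. The model below is an added example, not the poster's configuration or Netgate code; the alias contents, rule names and addresses are constructed, and it simplifies pfSense's port mapping to two cases (a single fixed target port, or keeping the external port, which is how an alias forward behaves), leaving out offset ranges.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed rule set modelled on the thread: a VIP fronting "server 6", one forward driven by
# a port alias, and a second forward mapping external 589 to internal 25. Alias contents, rule
# names and addresses are assumptions, not the poster's configuration.
ALIASES: Dict[str, List[str]] = {
    "Server6_Ports": ["25", "80", "443", "8000:8010"],
}


@dataclass(frozen=True)
class PortForward:
    name: str
    dest_ip: str                       # WAN address or VIP the forward listens on
    dest_ports: str                    # single port, "lo:hi" range, or alias name
    target_ip: str
    target_port: Optional[int] = None  # None: keep the external port (alias-style forward)


RULES: List[PortForward] = [
    PortForward("Server6_alias", "203.0.113.5", "Server6_Ports", "192.168.1.6"),
    PortForward("SMTP_alt_port", "203.0.113.5", "589", "192.168.1.6", target_port=25),
]


def expand_ports(spec: str, aliases: Dict[str, List[str]] = ALIASES) -> Set[int]:
    """Expand a port spec (port, lo:hi range, or alias; aliases may nest) to a set of ints."""
    if spec in aliases:
        ports: Set[int] = set()
        for item in aliases[spec]:
            ports |= expand_ports(item, aliases)
        return ports
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def first_match(rules: List[PortForward], dest_ip: str, dest_port: int,
                aliases: Dict[str, List[str]] = ALIASES) -> Optional[Tuple[str, str, int]]:
    """pf applies rdr rules first-match, top to bottom: (rule name, target ip, target port)."""
    for rule in rules:
        if rule.dest_ip == dest_ip and dest_port in expand_ports(rule.dest_ports, aliases):
            target_port = rule.target_port if rule.target_port is not None else dest_port
            return rule.name, rule.target_ip, target_port
    return None


def shadowed_ports(rules: List[PortForward],
                   aliases: Dict[str, List[str]] = ALIASES) -> Dict[str, Dict[int, str]]:
    """Ports a later rule lists that an earlier rule on the same destination already wins."""
    owner: Dict[Tuple[str, int], str] = {}
    report: Dict[str, Dict[int, str]] = {}
    for rule in rules:
        for p in sorted(expand_ports(rule.dest_ports, aliases)):
            key = (rule.dest_ip, p)
            if key in owner:
                report.setdefault(rule.name, {})[p] = owner[key]
            else:
                owner[key] = rule.name
    return report


def forwards_to(rules: List[PortForward], target_ip: str, target_port: int,
                aliases: Dict[str, List[str]] = ALIASES) -> List[Tuple[str, int]]:
    """Every (rule name, external port) pair that lands on target_ip:target_port."""
    hits: List[Tuple[str, int]] = []
    for rule in rules:
        for p in sorted(expand_ports(rule.dest_ports, aliases)):
            mapped = rule.target_port if rule.target_port is not None else p
            if rule.target_ip == target_ip and mapped == target_port:
                hits.append((rule.name, p))
    return hits


if __name__ == "__main__":
    print("589 hits:", first_match(RULES, "203.0.113.5", 589))
    print("lands on 192.168.1.6:25:", forwards_to(RULES, "192.168.1.6", 25))
    print("shadowed:", shadowed_ports(RULES))
```

                            `forwards_to` is the check that matters for this thread: it lists every external port that ends up on the internal host's port 25, so a forward you did not have in mind (here the alias rule's own 25) shows up next to the one you just added. `shadowed_ports` catches the other common alias problem, a later rule whose ports an earlier rule already claims and which therefore never matches.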
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.