no port forward into vlan
-
Hello,
I am unable to do a working port forward.
My Setup
As a test I would like to do an SSH port 22 forward to some IP address.
firewall rule
NAT rule
Diagnostics/States/States
I already looked through the "Port Forward Troubleshooting" guide and from my perspective everything looks to be working (I am no expert :) ).
It's not just port 22; I already tried other ports and they have the same problems. Besides those rules we have nothing that should conflict with them, and a rather basic setup apart from the different VLANs. Otherwise everything else looks to be working; I just can't open any port that is behind the pfSense (opening a port to the pfSense works).
Opening the SSH connection from the pfSense box works too.
I sadly have no idea where I should look at the moment. Maybe it's some trivial change that's needed.
Any help or pointer would be great, if you need some log etc ... pls ask.
best regards
-
Your network map doesn't show the VLANs, so it is not possible to say if the interface you've added the NAT rule to is correct.
However, you have to state a unique destination IP which should be forwarded.
-
It would help if you could get rid of the double nat that will occur.
Can you put the non-pfSense router into modem mode?
-
@viragomann said in no port forward into vlan:
Your network map doesn't show the VLANs
10.24.10.xx -> VLAN10
10.24.20.xx -> VLAN20
...
@viragomann said in no port forward into vlan:
However, you have to state a unique destination IP which should be forwarded.
Isn't it done due to that?
@NogBadTheBad said in no port forward into vlan:
It would help if you could get rid of the double nat that will occur.
This is sadly not possible at all; I have no access to that box at all (some vendor crap), but the same setup is reported to be working properly, so I can guess at least it works. Like I said, creating a port forward to the pfSense box works like a charm.
I can only phone the vendor and ask for stuff to get changed then; I never saw the interface at all, so I can only suspect what is done here. If you have an idea what might break it, I can ask the vendor if they have set some setting etc. that might have a negative impact. Maybe the router is doing some nasty stuff, I can't rule that out, but that's like a dark hole for me, so I would at least like to rule out that I am making some obvious mistake in the pfSense settings.
-
@CvH said in no port forward into vlan:
Isn't it done due to that?
No, the destination address in the NAT rule is "any".
You may state the interface address here.
Another possible reason could be the system firewall on the destination device. Are you sure it is accepting connections from public source IPs?
-
It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123
-
@viragomann said in no port forward into vlan:
No, the destination address in the NAT rule is "any".
I changed Dest. Address to VLAN10 address and at least I get some sign of life at my box.
root@10.24.20.188:~# tcpdump -n | grep "\.22:" | grep "123.123.123.123"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
@viragomann said in no port forward into vlan:
Are you sure it is accepting connections from public source IPs?
Yes, I also tried a different box that is for sure not "limited".
@Derelict said in no port forward into vlan:
It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123
Is it possible that I have now correctly set up the Internet -> my Box way and now "something" is blocking the my Box -> Internet route?
my current setup
Firewall rules
NAT rules
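The capture above shows the diagnostic pattern Derelict pointed at: the SYN from 123.123.123.123 reaches 10.24.20.188 twice (the second line is a retransmission with the same seq), and nothing ever goes back. That means the port forward itself works and the problem is on the return path (host firewall, or a wrong default gateway on the host, as it turned out later). The script below is an added example and not part of the thread: it parses tcpdump's default `-n` TCP output, groups packets by connection, and lists client connections whose SYNs were never answered by the server. The sample capture embeds the two lines from the post plus a constructed healthy LAN connection (10.24.20.50 is an assumed address) so the contrast is visible.

```python
import re
from collections import defaultdict

# tcpdump -n default line format for TCP:
# "HH:MM:SS.uuuuuu IP SRC.SPORT > DST.DPORT: Flags [..], ..."
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: banner + the two real lines from the post + a healthy
# three-way handshake from an assumed LAN host 10.24.20.50.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
09:50:53.001000 IP 10.24.20.50.51000 > 10.24.20.188.22: Flags [S], seq 1, win 29200, length 0
09:50:53.001200 IP 10.24.20.188.22 > 10.24.20.50.51000: Flags [S.], seq 100, ack 2, win 28960, length 0
09:50:53.001400 IP 10.24.20.50.51000 > 10.24.20.188.22: Flags [.], ack 101, win 229, length 0
"""


def parse_line(line):
    """Return a dict for a TCP packet line, or None for banners and non-TCP lines."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def find_unanswered_syns(lines):
    """Map (client, cport, server, sport) -> number of pure SYNs seen, for every
    connection attempt where the server side never sent a single packet back.
    Repeated SYNs with the same tuple and no reply mean the inbound forward works
    and the return traffic is lost on the host (host firewall, wrong gateway)."""
    syns = defaultdict(int)
    answered = set()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["flags"] == "S":
            syns[fwd] += 1          # client's connection attempt
        else:
            # Any non-pure-SYN packet (SYN-ACK "S.", ACK ".", data "P." ...)
            # proves the sender is talking; it answers the opposite tuple.
            answered.add(rev)
    return {conn: n for conn, n in syns.items() if conn not in answered}


def report(lines):
    """Human-readable summary, one line per unanswered connection attempt."""
    out = []
    for (client, cport, server, sport), n in sorted(find_unanswered_syns(lines).items()):
        out.append(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no reply from {server}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE.splitlines()):
        print(line)
```

Feed it a saved capture (`tcpdump -n 'tcp port 22' > cap.txt` on the destination host, then `report(open("cap.txt").read().splitlines())`): a connection listed here with no reply is not a pfSense NAT problem but a return-path problem on the host, which is where to check the host firewall and the host's default route next.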
-
Gosh, found the problem for that :)
I used the wrong gateway, so changing Dest. Address to VLAN10 address did it for me.
Thank you very much.
PS: can't edit the post above due to spam detection.