Netgate Discussion Forum

no port forward into vlan

  • CvH (last edited Mar 20, 2019, 11:13 AM)

    Hello,
    I am unable to get a working port forward.

    My Setup [image attachment]

    As a test, I would like to forward SSH port 22 to some IP address.

    Firewall rule [image attachment]

    NAT rule [image attachment]

    Diagnostics/States/States [image attachment]

    I already looked through the "Port Forward Troubleshooting" guide, and from my perspective everything looks like it is working (I am no expert :) ).

    It's not just port 22; I have already tried other ports and get the same problems. Besides those rules we have nothing that should conflict with them, and a rather basic setup apart from the different VLANs. Otherwise everything else looks like it is working; I just can't open any port that is behind the pfSense (opening a port to the pfSense itself works).
    Opening the SSH connection from the pfSense box works too.

    Sadly, I have no idea where I should look at the moment. Maybe it's some trivial change that is needed.

    Any help or pointers would be great; if you need some logs etc., please ask.

    best regards

    • viragomann (last edited Mar 20, 2019, 5:25 PM)

      Your network map doesn't show the VLANs, so it is not possible to say if the interface you've added the NAT rule to is correct.
      However, you have to state a unique destination IP which should be forwarded.

      • NogBadTheBad (last edited Mar 20, 2019, 5:57 PM)

        It would help if you could get rid of the double NAT that will occur.

        Can you put the non-pfSense router into modem mode?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • CvH @viragomann (Mar 20, 2019, 6:37 PM; last edited by CvH Mar 20, 2019, 6:40 PM)

          @viragomann said in no port forward into vlan:

          Your network map doesn't show the VLANs

          10.24.10.xx -> VLAN10
          10.24.20.xx -> VLAN20
          ...

          @viragomann said in no port forward into vlan:

          However, you have to state a unique destination IP which should be forwarded.

          Isn't it done by that?
          [image attachment]

          @NogBadTheBad said in no port forward into vlan:

          It would help if you could get rid of the double nat that will occur.

          Sadly, this is not possible at all; I have no access to that box (some vendor crap), but the same setup is reported to work properly, so I can at least guess it works. Like I said, creating a port forward to the pfSense box works like a charm.

          I can only phone the vendor and ask for things to be changed; I have never seen the interface at all, so I can only suspect what is done there. If you have an idea what might break it, I can ask the vendor whether they have set some setting etc. that might have a negative impact. Maybe the router is doing some nasty stuff; I can't rule that out, but that's like a dark hole for me, so I would at least like to rule out that I am making some obvious mistake in the pfSense settings.

          • viragomann @CvH (last edited Mar 20, 2019, 8:47 PM)

            @CvH said in no port forward into vlan:

            Isn't it done by that?

            No, the destination address in the NAT rule is "any".
            [image attachment]
            You may state the interface address here.

            Another possible reason could be the system firewall on the destination device. Are you sure it is accepting connections from public source IPs?

            • Derelict (LAYER 8, Netgate) (last edited Mar 21, 2019, 1:13 AM)

              [image attachment]

              It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • CvH @viragomann (last edited Mar 21, 2019, 9:11 AM)

                @viragomann said in no port forward into vlan:

                No, the destination address in the NAT rule is "any".

                I changed the Dest. Address to the VLAN10 address, and at least I get some sign of life at my box.

                root@10.24.20.188:~# tcpdump -n | grep "\.22:" | grep "123.123.123.123"
                tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
                09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
                09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
                

                @viragomann said in no port forward into vlan:

                Are you sure it is accepting connections from public source IPs?

                Yes, I also tried a different box that is for sure not "limited".

                @Derelict said in no port forward into vlan:

                It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123

                Is it possible that I have now correctly set up the Internet -> my box direction, and now "something" is blocking the my box -> Internet route?

                My current setup
                Firewall rules [image attachment]

                NAT rules [image attachment]

                • CvH (last edited Mar 21, 2019, 9:52 AM)

                  Gosh, found the problem for that :)
                  I used the wrong gateway, so changing the Dest. Address to the VLAN10 address did it for me.
                  thank you very much

                  PS: can't edit the post above due to spam detection 😌

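The symptom Derelict pointed at (SYNs reaching 10.24.20.188, nothing coming back) is exactly what a destination host with a wrong default gateway produces: the forward delivers the packets, but the replies leave through the wrong router and never reach the client. As an added example that is not from the thread, this Python script parses tcpdump lines in the format CvH posted and lists inbound flows to the forwarded port that never got a SYN-ACK; the sample capture is constructed (CvH's two SYN lines plus a LAN-side handshake added for contrast).

```python
import re
from collections import defaultdict

# Constructed sample capture: the two SYN lines CvH posted, plus a LAN-side
# handshake added here for contrast (not part of the thread's capture).
SAMPLE_CAPTURE = """\
09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
09:51:10.000000 IP 10.24.10.5.50000 > 10.24.20.188.22: Flags [S], seq 1, win 29200, length 0
09:51:10.000500 IP 10.24.20.188.22 > 10.24.10.5.50000: Flags [S.], seq 2, ack 2, win 28960, length 0
"""

# Matches the prefix of a "tcpdump -n" TCP line: timestamp, endpoints, TCP flags.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line in the capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def unanswered_syns(text, target_ip, target_port):
    """Map (client_ip, client_port) -> number of SYNs seen for flows to the
    forwarded port that never received a SYN-ACK ("S.") back from the target.

    Inbound SYNs with no reply mean the forward itself delivered the packets;
    the reply path (host firewall or, as in this thread, the host's gateway)
    is where to look next.
    """
    syns = defaultdict(int)
    answered = set()
    for src, sport, dst, dport, flags in parse_capture(text):
        if dst == target_ip and dport == target_port and flags == "S":
            syns[(src, sport)] += 1
        elif src == target_ip and sport == target_port and flags == "S.":
            answered.add((dst, dport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    for (ip, port), n in unanswered_syns(SAMPLE_CAPTURE, "10.24.20.188", 22).items():
        print(f"{ip}:{port} sent {n} SYN(s) to port 22, no SYN-ACK seen")
```

Run it against a real capture with `tcpdump -n -i eth0 port 22 > capture.txt` on the destination host and feed the file contents to `unanswered_syns`; the LAN-side flow in the sample is reported as answered, while the public client shows two unanswered SYNs.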