Netgate Discussion Forum

    Problems with port forwarding

      noratx

      Hi!

      I got a vmware server where I am running pfsense as a router vm.

      I got the following networks:
      WAN - IP ..161.121, Virt IP: ..239.148
      LAN - IP ..239.145
      NAT - IP 192.168.0.1 (DHCP range 192.168.0.10 - 192.168.0.254)

      Since I got a /29 network, I have the LAN interface to be able to give some of my VMs a public IP.
      The NAT interface is so that I can set up a few VMs without having to waste public IPs.

      The outbound NAT is working as it's supposed to now, however, the port forwarding is not.
      I am trying to RDP in to the vm, but I am getting no response.

      The problem is mostly because of the firewall rules, and I am not sure how to set them correctly.
      How do I set the rules on the WAN side, and respectively on the NAT side?
      At the moment, I have tried to set a rule on the WAN side to allow any source to destination 192.168.0.1/24, or any to .-239.148 or any to 192.168.0.10 (Protocol IPv4 *)
      On the NAT side, I tried to set source any, port 3389 to 192.168.0.10 port 3389, or even any source, any port, to 192.168.0.10 (protocol IPv4).

      Can someone please help me out by giving me an example of how I should properly set the rules.
      If possible, I would like to be able to set up, let's say, 3 test VMs behind the NAT with the following port forwardings:

      ..239.148:80 -> 192.168.0.10:80
      ..239.148:3389 -> 192.168.0.10:3389
      ..239.148:81 -> 192.168.0.11:80
      ..239.148:3390 -> 192.168.0.11:3389
      ..239.148:82 -> 192.168.0.12:80
      ..239.148:3391 -> 192.168.0.12:3389

      Is this possible, or do I have to change the listening ports on the VMs as well?
      No matter what though, I am still not sure how to set the rules.

      Thanks in advance
      /Rickard

        johnpoz LAYER 8 Global Moderator

        You shouldn't have to create any rules on the WAN, out of the box by default when you create a port forward it will auto create your WAN rule that allows the forward.  You might need to move the rule around depending on what rules you already have on the WAN that could fire before the rule that allows the traffic.

        Your dest on your WAN rule would be to your private address you're forwarding to.  You wouldn't put in a range here, this rule would be specific for your port forward.  As I said pfSense will auto create this rule for you.

        No, you should not have to change the RDP port on the server, since you're using different ports in your forward.  Common mistake is forgetting the server firewall, Windows out of the box is not going to allow access to remote desktop from an IP other than its local network.

        On a side note, opening up RDP to the public internet is rarely if ever something I would call a "good" idea.  If you want to remote to these machines - why don't you just VPN in, then access whatever you want.  If you want to provide HTTP to public sure, but remote desktop is not a good idea imho.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          noratx

          Thank you for your answer.

          No matter what I do though, it refuses to work.

          I guess it's hard to help unless you see what the config looks like, so for the sake of it, I made some screenshots:

          My WAN interface: https://i.gyazo.com/ad806fcdbaebe10905ea785ee28e1242.png
          My LAN interface: https://i.gyazo.com/4133aa7ef23fa8916228cdca70bc0fe2.png
          My NAT interface: https://i.gyazo.com/c875da065976604e9fced5cb8520bfee.png

          My WAN virtual IP: https://i.gyazo.com/583711612aff28da768ffab682978b8d.png

          My Outbound NAT rules: https://i.gyazo.com/8c5b5d0264417e50172e56553928ebf8.png

          My Firewall rules on the WAN side: https://i.gyazo.com/44494cf55fb7251ecac926b7ff5d6534.png
          My Firewall rules on the LAN side: https://i.gyazo.com/ef4451ad59bf19fa3bbb7556d4ff8b0a.png
          My Firewall rules on the NAT side: https://i.gyazo.com/c030471d1f93a278770cb0f1db1e11ff.png

          Now, I know this firewall is wide open, I will shut it down later on. For now, it's open for testing purposes.
          I find it much easier to make sure all is open and working first, and then add a drop rule (maybe this is the wrong way to go though).

          Anyway, no matter how I try, I see no auto created rules when I try to forward a port.

          The connections on the WAN <-> LAN sides are working.
          I just need to get the WAN <-> NAT connections and port forwardings to work as well.

          Also, regarding the comment of leaving RDP ports wide open to the public.. this too will be shut down later on, when I see the connections are working, the source will not be any, but instead a selected few IPs which I am in control over.

            johnpoz LAYER 8 Global Moderator

            "Anyway, no matter how I try, I see no auto created rules when I try to forward a port."

            I can not get to your links.. Not sure why people just don't attach..

            But anyway as you see.. Creating a port forward is more often than not 3 items to check.  It defaults to WAN, it defaults to TCP.. You pick your service/port and the IP.. See the bottom where it is set to autocreate the rule.  See where I created the forward, and it added the rule to my WAN.

            [Attached screenshot: portforwardcreate.png]


              noratx

              sigh

              I had missed the most obvious, thank you Johnpoz!

              I had missed the "Port Forward" tab under NAT, and simply thought I only needed to add rules in the firewall.
              No wonder it didn't work properly!
              Thanks!

                johnpoz LAYER 8 Global Moderator

                NP, glad you got it sorted.  Chalk yet another Port Forwarding problem to PEBKAC ;)  In the whole time I have been here, I don't think I have actually seen a problem that was not PEBKAC… So don't feel bad, you're not the only one that has issues with something that should take like 2.3 seconds..

                As I posted, many port forwards are just clickly clicky worky worky.. If it doesn't, you're doing something wrong, wrong port, wrong IP, traffic not even getting to pfSense, software firewall on the place you're forwarding to, etc.

                The troubleshooting doc touches on all the common mistakes/issues, and points to how to find the source of the problem quite quickly when the clickly doesn't work.

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

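The order of operations this thread turns on, as a small Python model added here for illustration (it is not code from either poster or from pfSense): the port forward rewrites the destination first, and the WAN rule is then matched against the private address. The VIP `203.0.113.148`, the admin address `198.51.100.7` and the function names are constructed assumptions; the port mappings are the ones listed in the first post, with RDP limited to chosen sources as noratx planned.

```python
import ipaddress

VIP = "203.0.113.148"  # constructed stand-in for the redacted WAN virtual IP
ANY = ["0.0.0.0/0"]

# external port on the VIP -> (internal host, internal port), from the first post
FORWARDS = {
    80: ("192.168.0.10", 80), 3389: ("192.168.0.10", 3389),
    81: ("192.168.0.11", 80), 3390: ("192.168.0.11", 3389),
    82: ("192.168.0.12", 80), 3391: ("192.168.0.12", 3389),
}

def linked_rules(forwards, rdp_sources):
    """One WAN pass rule per forward. The destination is the private
    address and port; RDP targets only accept the listed sources."""
    return [{"src": rdp_sources if port == 3389 else ANY, "dst": host, "port": port}
            for host, port in forwards.values()]

def evaluate(src, dport, forwards, rules):
    """Inbound packet to the VIP: NAT rewrites the destination first,
    then the WAN rules are checked against the rewritten packet."""
    dst = VIP
    if dport in forwards:
        dst, dport = forwards[dport]
    for rule in rules:  # first matching rule wins
        in_src = any(ipaddress.ip_address(src) in ipaddress.ip_network(net)
                     for net in rule["src"])
        if in_src and rule["dst"] == dst and rule["port"] == dport:
            return ("pass", dst, dport)
    return ("block", dst, dport)  # nothing matched: default deny

ADMIN = ["198.51.100.7/32"]  # constructed admin address
RULES = linked_rules(FORWARDS, ADMIN)
VIP_RULE = [{"src": ANY, "dst": VIP, "port": 3389}]  # hand-made rule aimed at the VIP

def demo():
    return {
        "admin_rdp": evaluate("198.51.100.7", 3390, FORWARDS, RULES),
        "other_rdp": evaluate("192.0.2.50", 3390, FORWARDS, RULES),
        "public_http": evaluate("192.0.2.50", 81, FORWARDS, RULES),
        # rule aimed at the VIP stops matching once NAT has rewritten dst
        "rule_to_vip": evaluate("198.51.100.7", 3389, FORWARDS, VIP_RULE),
        # rule but no port forward: passes, yet never reaches 192.168.0.10
        "no_forward": evaluate("198.51.100.7", 3389, {}, VIP_RULE),
    }

if __name__ == "__main__":
    print(demo())
```

The `no_forward` case is the situation from the start of the thread: a firewall rule on its own admits the packet, but it is still addressed to the firewall's own VIP.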