Problems with port forwarding



  • Hi!

    I have a VMware server where I am running pfSense as a router VM.

    I have the following networks:
    WAN - IP ..161.121, Virt IP: ..239.148
    LAN - IP ..239.145
    NAT - IP 192.168.0.1 (DHCP range 192.168.0.10 - 192.168.0.254)

    Since I have a /29 network, I use the LAN interface to be able to give some of my VMs a public IP.
    The NAT interface is so that I can set up a few VMs without having to waste public IPs.

    The outbound NAT is working as it's supposed to now; however, the port forwarding is not.
    I am trying to RDP into the VM, but I am getting no response.

    The problem is mostly because of the firewall rules, and I am not sure how to set them correctly.
    How do I set the rules on the WAN side, and respectively on the NAT side?
    At the moment, I have tried to set a rule on the WAN side to allow any source to destination 192.168.0.1/24, or any to ..239.148, or any to 192.168.0.10 (Protocol IPv4 *).
    On the NAT side, I tried to set source any, port 3389 to 192.168.0.10 port 3389, or even any source, any port, to 192.168.0.10 (protocol IPv4).

    Can someone please help me out by giving me an example of how I should properly set the rules?
    If possible, I would like to be able to set up, let's say, 3 test VMs behind the NAT with the following port forwards:

    ..239.148:80-> 192.168.0.10:80
    ..239.148:3389 -> 192.168.0.10:3389
    ..239.148:81 -> 192.168.0.11:80
    ..239.148:3390 -> 192.168.0.11:3389
    ..239.148:82 -> 192.168.0.12:80
    ..239.148:3391 -> 192.168.0.12:3389

    Is this possible, or do I have to change the listening ports on the VMs as well?
    No matter what though, I am still not sure how to set the rules.

    Thanks in advance
    /Rickard


  • LAYER 8 Global Moderator

    You shouldn't have to create any rules on the WAN; out of the box, by default, when you create a port forward it will auto-create your WAN rule that allows the forward.  You might need to move the rule around depending on what rules you already have on the WAN that could fire before the rule that allows the traffic.

    Your dest on your WAN rule would be the private address you're forwarding to.  You wouldn't put in a range here; this rule would be specific for your port forward.  As I said, pfSense will auto-create this rule for you.

    No, you should not have to change the RDP port on the server, since you're using different ports in your forward.  A common mistake is forgetting the server firewall; Windows out of the box is not going to allow access to Remote Desktop from an IP other than its local network.

    On a side note, opening up RDP to the public internet is rarely if ever something I would call a "good" idea.  If you want to remote into these machines, why don't you just VPN in, then access whatever you want?  If you want to provide HTTP to the public, sure, but Remote Desktop is not a good idea IMHO.



  • Thank you for your answer.

    No matter what I do though, it refuses to work.

    I guess it's hard to help unless you see what the config looks like, so for the sake of it, I made some screenshots:

    My WAN interface: https://i.gyazo.com/ad806fcdbaebe10905ea785ee28e1242.png
    My LAN interface: https://i.gyazo.com/4133aa7ef23fa8916228cdca70bc0fe2.png
    My NAT interface: https://i.gyazo.com/c875da065976604e9fced5cb8520bfee.png

    My WAN virtual IP: https://i.gyazo.com/583711612aff28da768ffab682978b8d.png

    My Outbound NAT rules: https://i.gyazo.com/8c5b5d0264417e50172e56553928ebf8.png

    My Firewall rules on the WAN side: https://i.gyazo.com/44494cf55fb7251ecac926b7ff5d6534.png
    My Firewall rules on the LAN side: https://i.gyazo.com/ef4451ad59bf19fa3bbb7556d4ff8b0a.png
    My Firewall rules on the NAT side: https://i.gyazo.com/c030471d1f93a278770cb0f1db1e11ff.png

    Now, I know this firewall is wide open, I will shut it down later on. For now, it's open for testing purposes.
    I find it much easier to make sure all is open and working first, and then add a drop rule (maybe this is the wrong way to go though).

    Anyway, no matter how I try, I see no auto-created rules when I try to forward a port.

    The connections on the WAN <-> LAN sides are working.
    I just need to get the WAN <-> NAT connections and port forwardings to work as well.

    Also, regarding the comment about leaving RDP ports wide open to the public: this too will be shut down later on, when I see the connections are working; the source will not be any, but instead a selected few IPs which I am in control of.


  • LAYER 8 Global Moderator

    "Anyway, no matter how I try, I see no auto-created rules when I try to forward a port."

    I can not get to your links.. Not sure why people just don't attach..

    But anyway, as you see, creating a port forward is more often than not 3 items to check.  It defaults to WAN, it defaults to TCP; you pick your service/port and the IP.  See the bottom where it is set to auto-create the rule.  See where I created the forward, and it added the rule to my WAN.




  • sigh

    I had missed the most obvious, thank you Johnpoz!

    I had missed the "Port Forward" tab under NAT, and simply thought I only needed to add rules in the firewall.
    No wonder it didn't work properly!
    Thanks!


  • LAYER 8 Global Moderator

    NP, glad you got it sorted.  Chalk yet another port forwarding problem up to PEBKAC ;)  In the whole time I have been here, I don't think I have actually seen a problem that was not PEBKAC… So don't feel bad, you're not the only one that has issues with something that should take like 2.3 seconds.

    As I posted, many port forwards are just clicky clicky worky worky.  If it doesn't work, you're doing something wrong: wrong port, wrong IP, traffic not even getting to pfSense, software firewall on the place you're forwarding to, etc.

    The troubleshooting doc touches on all the common mistakes/issues, and points to how to find the source of the problem quite quickly when the clickly doesn't work.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
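
    The last reply lists the usual causes when a forward fails: wrong port, wrong IP, traffic never reaching pfSense, a host firewall on the target. The linked troubleshooting approach is to capture on the WAN and then on the inside interface and see how far the client's SYN gets. The script below is an added example, not part of the thread or of pfSense, that applies that reasoning to tcpdump-style text: it parses two captures and reports at which stage the forward breaks. The capture lines are constructed for illustration, with RFC 5737 placeholder addresses (`198.51.100.7` as the client, `203.0.113.148` as the VIP) standing in for the elided addresses in the posts.

```python
"""Added example: locate where a port forward breaks from two packet captures.

Capture on the WAN and on the inside (NAT) interface, then follow one client
SYN: did it reach pfSense, was it redirected to the target, did the target
answer?  Each missing step points at a different class of mistake.  The
capture lines below are constructed for illustration, not real captures.
"""
import re

# Client 198.51.100.7 tries RDP to the VIP; pfSense translates it to the VM,
# but the VM never answers (no SYN-ACK line in the inside capture).
WAN_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.51000 > 203.0.113.148.3389: Flags [S], seq 10, win 64240, length 0
12:00:02.000001 IP 198.51.100.7.51000 > 203.0.113.148.3389: Flags [S], seq 10, win 64240, length 0
"""
NAT_CAPTURE = """\
12:00:01.000050 IP 198.51.100.7.51000 > 192.168.0.10.3389: Flags [S], seq 10, win 64240, length 0
12:00:02.000050 IP 198.51.100.7.51000 > 192.168.0.10.3389: Flags [S], seq 10, win 64240, length 0
"""
# Same exchange with the VM replying, for comparison.
NAT_CAPTURE_OK = NAT_CAPTURE + (
    "12:00:01.000090 IP 192.168.0.10.3389 > 198.51.100.7.51000: "
    "Flags [S.], seq 77, ack 11, win 65535, length 0\n"
)

# tcpdump's default TCP line: "IP a.b.c.d.sport > w.x.y.z.dport: Flags [..], ..."
PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def parse(capture):
    """Extract src/dst/ports/flags from tcpdump-style TCP lines; ignore the rest."""
    pkts = []
    for line in capture.splitlines():
        m = PKT.search(line)
        if m:
            pkts.append({"src": m[1], "sport": int(m[2]), "dst": m[3],
                         "dport": int(m[4]), "flags": m[5]})
    return pkts


def is_syn(p):
    return "S" in p["flags"] and "." not in p["flags"]   # [S], not [S.]


def is_synack(p):
    return "S" in p["flags"] and "." in p["flags"]       # [S.]


def diagnose(wan_capture, nat_capture, vip, ext_port, target, local_port):
    """Return (stage, explanation) for one forward vip:ext_port -> target:local_port."""
    wan, nat = parse(wan_capture), parse(nat_capture)
    if not any(is_syn(p) and p["dst"] == vip and p["dport"] == ext_port for p in wan):
        return ("upstream", "no SYN for the VIP/port reached the WAN: wrong public IP or "
                "port on the client side, or the traffic never gets to pfSense")
    if not any(is_syn(p) and p["dst"] == target and p["dport"] == local_port for p in nat):
        return ("not_forwarded", "SYN arrived on the WAN but was not redirected inside: "
                "Port Forward entry missing or its target/port wrong, or the WAN rule blocks it")
    if not any(is_synack(p) and p["src"] == target and p["sport"] == local_port for p in nat):
        return ("no_reply", "SYN was delivered to the target but it sent no SYN-ACK: "
                "host firewall, service not listening, or the VM's default gateway is not pfSense")
    return ("ok", "SYN and SYN-ACK both seen inside; the forward itself works")


if __name__ == "__main__":
    for cap in (NAT_CAPTURE, NAT_CAPTURE_OK):
        print(diagnose(WAN_CAPTURE, cap, "203.0.113.148", 3389, "192.168.0.10", 3389))
```

    On a real box the two inputs come from `tcpdump -ni <wan-if> port 3389` and `tcpdump -ni <nat-if> port 3389` run while a client connects; the "no_reply" case is the Windows firewall situation the moderator warned about in the first answer, and the "not_forwarded" case is the missing Port Forward entry the original poster eventually found.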

