Port forwarding not working with private IP server



  • Hi,

    I am trying to setup port forwarding to a DMZ server, which is on a private IP.

    I have setup a port forwarding rule like so:

    Interface - OPT1 (Squid reverse proxy NIC)
    Dest Address - IP of a NIC dedicated to the Squid reverse proxy
    Protocol - TCP
    Source Port - *
    Source Address - *
    Dest Ports - 3389 (RDP is enabled on the server and no windows firewall in the way)
    NAT IP - IP of the server

    However, RDP does not go through. Is there anything I'm missing? I've also opened up traffic to the port on the DMZ NIC. The port forwarding should forward traffic from the OPT1 NIC, which is a public IP, to the DMZ network.



  • You didn't mention the Redirect target port, which should be set for 3389 also. Other than that, verify you can rdp locally. If that works, try external and watch the firewall for blocks/states from the IP you are connecting from.



  • @dotdash:

    You didn't mention the Redirect target port, which should be set for 3389 also. Other than that, verify you can rdp locally. If that works, try external and watch the firewall for blocks/states from the IP you are connecting from.

    The redirect target port is also 3389.

    I can RDP locally. I don't see any traffic on the firewall rule though? Which is strange?


  • Rebel Alliance Global Moderator

    You prob see no traffic because the traffic is never getting to pfsense

    Post up your port forward and your runs on this wan interface your traffic is hitting.

    Did you go through he troubleshooting guide
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Ok so the port forwarding rule is above, in my first post. That seems correct to me?

    I see on the logs now a status of: TIME_WAIT:TIME_WAIT

    I'm not sure why this is, however?


  • Rebel Alliance Global Moderator

    dude post up your wan rules and your port forwards,  Its real simple  - look I will post mine..

    And again I will ask did you go through the doc?  Finding the problem in a port forward is really couple of minutes of troubleshooting tops.. Take a packet capture did you syn go out to your box, did you get a syn,ack back…




  • Might be worth checking to see that your RDP target has the correct route back out through the firewall. Otherwise your return traffic won't get out.

    As suggested, post a screenshot (screenshot - not ascii) of your external rules and port forwarding rules.



  • Hi All,

    Attached are screenshots of my configuration.

    "Might be worth checking to see that your RDP target has the correct route back out through the firewall. Otherwise your return traffic won't get out."

    How could I check this?





  • Rebel Alliance Global Moderator

    Dude show us ALL the freaking rules.. What are thinking your hiding.. Can not tell if you have stuff above those firewall rules that mess it up..

    But it looks fine other than its on opt1 which not sure how that is setup for your wan.. So you have multiple wan connections??  What is your actual wan, and why does this come in on opt1?

    As to how to check what your gateway is on your OS??  Really??  So you want to run a box behind a firewall that your forwarding traffic to and you don't even know how to check what gateway a box is pointing too??

    Post your ipconfig /all



  • This one's all yours JP. If I wanted to do anything as difficult as pulling teeth I'd have gone to the dentist.


  • Rebel Alliance Global Moderator

    Yeah pulling teeth is not all that hard, its when you have to do with a piece of string and some twigs is when its gets difficult ;)

    Love to help this guy, but just can not make out what he is trying to do exactly.  Is there 2 wan connections?  Is the reverse proxy running on pfsense, is it behind pfsense and that is where he is wanting to rdp too?

    TIME_WAIT:TIME_WAIT

    Sure and the hell is not in the "logs" state table ok ;)  Which state is that, the state from pfsense to his box behind pfsense, the wan side state?  Why is this traffic coming in opt1 and not pfsense normal wan, is that opt1 another internet connection, an internal network?

    Sometimes you have to build a mnemonic memory circuit with stoneknives and bearskins around here ;)



  • I replied but not sure why it didn't show.

    So the servers use NAT to get out to the internet. No proxies. The gateway is the lan IP of the same pfsense box I am configuring PFSense on.

    On the same box is the squid reverse proxy. As that allows a choice of the NIC used, I chose a dedicated NIC for the traffic. For my purpose, i've now reverted to the WAN NIC.

    I've attached all screenshots now.

    Thanks all!










  • I'm going to stick my head above the parapet one more time on this and mention a couple of observations. Your RDP port forward is almost correct, with the exception being the destination address in your NAT rule - the destination should be WAN address, not the LAN network. From what I can see, this ought to sort out the RDP forwarding, though you might want to consider changing the source address from 'any' to a particular network you want to allow such access from.

    Your rulesets are pretty confusing. For instance, you have a comment next to a port 143 allow rule which reads "allow outgoing http", even though it's IMAP and is an incoming rule. Your IMAP rule is set to only allow connctions from your WAN network, meaning just those hosts which exist on the WAN subnet itself (I don't know if this is really correct as I don't know your setup). I get the impression that some of these rules you've got have grown organically over time through trial and error. You should consider reviewing these thoroughly and tidying them up - possibly start from scratch, planning out what services you need to have running from LAN and WAN and re-implementing them.


  • Netgate



  • Ok so I cleared up the rules and made the fix mentioned above with the port forwarding rule but still no luck.

    Just to add, I use ESXi 6. Does that matter at all?


  • Netgate

    How about you post what you have now?


  • Rebel Alliance Global Moderator

    I run pfsense on esxi 6, no it really should have nothing to do with anything if you have it setup correctly.  But if your doing something odd then yeah could have a impact.

    So that box you showed ipconfig /all for is another vm on this same esxi host?  How do you have your networking setup in esxi?  Are you other opt interfaces on different vswitches or port groups?

    Still not understanding what your opt networks are - are they other local networks.. I got the impression that opt1 was another internet connection?

    Posting your esxi network configuration sure wouldn't hurt.. So you can seem mine attached.  I have multiple OPT interfaces in pfsense.. One is called wlan in my setup, and as you can see its tied to a different vswitch which it connected to a different physical interface on the esxi host that is on a different vlan in the real world and also I run vlan tagged networks over that same interface.

    In this setup you will see vmnic3 or my wan that physical nic from the esxi host connects direct to my cable modem.  This gives pfsense the public IP on is wan interface.  The top phy nic is connected to the vmkern vswitch which I have on its own vswitch and own phy nic because seems that when vmkern shares same physical interface with what you would use as your normal lan there is a performance hit moving files to and from the datastore and I had nic not using so set it for vmkern.

    The other 2 phy nics are connected to vlan switch.  And then the last one is just for vms and not actually physically connected to real world network.  All access to and from real world and internet go through the pfsense vm.




  • Hi john / all

    I restarted pfsense and all working now! Back to loving pfsense :)

    Thanks all!