Netgate Discussion Forum

    Security problem after unstable NAT

    Category: NAT
    7 Posts, 3 Posters, 1.8k Views
    • pixeltofu

      Hi

      I have encountered a bug which introduced a security problem.
      pfsense access over WAN is disabled. Below you can find my NAT and firewall settings.
      Pfsense reboots every morning. Now what happens is that 50% of the time I get the SSH of pfsense instead of box 10.0.0.107!
      So the pfSense is then open to the world wide web! If it did this at boot, all other NAS port forwards fail too.
      Now to "solve" it, I just need to open Firewall > NAT, and then ALL of them work!
      10.0.0.107 is online 24h/7h.

      • cmb

        That's allowed because you have a bunch of unnecessary rules. For SSH in particular, "SSH to Nova" rule with destination "any" is wrong. The one with the 10.x IP destination is correct.

        • pixeltofu

          Hi

          I removed the wildcards and changed the shutdown script to "shutdown -p now", and now all ports are blocked again on some days (not all days).
          On the days they are blocked, it shows in the Firewall log? So they are blocked because the destination is my WAN address?
          What extra rule do I need?

          • johnpoz (LAYER 8, Global Moderator)

            Why do you have 2 threads running about the same thing?
            https://forum.pfsense.org/index.php?topic=113567.0

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • pixeltofu

              Because they were two different problems: one being the NAT forwarding not always working and the other one the NAT ports ending on pfsense itself instead of the other server (security).

              • johnpoz (LAYER 8, Global Moderator)

                Huh, they sure seem like the same thing to me.. If your NAT rules are not working then those firewall rules would never work because the traffic wouldn't match your rule. The NAT is what allows the firewall rule to allow the traffic in.

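                The two points made above, cmb's (a WAN rule for a port forward must have the forward target, not "any", as its destination) and johnpoz's (the NAT translation is what makes the firewall rule match), come down to the order in which pf handles an inbound packet: the port forward rewrites the destination first, and only then is the filter rule evaluated against the rewritten address. The following is an added example, not code from the thread or from pfSense, that models that order for the thread's case: SSH (port 22) forwarded to 10.0.0.107. The WAN address and the client address are constructed placeholders, since the thread does not give them.

```python
# Added example (not code from the thread or from pfSense): a small model of
# how pf processes an inbound WAN packet, first applying the port forward (rdr)
# and only then evaluating the 'pass in' firewall rule against the translated
# destination. It shows why a WAN rule with destination "any" lets a packet
# reach the firewall's own SSH whenever the port forward is not in effect,
# while a rule whose destination is the forward target is simply not matched,
# so the packet is blocked and logged as a hit on the WAN address.
from dataclasses import dataclass, replace

WAN_ADDR = "203.0.113.10"   # constructed placeholder; the thread does not give the WAN address
NAS_ADDR = "10.0.0.107"     # forward target named in the thread
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """A NAT port forward: traffic to wan_addr:port is rewritten to target:port."""
    wan_addr: str
    port: int
    target: str


@dataclass(frozen=True)
class PassRule:
    """A WAN 'pass in' rule. dst == "any" matches every destination address."""
    dst: str
    dport: int


def apply_port_forward(pkt: Packet, forwards: list[PortForward]) -> Packet:
    """pf translates the destination before the filter rules are consulted."""
    for fwd in forwards:
        if pkt.dst == fwd.wan_addr and pkt.dport == fwd.port:
            return replace(pkt, dst=fwd.target)
    return pkt


def filter_allows(pkt: Packet, rules: list[PassRule]) -> bool:
    """Any matching pass rule admits the packet; no match means the default deny applies."""
    return any(r.dport == pkt.dport and r.dst in ("any", pkt.dst) for r in rules)


def deliver(pkt: Packet, forwards: list[PortForward], rules: list[PassRule]) -> str:
    """Where an inbound WAN packet ends up: the target host, the firewall itself, or blocked."""
    translated = apply_port_forward(pkt, forwards)
    if not filter_allows(translated, rules):
        return "blocked"
    # An untranslated packet still addressed to the WAN IP is handled by the firewall host.
    return "pfsense-host" if translated.dst == WAN_ADDR else translated.dst


def overly_broad_rules(rules: list[PassRule]) -> list[PassRule]:
    """Flag WAN rules whose destination is 'any': they also admit traffic to the firewall itself."""
    return [r for r in rules if r.dst == "any"]


SSH_FORWARD = [PortForward(WAN_ADDR, SSH_PORT, NAS_ADDR)]
RULE_ANY = [PassRule("any", SSH_PORT)]          # the "SSH to Nova" rule with destination any
RULE_TARGET = [PassRule(NAS_ADDR, SSH_PORT)]    # the rule with the 10.x destination

if __name__ == "__main__":
    inbound = Packet(src="198.51.100.7", dst=WAN_ADDR, dport=SSH_PORT)  # constructed client
    for label, forwards in (("forward loaded", SSH_FORWARD), ("forward missing", [])):
        for name, rules in (("dst any", RULE_ANY), ("dst 10.0.0.107", RULE_TARGET)):
            print(f"{label:16} {name:15} -> {deliver(inbound, forwards, rules)}")
    print("broad rules:", overly_broad_rules(RULE_ANY + RULE_TARGET))
```

                With the forward loaded, both rules deliver the packet to 10.0.0.107. With the forward missing (the state the thread describes after a reboot), the "any" rule passes the untranslated packet to the firewall's own address, which is the exposed SSH seen in the first post, while the 10.0.0.107 rule does not match and the packet is blocked, which is the firewall-log entry against the WAN address asked about later in the thread. The overly_broad_rules check is the review a defender can run over a rule set to catch the "any" destination before it matters.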
                • pixeltofu

                  Ok, you're right. I will keep them in one topic for future problems. I don't think I can merge them myself.
                  Any idea how I can solve the NAT problem?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.