NAT 22 SYN_SENT:CLOSED



  • Dear all,
    sorry for my bad English. I have a problem (SYN_SENT:CLOSED) with a simple port forward. My pfSense has different IP classes on the WAN interface (192.168.1.15) and the LAN interface (172.22.41.189); LAN is bridged with WAN. My WAN is connected to the internet through a DSL modem (public IP).

    I want to access a Linux PC (SSH protocol), connected to the LAN with IP 172.22.41.2, through the public IP from a remote PC, but it does not work (SYN_SENT:CLOSED).  ???

    Please note that the reverse connection (SSH from 172.22.41.2 to the remote PC) works perfectly.  :)

    I enabled port forwarding, firewall rules and NAT reflection for port range < 500.

    I put some screenshots below.

    Can you help me?

    Very, very many thanks in advance!



  • Hi,

    I first recommend running tcpdump on 172.22.41.2 and confirming that port 22 traffic is being received. If you don't see any port 22 traffic, then go back to 172.22.41.189 and do the same to confirm port 22 is being forwarded. Basically "SYN_SENT:CLOSED" means "I have sent a SYN but nobody responds to me, so I close the session", so either something might be dropping the return packet from 172.22.41.2, or 172.22.41.2 is not configured to serve SSH ;D

    Ah, by the way, you don't need TCP/UDP; just TCP is fine for your forwarding config. The same config works fine on my box, the latest 1.3-AA.

    cheers,

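The reply above describes a three-point capture (on the target host, then on the pfSense LAN side) and explains SYN_SENT:CLOSED as "SYN went out, nothing came back". The script below is an added example, not code from this thread or from pfSense: it parses the default tcpdump text output for TCP and reports the first hop at which the forwarded handshake dies, including the case the thread's explanation implies but does not spell out, where the host does answer but its SYN-ACK never passes back through pfSense (for example because the host's default route does not point at the pfSense LAN address). All capture text is constructed; the remote client address 203.0.113.7 and the LAN-side capture contents are assumptions, the firewall and host addresses are the thread's.

```python
"""
Added diagnostic example (not from the thread or pfSense): classify where an
inbound port forward to TCP/22 stops, from tcpdump captures taken at the
WAN side, the LAN side and the target host.  Run on each box with e.g.
    tcpdump -nn -i <iface> 'tcp port 22'
and paste the lines into the three capture strings.
"""
import re
from dataclasses import dataclass

# Default tcpdump TCP line, e.g.
#   12:00:01.000001 IP 203.0.113.7.51234 > 192.168.1.15.22: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump flag string: "S" = SYN, "S." = SYN-ACK, "R." = RST-ACK


def parse(capture: str):
    """Parse tcpdump text lines; lines that are not TCP summaries are ignored."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return out


def syn_to(pkts, dst, port):
    return any(p.dst == dst and p.dport == port and p.flags == "S" for p in pkts)


def synack_from(pkts, src, port):
    return any(p.src == src and p.sport == port and p.flags == "S." for p in pkts)


def diagnose(wan_cap, lan_cap, host_cap, wan_ip, host_ip, port=22):
    """Return (stage, explanation); stage names the first hop where the handshake dies."""
    wan, lan, host = parse(wan_cap), parse(lan_cap), parse(host_cap)
    if not syn_to(wan, wan_ip, port):
        return ("wan", "no SYN for port %d arrives on %s: the DSL modem is not forwarding "
                       "the port, or the client never reached the public IP" % (port, wan_ip))
    if not syn_to(lan, host_ip, port):
        return ("nat", "SYN seen on WAN but never sent on towards %s: the port-forward rule "
                       "or its WAN firewall rule is not matching" % host_ip)
    if not syn_to(host, host_ip, port):
        return ("path", "pfSense forwarded the SYN but the host never saw it: the L2/bridge "
                        "path or a host firewall drops it")
    if not synack_from(host, host_ip, port):
        return ("listener", "SYN reached the host but it sent no SYN-ACK: nothing listening "
                            "on port %d, or the host firewall rejects it" % port)
    if not synack_from(lan, host_ip, port):
        return ("return", "the host answered, but its SYN-ACK did not pass pfSense: the host's "
                          "default route must point at the pfSense LAN address, otherwise the "
                          "state stays SYN_SENT:CLOSED")
    return ("ok", "handshake completes through pfSense")


# Constructed captures modelled on the thread: SYN visible on WAN, forwarded on
# LAN (assumed), nothing on the host, as the original poster reported.
WAN_IP, HOST_IP = "192.168.1.15", "172.22.41.2"  # thread addresses
WAN_CAP = """
12:00:01.000001 IP 203.0.113.7.51234 > 192.168.1.15.22: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.7.51234 > 192.168.1.15.22: Flags [S], seq 1, win 64240, length 0
"""
LAN_CAP = """
12:00:01.000100 IP 203.0.113.7.51234 > 172.22.41.2.22: Flags [S], seq 1, win 64240, length 0
"""
HOST_CAP = ""  # host-side tcpdump shows nothing
# Constructed healthy case: host answers and the SYN-ACK is seen again on the LAN side.
SYNACK = "12:00:01.000300 IP 172.22.41.2.22 > 203.0.113.7.51234: Flags [S.], seq 100, ack 2, win 65160, length 0\n"
HOST_CAP_OK = LAN_CAP + SYNACK
LAN_CAP_OK = LAN_CAP + SYNACK

if __name__ == "__main__":
    print("thread case:", diagnose(WAN_CAP, LAN_CAP, HOST_CAP, WAN_IP, HOST_IP))
    print("working case:", diagnose(WAN_CAP, LAN_CAP_OK, HOST_CAP_OK, WAN_IP, HOST_IP))
```

The order of the checks is the point: each stage only makes sense once the previous one has passed, so a capture that lacks the SYN at the WAN side should stop you before you touch any NAT or VIP settings. Taking the host capture on 172.22.41.2 with the same filter also shows whether the reply leaves through the right interface; if it does but never appears on the pfSense LAN side, the route back is the problem, not the forward.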


  • Thanks for your reply!
    I used tcpdump on 172.22.41.2 but do not see any input from pfSense or from remote hosts. I tested SSH LAN to LAN and this works correctly on 172.22.41.2…

    Is the configuration shown correct in your opinion? For example: must the virtual IP be set on the LAN or the WAN interface?

    Could the LAN IP (172.22.41.189) being higher than the PC IP (172.22.41.2) create problems?

    Could the different IP classes of WAN (192.168.1.15) and LAN (172.22.41.189) be a problem?

    I am becoming stupid...  ???



  • Hi,

    Ooops, I didn't see it… so why is a VIP configured? I mean, it is completely normal for the WAN/LAN addresses to be in different network ranges. I'm not using a VIP so I may be wrong, but first back up the current config, then can you delete the VIP config and set all the rules back to default, then add the port forwarding only, to see whether the packets are flowing between pfSense and your Linux box (172.22.41.2?).

    Turn your box back to factory default, and check one by one, one at a time. That's all I can say for now.

    cheers,

