Netgate Discussion Forum

    Port Forwarding works for some ports, not for others

    5 Posts 3 Posters 4.2k Views
    mckoz

      Normal apologies up front for ignorance.  Anyway, I have about 10 port forwards on a public IP address, and three of them refuse to work.  I'm just switching from Astaro over to pfsense, and I've googled, searched the forum, read the docs and for some reason can't find the answer.  Any help is GREATLY appreciated.  The images show the nat and firewall rules page and have the broken ones marked with red x.

      [attached images: firewall.jpg (firewall rules page), nat.jpg (NAT rules page)]

      GruensFroeschli

        How did you test that they're not working?
        Could it be a firewall on the devices itself?

        I see you enabled logging for the first two rules.
        Anything in the log?
        Have you tried setting the protocol to any? (maybe the wrong protocol in the rule?)

        You could try to capture the traffic behind and before the pfSense with wireshark to see if the traffic actually gets to pfSense and exits on the LAN side.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      mckoz

          How did you test that they're not working?  Could it be a firewall on the devices itself?

          These are the same rules I had on Astaro, and had been working before (made the switch four days ago), and in addition I use them consistently when I'm on the LAN.

          I see you enabled logging for the first two rules. Anything in the log?
          Looks like it blocked the traffic on this one:

          VMware Infrastructure Client uses TCP 902 and the firewall sees it as: 
          Act        Time          If          Source                  Destination          Proto
          Sep 25    15:28:14  WAN  72.10.29.47:32893  66.15.106.172:443  TCP

          Have you tried setting the protocol to any? (maybe the wrong protocol in the rule?)  Yes, once.

          You could try to capture the traffic behind and before the pfSense with wireshark to see if the traffic actually gets to pfSense and exits on the LAN side.

          I am unfamiliar with wireshark, can you provide a pointer?

          Thank you for your assistance!

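          As an added example (not code from any poster in this thread), a small checker that reads blocked-traffic rows in the format of the log excerpt quoted above and compares each destination port with the port forwards you believe exist. A block on a port with no forward, like the 443 row above when the rule was written for 902, is the kind of mismatch worth looking for. The sample rows and the forward table are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample rows in the layout of the firewall-log table quoted above.
# Fields: Mon Day Time Iface Src:port Dst:port Proto (the "Act" icon column is empty).
SAMPLE_LOG = """\
Sep 25 15:28:14 WAN 72.10.29.47:32893 66.15.106.172:443 TCP
Sep 25 15:28:20 WAN 72.10.29.47:32894 66.15.106.172:902 TCP
Sep 25 15:29:02 WAN 203.0.113.9:51000 66.15.106.172:3389 TCP
Sep 25 15:29:10 LAN 192.168.1.10:44000 192.168.1.1:53 UDP
"""

# Assumed port-forward table (protocol, WAN port) -> internal host. Not the poster's real table.
FORWARDS = {
    ("TCP", 902): "192.168.1.10",
    ("TCP", 3389): "192.168.1.20",
}

LogEntry = namedtuple("LogEntry", "time iface src sport dst dport proto")

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

def parse_line(line):
    """Parse one table row; return None for anything that is not a log row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(f"{m['mon']} {m['day']} {m['time']}", m["iface"],
                    m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                    m["proto"].upper())

def classify(entries, forwards):
    """Split blocked WAN hits by whether a forward exists for that proto/port.
    'unforwarded': the client is using a port the rule does not cover.
    'forwarded': a rule exists, so look at rule order, protocol, or the host's own firewall."""
    result = {"unforwarded": [], "forwarded": []}
    for e in entries:
        if e.iface != "WAN":          # only inbound-on-WAN blocks matter for a port forward
            continue
        bucket = "forwarded" if (e.proto, e.dport) in forwards else "unforwarded"
        result[bucket].append(e)
    return result

def report(text, forwards=FORWARDS):
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return classify(entries, forwards)
```

Paste the rows from the firewall log page in place of SAMPLE_LOG and put your actual NAT table in FORWARDS; the "unforwarded" bucket lists the ports a client is really using that no rule covers.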
            psylo

            @mckoz:

            You could try to capture the traffic behind and before the pfSense with wireshark to see if the traffic actually gets to pfSense and exits on the LAN side.

            I am unfamiliar with wireshark, can you provide a pointer?

            Thank you for your assistance!

            Well… What you can do is:

            1. use the command tcpdump in an SSH console (in the "real" console - You can find the manpage on the Web). Then you get back the trace if you choose to save them in a file with an SFTP client (winscp for example) and you take a look at them... It's the toughest way...
            2. Now the easiest way. You can plug a hub in front of the pfsense and plug your laptop on it. Then launch Wireshark... After this, plug the hub between the pfSense and the LAN and use Wireshark...

            Step 1: WAN --- HUB --- pfSense --- LAN --- SRV
                             |
                          LAPTOP

            Step 2: WAN --- pfSense --- HUB --- LAN --- SRV
                                         |
                                      LAPTOP

            Hope this helps.

              mckoz

              Thank you for the layout, in the meantime:

              Figured it out, evidently VMware infrastructure WON'T work on a NAT'd port forward!  So in order to make it work I either have to build a VPN, or give up an external IP (yuck!), unless someone has a bright idea.

              mckoz

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.