Default Deny rule getting in the way



  • Ok, so I've done a fair amount of googling on this issue, but what's come up hasn't been quite with the same issue in mind.  I'm a bit stumped at this point.  The situation is that one of my clients needed a firewall between a Cisco router (non-ASA) and the rest of their network.  It's a very long story and even the TL;DR would be TL.  It works fine for all outbound traffic, but they need only 1 port forwarded for VPN, and no matter what I do to the NAT/rule it refuses to allow the connection through.

    NAT Entry in question
    WAN TCP * * * vDB Ports Wechemvdb vDB Ports

    And the associated rule it creates:

    0 /0 B
    IPv4 TCP * * Wechemvdb vDB Ports * none NAT

    I have also tried setting the NAT entry to Pass instead of Rule but that didn't fix it either.

    Because the WAN interface has a private IP between the router and pfSense, I have disabled "Block private networks" in the WAN settings.

    FYI the aliases are set up just for readability's sake.  The port alias contains TCP 1723 and 3391, RDP being for testing purposes.

    The Logs show this:
    May 11 17:49:53 WAN 10.0.0.254:11991 10.0.0.1:3389 TCP:S

    It is showing this error in the log:
    @5/1000000103 block drop in log inet all label "Default deny rule IPv4"

    10.0.0.1 is the WAN interface IP and 10.0.0.254 is the router/my laptop during testing.

    I am no stranger to setting up firewall NAT/rules, so the difficulty I've had with this is staggering.  From what I see I'm setting this up wrong, but I've set it up like I have any other firewall/NAT rules in the past.
    Allow TCP 1723/3391 from any source through the firewall.  Translate TCP 1723/3391 traffic from any source to <server ip address> using TCP 1723/3391 ports on <server>.  This isn't anything complicated or odd, but it's still kicking it back as if that's wrong.

    Any help or insight would be provided

    Thanks in advance


  • LAYER 8 Global Moderator

    "The Logs show this:
    May 11 17:49:53  WAN  10.0.0.254:11991  10.0.0.1:3389  TCP:S"

    "The port Alias contains TCP 1723 and 3391"

    You're not hitting the port you're wanting to use.. your block is to 3389, but your forward is for 1723 and 3391.



  • Yeah, sorry, that's a mistype; the rules are for RDP port 3389… I don't know where 3391 came from.  This issue occurred as well with the PPTP port when it was selected from the list rather than typing in the number directly.


  • LAYER 8 Global Moderator

    Why would anyone be running PPTP??  It has been deprecated for years!!  It has not been secure for some 5 years.  pfSense finally even removed the PPTP VPN server.. Nobody anywhere should be running PPTP still.

    As to RDP - this is just a BAD idea to allow from the internet.  It should be done via a VPN connection.  But if you really want to forward to something, then do so - forwarding will happen before the default deny.



  • Ummm…  The default deny is supposed to be the last rule, only run when all previous rules fail.  If you have a valid rule for what you want, you should never hit default deny.  Also, not having a default deny would let pretty much anything through, unless specifically blocked earlier.



  • That's the thing about the default deny rule… it doesn't actually list it.  It's an "implied rule", so I can't move its position one way or the other, so I assume it's always the last on the list.

    As for PPTP, yes, I'm aware of its security status.  There are reasons for it that I don't have to explain to people who aren't providing any useful information.
    As for RDP being open, yes, I am also aware of that as well.  I purposefully close it off wherever possible with my clients, and if you actually took the time to read and comprehend the words I put in front of you, you would have seen this line: "The port Alias contains TCP 1723 and 3391, RDP being for testing purposes."  RDP is open for testing because it's faster to get an obvious fail on RDP than a port scan or VPN handshakes.  Not to mention, of course, the firewall is not in line while this is resolved, simply because they need access with the VPN and the router is handling it admirably until this is resolved.

    And before you go into "oh but not having a firewall is bad": yes, I am aware of that as well; that's why I'm trying to INSTALL pfSense and get it set up for them.  I hope we've gotten the obvious shitposting complaints out of the way and can make with real assistance.


  • LAYER 8 Netgate

    Post your NAT and firewall rule screenshots. It is pretty much impossible to tell if you are posting a port forward or an outbound NAT. If you are port forwarding, it is pretty uncommon for the source address and the dest address to be on what appears to be the same subnet by the time it hits the firewall (NAT should have already occurred and the destination address should be the inside NAT target host address):

    The Logs show this:
    May 11 17:49:53  WAN  10.0.0.254:11991  10.0.0.1:3389  TCP:S

    If you are dealing with all inside traffic, I don't know why you're messing about with NAT at all.

    (The default deny is actually first in the list. It does not have quick set so other rules have the opportunity to pass traffic before it actually takes effect. If you want to see the actual rule set, /tmp/rules.debug is always there.)
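    As an added illustration (not code from this thread, from pfSense, or from pf itself), here is a small Python model of the evaluation order described above: last matching rule wins unless a matching rule is marked quick, so a default deny placed first in the set only decides packets that no later pass rule claims. The rule labels, the forwarded port and the packets are constructed for the example; the mistyped port 3389 from the poster's log is used to show how it lands on the default deny.

```python
# Constructed model of pf rule evaluation (not pfSense's code): rules are
# evaluated top to bottom, the LAST match wins, and a matching "quick" rule
# stops evaluation immediately. The default deny has no quick; the pass rule
# generated for a port forward does.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    label: str
    quick: bool = False
    iface: str = "*"            # "*" matches any interface
    proto: str = "*"
    dport: Optional[int] = None # None matches any destination port

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("*", pkt.iface)
            and rule.proto in ("*", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet's fate."""
    winner: Optional[Rule] = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        winner = rule            # last match so far wins ...
        if rule.quick:           # ... unless it is quick: stop right here
            break
    assert winner is not None, "a catch-all default deny always matches"
    return winner.action, winner.label

# Order modelled on /tmp/rules.debug: default deny first, forward's pass later.
RULES = [
    Rule("block", "Default deny rule IPv4"),                        # no quick
    Rule("pass", "NAT forward to vDB ports", quick=True,
         iface="WAN", proto="tcp", dport=3391),                     # forwarded port
]

def decide(dport: int) -> Tuple[str, str]:
    """Constructed inbound TCP SYN on WAN, like the logged 10.0.0.254 -> 10.0.0.1 hit."""
    return evaluate(RULES, Packet("WAN", "tcp", "10.0.0.254", "10.0.0.1", dport))
```

    decide(3391) is passed by the forward's quick rule; decide(3389) matches only the default deny and is blocked with that label, exactly the log line in the original post.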


  • LAYER 8 Global Moderator

    "people who aren't providing any useful information"

    That would be yourself brah ;)

    Where are your screenshots of your port forward?  And WAN rules… What you're saying is just not possible.. Creating the port forward and then hitting the correct port would not hit the default deny.  So either you didn't hit the port of your forward, like your example with 3891 and 3889..  A typo in your forward - yeah, that would do it..

    As Derelict asks - post up screenshots.



  • Sorry Derelict, I guess I wasn't quite as clear as I thought I was in my OP.  Essentially it's going to be double NAT in the end: Internet > Router > Firewall > Internal, going from the public IP to 10.0.0.1/24 between the router and firewall, then to 192.168.10.1/24 for internal after the firewall.

    Attached are the screens for the forward, NAT, and both Alias pages.

    Had to check to see if I was just missing the deny, but first/last/somewhere in the middle, I guess it doesn't matter much when it's not listed at all.

    Please feel free to mock me a bit more if it was stupidly obvious what I did wrong. I'd expect it, since it's the first time I've ever used the pfSense firewall.



    ![Server Alias.png](/public/imported_attachments/1/Server Alias.png)
    ![Port Alias.png](/public/imported_attachments/1/Port Alias.png)


  • LAYER 8 Global Moderator

    Your first port forward needs a dest of your WAN address.  And what exactly is dest LAN address on your port forward supposed to do??



  • Ah, that was probably changed during the testing I was doing trying to figure out what was going on.  Set the destination to the WAN address.  The LAN address is the server that's handling the RDP/PPTP traffic.

    Attempted a connection with RDP after the change with my laptop connected to the WAN port.  Directed traffic at the WAN address of the pfSense, failure once again.  Nmap scanned the WAN address, no open ports.


  • LAYER 8 Netgate

    Then the destination host:

    Has a default gateway set that is not pfSense
    Has a local firewall preventing the traffic

    Check (really check) everything on this list:

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

