Incoming WAN traffic not reaching LAN host



  • I have a pfsense with WAN and LAN. Everything is working fine except for one thing.

    Incoming traffic to my WAN reaches my pfSense (I see this in the logs, the traffic is passing) but never reaches my LAN host. I've configured all things necessary to make this work; in fact this same connection IS WORKING when it runs through the 5060 UDP port, but other ports never reach my LAN host.
    I have all the rules and NAT configured OK.
    In my System Logs –> Firewall option I see entries like this:
    @104 pass in log quick on xl0 reply-to (xl0 WAN GW IP) inet proto udp from INTERNET IP to LAN HOST IP keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"

    so I verify that the traffic is allowed, BUT IT NEVER REACHES MY LAN HOST.

    I've checked this by capturing traffic on my LAN host and seeing that traffic is coming in only on the 5060 UDP port.

    Any ideas?

    Thanks in advance and sorry for my english.


  • LAYER 8 Netgate

    If it was configured correctly it would be working.

    Screenshots of the port forwards and associated firewall rules would probably be best.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • @Derelict:

    If it was configured correctly it would be working.

    Screenshots of the port forwards and associated firewall rules would probably be best.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Thanks for the response.

    I understand what you say, but my point is that the same connection on port 5060 UDP IS WORKING OK, and I don't have a specific rule for that, so I don't understand why the packets on the other ports are not reaching my internal LAN host.

    I've made a few more tests. I made a packet capture on the WAN interface of pfSense, and everything seems to be OK there; I can see the packets going to my LAN host.
    But when I capture packets on the LAN interface of pfSense, I'm not seeing the packets anymore (I only see packets on port 5060, which are reaching my LAN host OK, which is odd).

    It's like packets "inside" pfSense are going nowhere, instead of coming in on the WAN interface and being redirected through the LAN interface to my LAN host. The strange thing is that all this IS WORKING WITH PORT 5060 but not with the rest.


  • LAYER 8 Netgate

    If you're not going to post screen shots there is nothing more to do here. Good luck.



  • @Derelict:

    If you're not going to post screen shots there is nothing more to do here. Good luck.

    Here are the screen shots of the relevant parts. If you need another one just tell me.
    IPLAN is my WAN interface.
    IPLAN address = xxx.xxx.29.145; this is my WAN public IP address.
    xxx.xxx.6.162 is a public IP where the traffic is generated. I must accept all traffic coming from this IP.
    172.18.xxx.xxx is the IP of my LAN host, where only the 5060 UDP packets are going.

    I added a screenshot of the system logs; there you can see traffic on port 5060 UDP that IS REACHING 172.18.xxx.xxx OK, and also you can see traffic on port 50176 (this port is dynamic, so I allowed all ports from 1 to 65k as you can see in the other screenshot) that is NOT REACHING 172.18.xxx.xxx.

    ![port forward.jpg](/public/imported_attachments/1/port forward.jpg)

    ![system log.jpg](/public/imported_attachments/1/system log.jpg)


  • LAYER 8 Netgate

    If you insist that the traffic is not reaching that host, show a packet capture, not a firewall log.

    That is a pretty convoluted way to forward ports. Why don't you just 1:1 NAT instead?

    What version of pfSense is that?



  • @Derelict:

    If you insist that the traffic is not reaching that host, show a packet capture, not a firewall log.

    That is a pretty convoluted way to forward ports. Why don't you just 1:1 NAT instead?

    What version of pfSense is that?

    What do you want to see in the packet capture? I'll try to do another one, but trust me, the traffic is not reaching the host; otherwise I wouldn't be here posting this problem.

    I think 1:1 NAT wouldn't work because I have only 1 public WAN IP and I have to use it for multiple other things.

    pfSense 2.1.4-RELEASE version.


  • LAYER 8 Netgate

    pfSense 2.1.4-RELEASE version.

    OK I am done here. You really should upgrade. That is years old.



  • @Derelict:

    pfSense 2.1.4-RELEASE version.

    OK I am done here. You really should upgrade. That is years old.

    Ok man, thanks.

    That is really your way of helping people out here in the pfSense forums??? So strange…

    You can close the thread.

    Thanks for nothing.



  • @mlaurito:

    … in fact this same connection IS WORKING when it runs through the 5060 UDP port, but other ports never reach my LAN host.
    I have all the rules and NAT configured OK.

    I would guess that you have a SIP device registered to some external server that is maintaining that port open.
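The last reply points at the mechanism behind the symptom: an outbound SIP registration creates a firewall state, so replies on UDP 5060 are let back in without any port forward, while other ports depend on the rdr (port forward) actually rewriting the destination before the filter rule is evaluated. The toy model below is an added example written for this thread, not pfSense or pf code; it uses constructed documentation addresses in place of the masked ones and a single "allow everything from the peer" rule like the poster's, and shows why a "pass" entry in the firewall log is not proof that a packet ever left via the LAN interface.

```python
from dataclasses import dataclass

# Constructed addresses standing in for the masked ones in the thread (not real values).
WAN_IP = "203.0.113.145"     # stands in for xxx.xxx.29.145 (pfSense WAN address)
LAN_HOST = "172.18.0.10"     # stands in for 172.18.xxx.xxx (the LAN host)
PEER = "198.51.100.162"      # stands in for xxx.xxx.6.162 (the remote SIP peer)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class ToyPf:
    """Simplified pf packet path for UDP: state lookup -> rdr -> filter rule -> delivery."""
    def __init__(self, rdr_ports=()):
        self.rdr_ports = rdr_ports   # UDP destination ports forwarded to LAN_HOST
        self.states = {}             # (src, sport, dst, dport) as seen on WAN -> LAN endpoint
        self.log = []                # what the GUI firewall log would display

    def outbound(self, p):
        """LAN host sends a packet out (e.g. a SIP REGISTER). Outbound NAT rewrites the
        source to WAN_IP, keeps the source port, and records a state for the reply."""
        self.states[(p.dst, p.dport, WAN_IP, p.sport)] = (p.src, p.sport)

    def inbound(self, p):
        """Packet arriving on WAN. Returns the packet as it would appear on LAN, or None."""
        lan = self.states.get((p.src, p.sport, p.dst, p.dport))
        if lan:  # existing state: neither the port forward nor any rule is consulted
            return Pkt(p.src, p.sport, lan[0], lan[1])
        if p.dport in self.rdr_ports:  # rdr rewrites the destination before filtering
            p = Pkt(p.src, p.sport, LAN_HOST, p.dport)
        if p.src == PEER:  # the poster's "accept all traffic from this IP" rule
            self.log.append(f"pass in on WAN from {p.src} to {p.dst}:{p.dport}")
            if p.dst != LAN_HOST:
                return None  # still addressed to the firewall itself: never seen on LAN
            self.states[(p.src, p.sport, p.dst, p.dport)] = (LAN_HOST, p.dport)
            return p
        self.log.append(f"block in on WAN from {p.src} to {p.dst}:{p.dport}")
        return None

def scenario(rdr_ports=()):
    """Replay the thread: SIP reply on 5060 versus an inbound packet on dynamic port 50176."""
    pf = ToyPf(rdr_ports)
    pf.outbound(Pkt(LAN_HOST, 5060, PEER, 5060))          # registration keeps a state open
    sip = pf.inbound(Pkt(PEER, 5060, WAN_IP, 5060))       # reply matches the state
    media = pf.inbound(Pkt(PEER, 50176, WAN_IP, 50176))   # needs a working rdr to reach LAN
    return sip, media, pf.log
```

With `scenario()` (no effective port forward) the 5060 packet still reaches the LAN host while the 50176 packet is logged as passed yet never appears on LAN; with `scenario(range(1, 65536))` both are delivered, which is the difference a capture on the LAN interface, rather than the firewall log, would reveal.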

