    Unable to configure NAT forwarding rule correctly

    NAT
analbeard wrote:

      I'm unable to get traffic to NAT correctly through to an internal IP behind my firewall. I've attached a screenshot of the relevant NAT rule and below are the troubleshooting/diagnostic steps I've carried out. I've also been through the port forward troubleshooting page and as far as I'm concerned I've set everything up correctly.

      Testing from a remote location:

```
$ telnet test.domain.com 30000
Trying 86.x.x.x...
telnet: connect to address 86.x.x.x: Connection refused
```

      Packet capture shows inbound traffic:

```
05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0
05:37:43.325328 IP 77.x.x.x.51192 > 86.x.x.x.32401: tcp 0
05:37:43.567784 IP 77.x.x.x.51194 > 86.x.x.x.32401: tcp 0
05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.32401: tcp 0
05:37:56.048889 IP 77.x.x.x.51199 > 86.x.x.x.32401: tcp 0
```

      Firewall logs show it being dropped:

```
Time             Iface  Source           Destination      Proto:flags
Aug 10 05:20:50  WAN    77.x.x.x:51179   86.x.x.x:30000   TCP:SEC
Aug 10 05:20:50  WAN    77.x.x.x:51180   86.x.x.x:30000   TCP:SEC
Aug 10 05:20:56  WAN    77.x.x.x:51178   86.x.x.x:30000   TCP:S
Aug 10 05:20:56  WAN    77.x.x.x:51179   86.x.x.x:30000   TCP:S
```

      The port is open from the firewall:

```
# telnet 10.101.0.30 443
Trying 10.101.0.30...
Connected to 10.101.0.30.
Escape character is '^]'.
```

(Screenshot of the NAT rule attached: 2017-08-10-060550_1920x1080_scrot.jpg)
johnpoz (LAYER 8 Global Moderator) wrote:

        "05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0"

That is not traffic to your 30000 port, which you said you forwarded.

But then you do show drops to 30000, but I cannot tell when you did what, so for all we know you edited the forward? Please post a screenshot of your firewall WAN rules.

analbeard wrote:

          Apologies, you are indeed correct - I had changed the port but pasted the wrong packet capture output. Either way, the traffic is hitting the WAN interface on 30000 and then being dropped.

          I've attached my WAN rules as requested - they're a little messy as I'm fairly new to pfSense, but there aren't too many of them.

          Thanks!


johnpoz (LAYER 8 Global Moderator) wrote:

So is your alias correct? Look in your table to see that it has your IP. But the rule you posted was to the IP, not to the alias.

analbeard wrote:

@johnpoz:

> and there is no firewall rule for 30000 on there, so yeah, it's going to be dropped!!! As it should be.

              OK, so my understanding from the port forwarding docs is that if I create the NAT rule and leave the 'create associated filter rule' box ticked, then that should be sufficient:

              'When adding a port forward, a firewall rule must also be added to allow traffic in to the internal IP address designated by the port forward. There is an option to automatically add this rule when creating a port forward definition, and it is enabled by default.'.

              The auto-added rule is second from bottom.

analbeard wrote:

                Additionally, the rule you can see for 8123 was created exactly the same way and it works perfectly when tested from an external source.

analbeard wrote:

@johnpoz:

> So is your alias correct? Look in your table to see that it has your IP. But the rule you posted was to the IP, not to the alias.

                  The alias definitely points to the correct IP, but just for troubleshooting's sake I changed the NAT rule to use the IP instead of the alias and now it works.  :-\

                  I've attached my alias table.

                  This smells like a bug to me.


analbeard wrote:

                    OK, I've since done some more digging and uncovered what I think is probably the root cause of the issue. I changed the NAT rule to listen externally on 443 as this was my ultimate goal and I could then see traffic being dropped again (all I'd changed is the port). I then manually ran a filter reload and traffic started passing - it seems updating a NAT rule doesn't update the corresponding filter rule. Is this the expected behaviour?

johnpoz (LAYER 8 Global Moderator) wrote:

I have never seen NAT not update the firewall rules or reload the filters. You can look in the log and see the filter reload.

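Both of johnpoz's checks (is the alias table populated, and did the filter reload actually happen) and the finding in the previous posts can be verified against the ruleset pf is running rather than against what the GUI shows. A detail worth knowing when reading the log lines in the first post: pf filters a packet after rdr translation, so a blocked packet that matched a port forward is normally logged with the internal destination, and a block logged against the WAN address and external port means no rdr matched at all. The script below is an added example written for this thread; it is not from the thread, from pfSense or from Netgate. It uses the real pfSense/FreeBSD commands `pfctl -sn`, `pfctl -sr`, `pfctl -t NAME -T show` and `/etc/rc.filter_configure`. The WAN interface name em0, the public address 86.0.0.1 and the alias name WebServer are assumptions (the thread only shows 86.x.x.x), and the pfctl output it ships with is constructed to mimic the state described above: a working 8123 forward and a 30000 -> 443 forward whose rdr is loaded but whose associated pass rule is not. The rdr match assumes the forward target appears in the loaded rule as a literal address; if it appears as a table name instead, check that table with `alias_has_ip`.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: verify a port forward
# against the ruleset pf is running right now.  On the firewall it calls
# pfctl; set PF_NAT / PF_FILTER / PF_TABLE (or call load_sample) to check
# canned output anywhere else.

WAN_IF="${WAN_IF:-em0}"          # assumption: the thread never names the WAN NIC

nat_rules()    { if [ -n "${PF_NAT:-}" ];    then printf '%s\n' "$PF_NAT";    else pfctl -sn; fi; }
filter_rules() { if [ -n "${PF_FILTER:-}" ]; then printf '%s\n' "$PF_FILTER"; else pfctl -sr; fi; }
table_hosts()  { if [ -n "${PF_TABLE:-}" ];  then printf '%s\n' "$PF_TABLE";  else pfctl -t "$1" -T show; fi; }

# find_rdr EXT_PORT INT_IP INT_PORT
# Print the rdr line(s) on $WAN_IF translating WAN:EXT_PORT to INT_IP:INT_PORT.
# Exit 1 when there are none (grep's status passes through).
find_rdr() {
    nat_rules | grep -E "^rdr on $WAN_IF .* port = $1 -> $2 port $3\$"
}

# find_pass INT_IP INT_PORT
# pf filters the packet *after* rdr, so the associated rule must pass traffic
# to the internal address and port, not to the WAN address.
find_pass() {
    filter_rules | grep -E "^pass in .* on $WAN_IF .* to $1 port = $2 "
}

# alias_has_ip ALIAS IP
# pfSense loads a host alias as a pf table of the same name; this is the
# "look in your table" check from the thread.
alias_has_ip() {
    table_hosts "$1" | sed 's/^[[:space:]]*//' | grep -qxF "$2"
}

# check_forward EXT_PORT INT_IP INT_PORT
# 0: rdr and pass rule both loaded.
# 1: no rdr loaded.  Nothing translates the packet, so the log shows a block
#    to WAN_IP:EXT_PORT (as in the first post): the GUI change never reached pf.
# 2: rdr loaded but nothing passes the translated packet to INT_IP:INT_PORT.
check_forward() {
    if ! find_rdr "$1" "$2" "$3" >/dev/null; then
        echo "MISSING rdr: WAN port $1 -> $2:$3 is not in the running ruleset;"
        echo "  reload with /etc/rc.filter_configure and check again"
        return 1
    fi
    if ! find_pass "$2" "$3" >/dev/null; then
        echo "MISSING pass: rdr loaded, but no rule passes traffic to $2:$3 on $WAN_IF"
        return 2
    fi
    echo "OK: rdr and pass rule both loaded for WAN port $1 -> $2:$3"
}

# Constructed pfctl output (not captured from a real box) in the shape pfctl
# prints: a working 8123 forward and a 30000 -> 443 forward with a stale filter.
load_sample() {
    PF_NAT='rdr on em0 inet proto tcp from any to 86.0.0.1 port = 8123 -> 10.101.0.20 port 8123
rdr on em0 inet proto tcp from any to 86.0.0.1 port = 30000 -> 10.101.0.30 port 443'
    PF_FILTER='block drop in log quick on em0 inet from any to any label "Default deny rule IPv4"
pass in quick on em0 reass inet proto tcp from any to 10.101.0.20 port = 8123 flags S/SA keep state label "USER_RULE: NAT 8123"'
    PF_TABLE='   10.101.0.30'
}

case "${1:-}" in
    --demo)
        load_sample
        for spec in "8123 10.101.0.20 8123" "30000 10.101.0.30 443" "443 10.101.0.30 443"; do
            check_forward $spec || :      # keep going so all three outcomes print
        done
        ;;
    "") : ;;                              # no arguments: only define the functions
    *)  check_forward "$1" "$2" "$3" ;;   # live check on the firewall
esac
```

Run `sh check_forward.sh --demo` to see all three outcomes on the constructed data, or `sh check_forward.sh 30000 10.101.0.30 443` on the firewall to test the live ruleset right after saving a NAT change. A "MISSING rdr" result after a GUI edit is the situation in which a manual filter reload got traffic flowing in this thread; a "MISSING pass" result points at the associated filter rule instead of the NAT entry.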
© 2021 Rubicon Communications, LLC