[Solved] pfSense on Proxmox: Port Forwarding (Checksum) Problems
-
I set up pfSense on Proxmox following this guide: https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox
Everything (including VLANs) is working fine except port forwarding.
I already had hardware checksumming disabled on pfSense as explained in the guide. Then I wanted to forward a port to a webserver running as a VM but can't get this to work. I already spent like two full days on this and am starting to lose my mind. %P
Inspecting firewall logs and also packet captures shows that packets hitting my WAN on its public address are forwarded to the desired machine as expected. The machine receives the packet and answers back to the LAN interface. But it never reaches my WAN to go outside. I'm testing this on my cell phone from an outside network BTW.
Further inspection of the captured packets with Wireshark shows that there is something wrong with the checksums, which leads me to threads saying that I also have to disable hardware checksum offloading on the Proxmox side. Which I did using
```
ethtool -K <interface> tx off
```
Questions: Do I have to do ethtool -K <interface> tx off only on the LAN _bridge_ assigned to pfSense or also on the real interface the bridge is defined on? Is it enough to do this on the LAN interface or also on the WAN or on all interfaces within that host machine? Tested some combinations but no luck.. And: Do I also have to switch off hardware offloading for rx and maybe other stuff?
Also tested port forwarding to a real physical machine inside my network but got the same results. Tested different ports also.
BTW: I have set up OpenVPN and this worked flawlessly from the beginning. But OpenVPN is using UDP not TCP. Is this the reason this forward works?
Can someone please help me with further investigation or already has an idea what's going wrong? I'm running out of ideas and starting to become really frustrated. :/ Thanks so much!!
-
As far as I understand, if you configure OpenVPN on pfSense, there is no port forwarding at all.
I think, if the pfSense GUI and Internet can be accessed from the physical LAN, the problems with port forwarding can be caused not only by the checksums.
Do you see outgoing forwarded packets from LAN hosts on WAN?
I had problems similar to yours, as I did not have correct routing + outgoing NAT configuration. It can also be something wrong with the Virtual IPs configuration. Or are you forwarding the firewall ports?
Questions: Do I have to do ethtool -K <interface> tx off only on the LAN bridge assigned to pfSense or also on the real interface the bridge is defined on? Is it enough to do this on the LAN interface or also on the WAN or on all interfaces within that host machine? Tested some combinations but no luck.. And: Do I also have to switch off hardware offloading for rx and maybe other stuff?
For test purposes I would disable checksum offloading on all possible physical/virtual NICs.
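Before changing settings on every NIC, it helps to see which interfaces on the Proxmox host still have checksum or segmentation offloads enabled. The script below is an added example, not part of any post in this thread: the function names `offloads_on` and `audit_host` are hypothetical, the sample `ethtool -k` output is constructed, and it assumes `ethtool` is installed on the host.

```shell
#!/bin/sh
# Added example: report offloads still enabled on each host interface
# (bridges, physical NICs and tap devices alike).

# Read `ethtool -k <interface>` output on stdin and print, on one line,
# the checked offload features whose state is "on".
offloads_on() {
    awk -F': *' '
        /^(rx|tx)-checksumming:/ ||
        /^tcp-segmentation-offload:/ ||
        /^generic-(segmentation|receive)-offload:/ {
            split($2, v, " ")              # drop markers such as "[fixed]"
            if (v[1] == "on") out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# Walk every interface known to the kernel except loopback.
audit_host() {
    for path in /sys/class/net/*; do
        ifc=${path##*/}
        if [ "$ifc" = "lo" ]; then continue; fi
        state=$(ethtool -k "$ifc" 2>/dev/null | offloads_on)
        printf '%-14s %s\n' "$ifc" "${state:-no checked offloads enabled}"
    done
}

# Constructed sample of `ethtool -k` output for a bridge (not real data).
SAMPLE_ETHTOOL_K='Features for vmbr1:
rx-checksumming: on
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off [requested on]
generic-receive-offload: on'

# Run the audit only when asked: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_host
fi
```

An interface listed with `tx-checksumming` after `ethtool -K <interface> tx off` was run on it indicates the setting did not persist, for example after a reboot or bridge restart.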
-
I had problems similar to yours, as I did not have correct routing + outgoing NAT configuration. It can also be something wrong with the Virtual IPs configuration. Or are you forwarding the firewall ports?
Thank you for your answer and sorry for the delayed reply. I was on vacation…
I solved the problem by reinstalling pfSense from scratch. I guess something was wrong with my VLAN config and stuff because I experimented a lot with different setups and so on, plus I started with a double NAT setup and then made the switch to connecting directly through a modem to the internet. So port forwarding is now working as expected. :-)
For test purposes I would disable checksum offloading on all possible physical/virtual NICs.
Don't have to do this since I reinstalled pfSense. I'm not touching the Proxmox network settings manually anymore.. ;-)
Thanks for your help!!