Help creating NAT and Firewall Rule



  • I have a device on my network with a static IP of 192.168.1.8. I have an external service that needs to access this device, according to the company, on UDP port 5065. The service is an alarm monitoring company called Nextalarm (https://nextalarm.com). The device keeps going on and offline, according to their logs.

    Here is what they say to do to fix this problem:

    Important note: If your ABN adapter is going on and offline frequently, then your firewall may be preventing us from polling it correctly. To fix this problem, forward port 5065 UDP to the ABN adapter. This is done using your router's configuration software or web page, and your router manufacturer may be able to assist you with the specific procedure. Once the port is forwarded correctly, polling will be restored, and will not be lost again unless your Internet connection goes down.

    I have tried creating a port forward and the associated firewall rule for UDP 5065, but the service is still not working correctly. The service works fine if I remove pfSense from the setup, so I know it is a pfSense setup issue.

    Oddly, I'm seeing lots of these in my logs:

    509485 rule 62/0(match): block in on vr1: 69.20.62.123.5060 > [my ip address].[seeming random port number that changes at random intervals]: SIP, length: 493.

    So, it appears they're trying to come in on port 5060, rather than on 5065 as they say, and they're accessing some other random port. Am I reading this correctly?

    If so, how can I create the NAT and firewall rule so that the firewall will pass UDP traffic from that IP address to 192.168.1.8?

    Also, what I notice is that periodically, everything will work fine. That message above will not appear in the pfSense logs, and if I check my alarm service's logs, they can connect just fine. Some setting on the firewall causes a disruption, but I don't know enough about firewalls and pfSense to figure out the issue.
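    To read the log line above systematically rather than by eye, here is an added example (not from the original post or from pfSense) that parses the pf filter-log format quoted in the thread and summarizes which destination ports a given remote source keeps hitting. The sample lines are constructed: 203.0.113.10 stands in for the poster's redacted WAN address, and the varying destination ports are made up to mirror the "random port number" the poster describes; the rule number and the remote address come from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the pf log line quoted in the post.
# 203.0.113.10 is a placeholder for the poster's redacted WAN address.
SAMPLE_LOG = """\
509485 rule 62/0(match): block in on vr1: 69.20.62.123.5060 > 203.0.113.10.51234: SIP, length: 493.
509486 rule 62/0(match): block in on vr1: 69.20.62.123.5060 > 203.0.113.10.60817: SIP, length: 493.
509487 rule 62/0(match): block in on vr1: 69.20.62.123.5060 > 203.0.113.10.51234: SIP, length: 493.
509488 rule 62/0(match): block in on vr1: 69.20.62.123.5060 > 203.0.113.10.44102: SIP, length: 493.
509489 rule 7/0(match): pass in on vr1: 69.20.62.123.5060 > 203.0.113.10.5065: SIP, length: 493.
"""

# One pf filter-log line: "<seq> rule <n>/<sub>(<reason>): <action> <dir> on <iface>:
# <src>.<sport> > <dst>.<dport>: <proto>, length: <len>"
LINE_RE = re.compile(
    r"^(?P<seq>\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>\w+), length: (?P<length>\d+)\.?$"
)


@dataclass(frozen=True)
class LogEntry:
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        rule=int(m["rule"]), action=m["action"], direction=m["dir"],
        iface=m["iface"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"],
        length=int(m["length"]),
    )


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def blocked_port_summary(entries: List[LogEntry]) -> Dict[Tuple[str, int], List[int]]:
    """Map (remote address, remote port) -> sorted distinct local ports that were blocked inbound."""
    summary = defaultdict(set)
    for e in entries:
        if e.action == "block" and e.direction == "in":
            summary[(e.src, e.sport)].add(e.dport)
    return {key: sorted(ports) for key, ports in summary.items()}


def ports_outside_forward(summary: Dict[Tuple[str, int], List[int]],
                          forwarded_port: int) -> Dict[Tuple[str, int], List[int]]:
    """Remote peers whose blocked packets land on local ports other than the one we forward.

    A peer that always sends from one fixed port but is blocked on several
    different local ports is the pattern the thread attributes to outbound NAT
    rewriting the device's source port (hence the static-port suggestion).
    """
    return {
        key: [p for p in ports if p != forwarded_port]
        for key, ports in summary.items()
        if any(p != forwarded_port for p in ports)
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    summary = blocked_port_summary(entries)
    for (src, sport), ports in ports_outside_forward(summary, 5065).items():
        print(f"{src}:{sport} blocked on local ports {ports}, none of which is the forwarded 5065")
```

    Run against a real filter log, the summary shows at a glance whether the remote always originates from one port (5060 here) while the blocked local port keeps changing, which is what the poster observed.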



  • I have similar problems with pfSense firewalling. I try pretty close to everything I can imagine and still the firewall seems to work intermittently. When I say work I mean, it either allows ports to be opened at times, and other times it simply doesn't. I have seen and read this idea more than a few times around these forums but there doesn't really seem to be a solution. My only thought is that perhaps it has something to do with the hardware an individual is using. I have had to format my box's hard drive a few times and start from scratch to figure out what this 'watchdog' error was. I eventually think that I realized it had to do with packages that force an adapter into promiscuous mode. What is even more odd about that though is the packages I install that might use this very idea don't work for a while, like a day or two. Then suddenly for no logical reason I can imagine the card just kicks into promiscuous mode, it works for a minute or so and then either I cannot use it at all or the box locks hard. So my only guess for all of these things is some sort of compatibility issue with hardware. I am using a network adapter with a Realtek chipset, and another adapter that is integrated that I am pretty certain is an Intel chipset. The fxp0 Intel port never seems to give me problems but the Rosewill Realtek chipset port seems to often give me problems. I am running pfSense on a 2.8 GHz P4 PC with 2 gigs of Corsair low latency (CL2) non-ECC RAM and I have almost everything disabled in the BIOS. I read a lot about IRQ issues and such but I don't think that really made a difference in my box. Anyone know of some ultra cheap PCI Intel 10/100 or 10/100/1000 adapters? : )



  • I don't think it has anything to do with the hardware, as I experienced the same problem with another box. I'm running this on a brand new ALIX box. I think I just don't have something set right.



  • I have really messed with it all, any ideas?






  • http://forum.pfsense.org/index.php/topic,7001.0.html

    mloiterman

    If so, how can I create the NAT and firewall rule so that the firewall will pass UDP traffic from that IP address to 192.168.1.8?

    In Firewall -> NAT -> Port Forward
    Protocol UDP
    External port range 5065
    NAT IP 192.168.1.8
    Local port 5065

    Nanafriend
    Maybe you need static port: http://doc.pfsense.org/index.php/Static_Port
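    For readers who want to see the two settings named in this reply (the port forward and static port outbound NAT) side by side, here is an added example written as a hand-edited pf.conf fragment. It is not pfSense's generated ruleset and not the reply author's configuration; the interface name vr1 is taken from the log line earlier in the thread, the LAN subnet 192.168.1.0/24 is assumed from the device's address, and the rule order follows pf's first-match evaluation of translation rules.

```pf
# Added illustration, not pfSense's generated rules.
ext_if = "vr1"             # WAN interface, from the log line in the thread
abn_adapter = "192.168.1.8"

# Outbound NAT for the ABN adapter with static-port: the adapter's own UDP
# source port is kept instead of being rewritten to a random high port, so the
# remote poller's replies come back to a port the forward below actually covers.
# Translation rules are first-match, so this specific line precedes the general one.
nat on $ext_if proto udp from $abn_adapter to any -> ($ext_if) static-port

# Ordinary outbound NAT for the rest of the LAN (assumed subnet).
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)

# Port forward: inbound UDP 5065 on the WAN address goes to the adapter.
rdr on $ext_if proto udp from any to ($ext_if) port 5065 -> $abn_adapter port 5065

# Firewall rule for the forwarded traffic. rdr rewrites the destination before
# filtering, so the rule matches on the internal address and only on port 5065,
# rather than opening every UDP port on the device.
pass in quick on $ext_if proto udp from any to $abn_adapter port 5065 keep state
```

    The point of combining the two is that the forward alone only helps while the device's traffic leaves on the expected port; with static-port the single forwarded port is enough, and there is no need to expose every UDP port of the device as the follow-up question in this thread considers.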



  • In Firewall -> NAT -> Port Forward
    Protocol UDP
    External port range 5065
    NAT IP 192.168.1.8
    Local port 5065

    I've tried that and it's still being blocked. The issue I'm having is that the port they use seems to change randomly. Is there a way to forward to any local port on a specific internal IP address?



  • Maybe you need static port: http://doc.pfsense.org/index.php/Static_Port

    I know this wasn't directed at me, but this solved my problem. Thanks.



  • Nanafriend,

    I believe what you are missing is a Virtual IP assigned to your WAN interface. You then use that IP as the source for the port forwarding, not "any".
