Port is open, but port forwarding is disabled ?
-
Hello,
I have a FTP behind my PFsense (v2.3.5) and everything was working fine until last week
I was able to connect to my FTP with my public IP, with a web browser, or with FilezillaBut since last week, I can't understand why the port forwarding isn't forwarding anymore
I read many diffferents topics about this problem, and as my configuration was working fine since many month, I'm really disappointed !! And maybe a fresh eye will see what's going wrong ?I rebooted my server 3 times yesterday, and nothing new. The big problem is that when everyrules are disabled (or delete), I can see that the port 21, 22, 80, 443 are open (using yougetsignal.com for example with my public IP). But as soon as I create a new port forward (under NAT, with automatic rules for my WAN interface), then theses ports become closed .....
Without any NAT rules :
-
if I use my public IP with numbers on my smartphone, I reach the PFsense logging webpage.
-
if I use my http://ftp.domain.fr I reach the PFsense but with the "Potential DNS Rebind attack) page
So I really don't understand why the router is acting reversally than he sould work ? Just to clarify about the hardware, the FTP is connected directly to the ethernet port on the PFsense. The only thing I know is that the serveur is an old 8 years DELL, but why should he only failed to portforward, because everythings else (open VPN, IPSEC ...) are running fine
Many thanks for your lights...
Simon
-
-
post up your wan rules, your port forwards.
when you use a fqdn ftp.domain.fr and you get back rebind - that normally points to that fqdn resolving to a rfc1918 address.
Post up your actual fqdn your using, its not ftp.domain.fr is it? PM it to me if your worried about posting it public and I will check what it resolves too on the public internet.
As to troubleshooting port forwarding. Read the doc on troubleshooting port forwards - did you validate the traffic is actually hitting pfsense with a packet capture on your wan interface.
Your pfsense is not behind a nat is it, ie your wan IP is actually public and not some rfc1918 address.
-
Pass Linked rule : WAN TCP * * FTP 80 (HTTP) 10.20.20.20 80 (HTTP) NAT FTP=> This is my NAT rules
And here is the WAN rules :
IPv4 TCP * * 10.20.20.20 80 (HTTP) * none NAT FTPI read the docs about troubleshooting port forwarding, but even if I tried many tricks, nothing change
I have some problem to look into "packet capture" because there is many different connexion, and if I use filter I can't see anything hitting my pfsense...but I can access to it with my smartphone, so as I'm not able to use packet capture I stop using it
-
your running ftp control on 80?
You need to list your whole wan rules so can see the order, incase something blocking it above, etc.
Running ftp on 80 would be a HORRIBLE choice.. For starters many isp block that.. 2nd it could conflict with httpd running on your server and even pfsense gui if listening on that, etc. etc..
Why would you not just run on the standard 21 port, and or the standard ports for ftps if running that 990
-
my bad, it may be confused, but the FTP is a Synology, so it can be reach with FTP (port 22, 21 was only for this test, I had to delete the differents NAT rules to find a solution) and HTTPS with a web browser
About my WAN rules, I just put this one on the top of the list, and now FTP works ...that's a big step forward ! But I'm 100% sure that the rules order didn't change since many month, so I guess there is something else...now the "port forward" tool show the rights open ports
I will make some test with HTTPS, because it doesn't work, even if the rules is on the top
-
Ok so everythings is working now ... I simply move 2 or 3 times the rules order, and that's it ...!
Is there any "best practice" about rules order for WAN and for Port Forward ?Thanks for your help John !
-
Your order of rules on wan or lan would always be the order they need to be in to work.
Traffic is evaluated as it enters the interface, first rule to trigger wins no other rules are evaluated.
So yeah your going to allow something it needs to be higher than something that would block it.. Normally on the wan this not a problem since there really is no need for blocks other than the default deny that is implicit and always there just not shown.
But if you create say some block rule with pfblocker or something then yes you need to evaluated your rule order to make sure what you want happen is not going to be blocked..
I personally think its a bad idea to have your nas open to the public.. Yeah I just hit that IP you sent me on https and I get your nas login.. If you need access to your nas or your network I would vpn in.. Your network - glad you got it sorted.
