Netgate Discussion Forum

Forwarding and ping from WAN don't work. (SOLVED)

Category: NAT
Tags: forwarding, port, nat, ping, wan
Stefoo, Oct 2, 2018, 9:59 PM (last edited Oct 4, 2018, 10:39 PM)

Hello!

I am trying to port forward. Should be easy, but ...
I have read the forwarding manual and troubleshooting. Also I did watch a few YouTube videos which are the same as the manual. But still nothing works.
I tried Diagnostics Port test and ping, and when I ping my internal network device from WAN all packets are lost (from LAN they are ok). I did make a rule on WAN allowing any ports and any protocols from WAN to the IP of the internal network device. Still no success.

Please, help. I am missing something. This should be working. Maybe there are some settings preventing the rules from working effectively.

Thank you.
KOM, Oct 3, 2018, 1:00 AM

You will have to post what you did to get specific help correcting rules etc.

Remember that pings are not TCP or UDP. They are a specific form of ICMP packets, echo request and reply. If you create a port forward via Firewall - NAT, the rules should be created for you.
Stefoo, Oct 3, 2018, 8:18 AM (last edited Oct 3, 2018, 8:23 AM)

Thanks @KOM.
Yes, I am aware ping is not TCP/UDP. That's why I created a rule with any protocol.
Yes, FW rules related to NAT are created but don't work.

I am trying to port forward to my IP camera's web admin. Here are screenshots of Rules and Diagnostics.

[screenshots]
NogBadTheBad, Oct 3, 2018, 11:16 AM (last edited Oct 3, 2018, 11:30 AM)

What port does your camera use? You have 8011 in the NAT section and 80 in the firewall rules.

Here's what my port forwarding and firewall rule for sftp look like:

[screenshots]

h_sftp is an alias that contains the IPv4 address of the host in my DMZ.

Would you not be better off creating a VPN if you want to access your camera web admin page when away from home, rather than opening up your network to the world?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
Grimson (Banned), replying to NogBadTheBad, Oct 3, 2018, 11:28 AM (last edited Oct 3, 2018, 11:29 AM)

@nogbadthebad said in Forwarding and ping from WAN don't work.:

Would you not be better off creating a VPN if you want to access your camera web admin page when away from home, rather than opening up your network to the world?

Yeah, opening the web interface of an IoT device, like those cameras, to the world is one of the most idiotic things you can do.
johnpoz (Global Moderator), replying to Grimson, Oct 3, 2018, 12:38 PM

@grimson said in Forwarding and ping from WAN don't work.:

opening the web interface of an IoT device, like those cameras, to the world is one of the most idiotic things you can do.

QFT!!

Unless you have been under a rock? Cameras are some of the WORST offenders for lack of security.. Many of them share the same underlying code that is rife with exploitable issues and backdoors..

I personally never in a million years would open up such a device to the public internet at large.. Even if said device was isolated in a DMZ on your network.. The point of someone other than you or trusted people being able to view video in your home/location is just crazy.

https://ipvm.com/reports/security-exploits

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
Stefoo, Oct 3, 2018, 6:24 PM (last edited Oct 3, 2018, 6:25 PM)

Ok, Gents. Thank you for all your opinions.
I was really in doubt about the fields I am filling in, because of dubious labeling. I want to access my internal device that has port 80 on my WAN address at port 8011. The config should follow the same logic, or is it the wrong/opposite way?
FYI, I am opening port 80 on my IPC just for the sake of this config. Afterwards I will open the stream ports and close http.
Also, the VPN thing is too complicated to have for low-technical device owners.
Stefoo, Oct 3, 2018, 6:31 PM (last edited Oct 3, 2018, 6:33 PM)

This is how I understand those fields in the NAT config page:

Destination - the address where traffic comes to
Destination port - the port of the address where traffic comes to
Redirect target IP - the address of the NATed device, aka the IP that matches the Destination address.
Redirect target port - the port of the address of the NATed device, aka the port that matches the Destination port.

@NogBadTheBad Thanks for the SC, but it's using the same ports on both sides. All manuals and guides are doing this, so I could not double check which side is what, if my understanding of the labels is wrong!
johnpoz (Global Moderator), replying to Stefoo, Oct 3, 2018, 7:05 PM (last edited Oct 3, 2018, 7:15 PM)

@stefoo said in Forwarding and ping from WAN don't work.:

Also, the VPN thing is too complicated to have for low-technical device owners.

NONSENSE!!! Plain and simple... Are your users so freaking stupid they cannot click a button?

[screenshot]

If you have users so freaking stupid they cannot click a button to connect to a VPN, then they are too freaking stupid to have the phone in the first place.

It is no different than them connecting to the freaking camera interface.. They just need to click a VPN button first.
Stefoo, Oct 3, 2018, 7:45 PM

@johnpoz
I feel you mate!
Monkeys don't mind one button more, it's me too lazy to set up OpenVPN on their devices now.
But it will come to that at the next stage.
Now I need to figure out just why my port forwarding is not working.

Cheers.
johnpoz (Global Moderator), Oct 3, 2018, 7:51 PM (last edited Oct 3, 2018, 7:54 PM)

Here is what I can tell you - in the 10+ years I have been here, I do not recall ever seeing an issue with port forwarding that was not PEBKAC...

The troubleshooting doc gives you all the info you need to find where your problem is in like 1 minute.

Sniff on the WAN - does the traffic get there? Sniff on the interface on your LAN side you're wanting to send it out of - does it get sent? Do you get an answer from the client you sent the traffic to? Maybe he is sending back RST.. Maybe you're sending it to the wrong IP, maybe it's not even listening on the port you're sending to, etc.

A typical problem is the device doesn't even have a gateway - many an IP camera has zero support for a gateway - so no, you cannot talk to it from another network. So you have to source NAT for that to work. Or if they do have a gateway set - it's to some other IP than pfSense, etc.

If it takes you more than 1 minute to figure out where the problem is you need to step back, take a breath - maybe have a beer. Think for 2 seconds, read through the troubleshooting guide and follow the steps.. pfSense cannot forward what it never sees - so step 1 is ALWAYS validate traffic actually gets to pfSense on the port you're trying to forward!!
Derelict (Netgate), Oct 3, 2018, 7:57 PM

You cannot ping or connect inbound sourced from the WAN address like that. It has to do with all of the route-to and reply-to that are placed on pfSense WAN interfaces by default.

This does not impact traffic coming in from the outside. Only traffic with the WAN address as the source address.

Port forwards will work fine even if that test fails.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
jahonix, replying to Stefoo, Oct 3, 2018, 9:46 PM

@stefoo said in Forwarding and ping from WAN don't work.:

Monkeys don't mind one button more, it's me too lazy to set up OpenVPN on their devices now.

It is lazy and/or ignorant people who feed the botnet army of IoT devices.
Good luck getting all those IP cams cleaned afterwards (as well as all your client's network hosts).
jahonix, Oct 3, 2018, 9:57 PM

...just saw: External access to pfSense on port 80 (HTTP)
"Lazy" can't describe that ignorance, you're either mad or shining bright like a slice of bread.
Stefoo, Oct 4, 2018, 10:47 AM (last edited Oct 4, 2018, 10:48 AM)

Thanks to everybody for contributing.
The original post was not related to security, but thanks for your concerns.
FYI, this is my second PFS box, the first one was with everything you say.

@johnpoz I am not so experienced, even more so with diagnosis.
I did a packet capture and found traffic is reaching the internal IP. So it is not a problem of forwarding.
I changed the forwarding to a Ubiquiti device that has a gateway. Again I can't open it, I am not reaching any login screen.
How should I diagnose further?
johnpoz (Global Moderator), replying to Stefoo, Oct 4, 2018, 10:49 AM (last edited Oct 4, 2018, 10:56 AM)

@stefoo said in Forwarding and ping from WAN don't work.:

I changed the forwarding to a Ubiquiti device that has a gateway

Is this gateway pfSense? Do you not get an answer if you see pfSense forward the traffic..

For a forward to work, the dest box you're forwarding to has to send the traffic back to the IP that forwarded it ;) you cannot send your answer via some other gateway..

I am not reaching any login screen

You are actually testing this from OUTside right... You cannot attempt to hit your WAN IP from a box inside to be forwarded back inside and expect that to work without setting up NAT Reflection. You need to be validating your port forwards from external to pfSense. can you see me . org is a great place to test if ports are open and reaching the client you're forwarding to and it answers..

Here I forwarded 22 to one of my UniFi APs that is on 192.168.2.2

That took all of 30 seconds.

[screenshot]
Stefoo, Oct 4, 2018, 12:02 PM (last edited Oct 4, 2018, 12:04 PM)

!!! This is again one of those cases where something is tripping !!!
Yes, I am testing only from outside.
Here is my packet capture

On WAN
4:57:58.011987 IP 185.12.24.42.62203 > 57.237.109.180.8007: tcp 0
14:58:01.731203 IP 185.12.24.42.62219 > 57.237.109.180.8007: tcp 0
14:58:01.985091 IP 185.12.24.42.62224 > 57.237.109.180.8007: tcp 0

On LAN
14:54:13.272152 IP 185.12.24.42.61019 > 192.168.100.7.80: tcp 0
14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0
14:54:13.527480 IP 185.12.24.42.61028 > 192.168.100.7.80: tcp 0

I used www.yougetsignal.com/tools/open-ports/ to check my open ports. It says port 8007 is not open, while I have these rules:
[screenshots]
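As an added example (not from the thread or from pfSense), this is the check order johnpoz describes applied mechanically to the two captures posted above: each step looks for the packets that must exist if the previous step passed, and the first one missing names where to look next. The IPs and ports are the thread's; the step labels are my own.

```python
import re
from collections import namedtuple

# Line format printed by pfSense Diagnostics > Packet Capture at the default
# detail level. "tcp 0" means no payload; flags are not shown, so RST vs
# SYN/ACK must be checked in Wireshark, as the thread advises.
LINE_RE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\w+)")
Packet = namedtuple("Packet", "src sport dst dport")

# Captures as posted in the thread (taken on the WAN and LAN sides of pfSense).
WAN_CAPTURE = """
4:57:58.011987 IP 185.12.24.42.62203 > 57.237.109.180.8007: tcp 0
14:58:01.731203 IP 185.12.24.42.62219 > 57.237.109.180.8007: tcp 0
14:58:01.985091 IP 185.12.24.42.62224 > 57.237.109.180.8007: tcp 0
"""
LAN_CAPTURE = """
14:54:13.272152 IP 185.12.24.42.61019 > 192.168.100.7.80: tcp 0
14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0
14:54:13.527480 IP 185.12.24.42.61028 > 192.168.100.7.80: tcp 0
"""

def parse_capture(text):
    """Parse tcpdump-style lines into Packets; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            packets.append(Packet(m[1], int(m[2]), m[3], int(m[4])))
    return packets

def diagnose(wan, lan, wan_ip, wan_port, target_ip, target_port):
    """Run the four checks in order and name the first one that fails."""
    # 1. Does anything for the forwarded port arrive on the WAN at all?
    #    pfSense cannot forward what it never sees (modem, ISP, wrong IP).
    if not any(p.dst == wan_ip and p.dport == wan_port for p in wan):
        return "step1-no-traffic-on-wan"
    # 2. Is it sent out the LAN to the redirect target IP and port?
    #    If not, the NAT entry or its associated firewall rule is wrong.
    if not any(p.dst == target_ip and p.dport == target_port for p in lan):
        return "step2-not-forwarded-to-lan"
    # 3. Does the target answer? Not listening, host firewall, or a wrong
    #    redirect IP show up as silence here.
    if not any(p.src == target_ip and p.sport == target_port for p in lan):
        return "step3-target-silent"
    # 4. Does the reply leave the WAN translated back to wan_ip:wan_port?
    #    A target with no (or another) default gateway, multi-WAN reply-to,
    #    or broken outbound NAT fails here: the answer never reaches the tester.
    if not any(p.src == wan_ip and p.sport == wan_port for p in wan):
        return "step4-reply-never-leaves-wan"
    return "ok"

def diagnose_thread():
    """The thread's captures: WAN 57.237.109.180:8007 -> 192.168.100.7:80."""
    return diagnose(parse_capture(WAN_CAPTURE), parse_capture(LAN_CAPTURE),
                    "57.237.109.180", 8007, "192.168.100.7", 80)
```

On the thread's captures the result is step 4: the camera answers on the LAN, but no translated reply ever appears on the WAN, which is exactly the gateway / outbound-NAT question the following posts turn to.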
johnpoz (Global Moderator), Oct 4, 2018, 12:35 PM (last edited Oct 4, 2018, 12:44 PM)

@stefoo said in Forwarding and ping from WAN don't work.:

14:54:13.272415 IP 192.168.100.7.80 > 185.12.24.42.61019: tcp 0

The box you're forwarding to clearly sends a response - what is this response? Is it a RST? Did that actually go back to the pfSense IP (MAC address?) Open that sniff in Wireshark.

BTW your rules are WRONG... Just let your port forward create the rules...

They should look like this..

[screenshot]

Why do you have that 8007 rule to any in there?
Stefoo, Oct 4, 2018, 6:19 PM (last edited Oct 4, 2018, 6:28 PM)

I added that rule just in case, otherwise I let NAT create its rules.
I have a question. If a port is forwarded, then is it closed? Because the port open checker is reporting that the port is closed, while when sniffing when the checker connects it's obvious traffic gets through.
@johnpoz I guess it's not RST. Sorry, I am not good at reading captured packets.
Wireshark on WAN
[screenshot]

Wireshark on LAN
[screenshot]
johnpoz (Global Moderator), Oct 4, 2018, 6:34 PM (last edited Oct 4, 2018, 6:38 PM)

So from that you're seeing SYN,ACK which is the proper answer to a SYN - but it's not going back out your WAN..

You're taking those sniffs on the pfSense LAN interface.. And it's sending it to the pfSense LAN MAC - from that ARP I assume the pfSense LAN IP is 192.168.100.1 with MAC address 00:10:dc:20:a0:87

Do you have more than 1 WAN? What are your rules on your LAN? Are you using any sort of captive portal on the LAN side?

What do you have for outbound NAT?

Does this client's internet work? Can it go through pfSense for internet and that works? When you sniffed on WAN did you limit that to IP or something? You sure pfSense is not sending that traffic back out to your outside IP but didn't NAT it - ie sending it out with the 192.168.100.7 address?
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.