pfsense doesn't block port on wan



  • Hello,

    I am using pfsense 2.4.4. We have a problem. Pfsense doesn't block requests from source ip address when "Destination" is selected as "WAN Address in WAN rules".

    For example:
    Action Block:
    Interface: WAN
    Address Family: IPv4
    Protocol: TCP
    Source: XX:XX:XX:XX
    Destination: WAN Address

    Pfsense can only block it when Destination is selected "Any". However I have used pfsense 2.4.3p1 and I have used Destination as WAN Address, and it worked well. But in 2.4.4 version this function doesn't work. I think this is bug and it makes WAN Address in Destination meaningless.


  • Netgate

    Then you are doing something wrong. How are you testing?



  • This post is deleted!


  • @emammadov said in pfsense doesn't block port on wan:

    For example, I crate a new nat rule, source address (invert match) xx:xx:xx:xx and destination destination "wan address", Redirect target IP (192.168.1.2), Redirect target port - 80 and save. In Rules / Wan, I choose Action "Block".
    I then begin to open webpage from different ip address and it opens. However if I change Destination address to "Any", it blocks.

    Well if you use NAT to rewrite the destination address then it's obviously no longer your WAN address when the rules get evaluated.



    1. For example, I crate a new nat rule, source address (invert match) xx:xx:xx:xx and destination destination "wan address", Redirect target IP (192.168.1.2), Redirect target port - 80 and save. In Rules / Wan, I choose Action "Block".
      I then begin to open webpage from different ip address and it opens. However if I change Destination address to "Any", it blocks.

    2. have an Alias and it contains some ip addresses. I create a new rule in WAN, and choose my alias as source address and destination "WAN Address": and action block and save. I lift this rule to the top of page and save. It don't block requests from these ip addresses though.


  • Netgate

    Post your entire WAN rule set and tell us exactly what you are doing to test it.

    I just tested this and your original assertion (that block rules to WAN address do not work) is incorrect. It works fine.

    It is highly unlikely that you will discover a "bug" in port forwarding or the implementation of pf. It is almost certainly a misunderstanding or misconfiguration.



  • Firewall / NAT / Port Forward

    0_1540150895224_1.png

    For example, I created a new NAT rule.
    Destination port range: 3389
    Redirect target IP: 192.168.2.82
    Redirect target port: 3389
    Save

    Firewal / lRules / WAN
    I can access this server from everywhere. Then I create a new WAN rule:
    Action Block
    Source address: 5.191.18.8
    Destination: WAN address
    Save

    0_1540151166381_2.png

    I lift this rule above the automatic created nat rule. Save. Eventually it should block access from this ip addres, but it doesn't block. If I choose "Any" in Destionation, then it blockes requests from this ip addres.


  • Netgate

    Nope. NAT has already happened before the firewall rules are consulted.

    Block source 5.191.18.8 to destination 192.168.2.82 port 3389

    If you were to, say, ping WAN Address from 5.191.18.8 with that existing configuration you will see that traffic blocked in the firewall logs because that traffic does not match the NAT so NAT is not performed and Destination WAN Address will match.

    Destination Any matches 192.168.2.82 as well as WAN Address so the traffic is blocked even though NAT has happened first.



  • I can show you exactly when I give teamviewer id to you. Do you have a teamviewer program in your computer?


  • Netgate

    I just explained it all.

    No, I won't teamviewer into your computer.



  • What I mean is: I have an Alias that should be blocked by pfsense.

    In WAN rules, Alias is in the top of page, above all the rules. I have chosen to block all requests from this Alias. Destination address is "WAN Address". It doesn't block requests from this Alias. But if I choose "Any" in Destination, then it blocks all requests from this Alias. That's what I mean. Because I have used this rule in 2.4.3p1 and it used to work. Please do the same steps in your pfsense and you will see what I mean.


  • Netgate

    I explained exactly what is going on based on what you have posted.

    I cannot explain to you that which is not shown. You are posting rules/screen shots for one thing, getting a complete explanation, then saying something else isn't working.

    Does the table in Diagnostics > Tables contain the IP addresses you expect to be blocked?

    Please show everything about that alias and the rules in question.



  • Today I will have a screen recorder and will attach the link here for your review.


  • Netgate

    Just post the rule sets, the contents of the alias, and what you think should be happening. Not going to watch movies.



  • Firewall / Rules / WAN Destionation is "any"
    0_1540205789571_1.jpg

    Alias
    0_1540205813433_2.jpg

    Firewall / NAT / Port Forward
    0_1540205862192_3.jpg

    Firewall / Rules / WAN
    0_1540205888101_4.jpg

    Port check
    0_1540206038237_5.jpg

    Firewall / Rules / WAN Destionation is "WAN Address"
    0_1540206083476_6.jpg

    0_1540206105305_7.jpg

    Port check
    0_1540206120514_8.jpg

    When Destination in WAN Rules is "any", pfsense blocks, but if Destionation is "WAN Address", pfsense doesn't block.



  • @emammadov said in pfsense doesn't block port on wan:

    When Destination in WAN Rules is "any", pfsense blocks, but if Destionation is "WAN Address", pfsense doesn't block.

    That is, as already explained above, because the NAT port forward has already changed the destination address.

    Btw. opening RDP to the WAN is plain stupid, use a VPN for remote administration.



  • @grimson But it has been worked in 2.4.3p1 version.


  • Rebel Alliance Global Moderator

    No it didn't - atleast not the way you think it was..



  • Then, you mean, if I want to block source ip, I have to choose "any" in Destination address and if I allow source ip to my pfsense, then i have to choose "WAN Address" in Destination address, right?


  • Rebel Alliance Global Moderator

    Post your rules HOW they are set, and what is not happening.. Lan rules have ZERO to on what happens inbound to the WAN..

    Your running pfblocker - and you have rules in floating that block traffic.. If so then they could be blocking access to your port forward..

    Unless you are using a VIP address on your wan, port forward will always be to wan address - which is the default. It will auto create the firewall rule for you by default. If you to limit to a specific alias as source that has zero to do with the dest address and can be be used in your port forward rule.



  • I have sent you private message. By the way, I am using pfblocker, but Action in pfblocker is "Alias Native". I don't use floating rules.


  • Rebel Alliance Global Moderator

    Dude I am not going to watch a freaking movie.. You scrolling around your rules makes it IMPOSSIBLE to see what might or might not be wrong.

    Its this simple post your port forward, post your wan rules. Post your floating rules. (if nothing in there - still post them).. State what doesn't work.
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    Just because your port test says not open doesn't mean the port forward didn't work btw. Maybe your client not listening or sending back RST because it doesn't allow rdp from IP other than its local lan, etc.. Run through the troubleshooting guide..

    Port forwarding to 3389 is this simple.

    0_1540232262788_portforward.png

    Once I remove the rule - bam its BLOCKED!! You have to kill any open states that might exist..

    0_1540232625664_blocked.png



  • You approached. Now create a rule on wan interface, select block in action, add a public ip address you know to the source, choose "wan address " in destination, save and drag it to the above of the rule you created for rdp. You will see that ip addresses in source still can access your server via rdp, but if you select "any" in destination in the rule of wan address, pfsense will block the traffic from that public ip address.


  • Netgate

    Man. NAT HAPPENS BEFORE FIREWALL RULES ARE EVALUATED! WAN ADDRESS WILL NOT MATCH AS A DESTINATION ADDRESS FOR TRAFFIC MATCHING THE PORT FORWARD! THE DESTINATION ADDRESS HAS BEEN TRANSLATED TO THE SERVER ADDRESS!


  • Rebel Alliance Global Moderator

    As Derelict has been trying to tell you for this whole thread. Now create your firewall rule with dest of your IP of your nat, ie 192.168.x.x

    Put that above your rule that allows it.. And that IP would be blocked.