Web Server & SSH port forward issues



  • Hopefully this is a simple issue and I feel bad asking, but I'm lost somewhere. So to be brief, I have a WAN, LAN, and OPT1. LAN is for my home devices and OPT1 is for my servers.

    I've got my game servers running smoothly after a couple of hours of playing with the ports. But to save my life I can't forward port 80, 443, or 22. I'm trying to make it so 22 is only accessible internally (LAN to OPT1) and I'm having no luck with that.

    I'm not able to connect to the site or IP from LAN, but I'm able to get to the site on OPT1. I can't access it by URL, only by IP.
    LAN and OPT1 have different IP ranges but the same subnet. Hoping someone can point me in the right direction. ^^"

    [screenshot: NAT rules]

    [screenshot: WAN rules]

    [screenshot: LAN rules]

    [screenshot: OPT1 rules]



  • You don't need the first three rules on your LAN and OPT1 interfaces. The Default Allow to Any rule already permits full access from those interfaces. Those rules would only be useful if you had a block rule after them to restrict access to only those destinations.

    Now IIRC, you can't NAT ports that are being used by pfSense itself. I'm guessing you have the WebGUI listening on 443 and you have SSH enabled? Change those ports to something other than the default and then you can NAT them to your internal servers.



  • @kom

    After reading back over everything, I feel I left too many details out. Restricting the access between the networks was a plan; this kind of just made me realize I forgot to change * to WAN, so it's wide open right now.

    As for the WebGUI, I've already changed the default 443 port to something random and disabled the redirect in an attempt to access the Apache server I have on OPT1. SSH was for the Apache server on 191.

    Hopefully that makes sense. I tend to either get sidetracked or not give enough info. ^^"
    Thanks for the quick reply.



  • To verify what's really listening, shell in and run this:

    netstat -na | grep -i LISTEN

    Here is what I show for my installation for comparison:

    tcp4       0      0 10.10.4.1.10050        *.*                    LISTEN
    tcp4       0      0 *.666                  *.*                    LISTEN
    tcp6       0      0 *.666                  *.*                    LISTEN
    tcp6       0      0 *.7445                 *.*                    LISTEN
    tcp4       0      0 *.7445                 *.*                    LISTEN
    tcp4       0      0 127.0.0.1.3128         *.*                    LISTEN
    tcp4       0      0 10.10.4.1.3128         *.*                    LISTEN
    tcp6       0      0 *.80                   *.*                    LISTEN
    tcp4       0      0 *.80                   *.*                    LISTEN
    tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
    tcp4       0      0 *.53                   *.*                    LISTEN
    tcp4       0      0 *.53                   *.*                    LISTEN
    tcp4       0      0 *.22                   *.*                    LISTEN
    tcp6       0      0 *.22                   *.*                    LISTEN

    Do you show services still listening on the ports you're trying to forward?

    Also, your NATs are all wrong. I didn't pay close enough attention to them yesterday. You typically NAT from WAN to LAN or OPT1 (DMZ). The Source address and Source ports are almost always *. Destination address is almost always WAN address (or a specific VIP if you have them defined.)

    If you're trying to NAT TCP ports 22, 80 and 443, you only need three NAT rules. I would blow it all away and try again.
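An added check, not from this thread or from pfSense, that automates the two points above: it parses the BSD `netstat -na | grep LISTEN` format shown and then lints a set of port-forward rules for the shape recommended here (source port `*`, destination WAN address, and no pfSense service bound to the forwarded port). The netstat lines, the rule dictionary fields and the target IP are constructed assumptions.

```python
# Constructed sample output in the BSD netstat format shown above (not the poster's).
SAMPLE_NETSTAT = """\
tcp4       0      0 *.443                  *.*                    LISTEN
tcp6       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
"""

# Constructed port-forward rules; field names are an assumption, not pfSense's own schema.
SAMPLE_RULES = [
    {"proto": "tcp", "src_port": "*", "dst_addr": "WAN address", "dst_port": "80",
     "target": "10.0.2.191", "target_port": "80"},          # shaped as advised above
    {"proto": "tcp", "src_port": "443", "dst_addr": "LAN address", "dst_port": "443",
     "target": "10.0.2.191", "target_port": "443"},        # three mistakes on purpose
]

def listening_ports(netstat_output):
    """Return {port: set(local addresses)} for TCP LISTEN lines in BSD netstat format."""
    ports = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        # Local column is "addr.port"; rpartition splits off only the last dot.
        addr, _, port = fields[3].rpartition(".")
        ports.setdefault(int(port), set()).add(addr)
    return ports

def lint_port_forwards(rules, netstat_output, wan_aliases=("WAN address",)):
    """Report rules that contradict the advice in this thread."""
    listeners = listening_ports(netstat_output)
    findings = []
    for r in rules:
        tag = f"{r['proto']}/{r['dst_port']} -> {r['target']}:{r['target_port']}"
        if r["src_port"] != "*":
            findings.append(f"{tag}: source port must be *; clients pick a random source port")
        if r["dst_addr"] not in wan_aliases:
            findings.append(f"{tag}: destination should be WAN address or a VIP, not {r['dst_addr']}")
        if "*" in listeners.get(int(r["dst_port"]), set()):
            findings.append(f"{tag}: pfSense itself listens on *:{r['dst_port']}; move that service")
    return findings

if __name__ == "__main__":
    for finding in lint_port_forwards(SAMPLE_RULES, SAMPLE_NETSTAT):
        print(finding)
```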



  • [screenshot: netstat LISTEN output]

    Well, I can't really answer your question about the ports since I don't even see the game server ports on here. So I'm totally lost now and don't understand how they are even open on the firewall. Yours makes sense, but mine is just a mess.

    As for the NAT settings, I was losing my mind trying different things to get it to work. Below is the full NAT.

    [screenshot: full NAT rules]



  • If you haven't already, you should check the Troubleshooting Port Forwards page and go through every item one by one:
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    You should also watch the Firewall and NAT Fundamentals on pfSense video
    https://www.youtube.com/watch?v=h2XaZxgms5A

    as well as the Port Forward Troubleshooting on pfSense video
    https://www.youtube.com/watch?v=FoQLF_K7WeQ



  • @kom

    The first link I glanced over before, but I can now access the web server both on the WAN and LAN. I'm even able to SSH to it from LAN to OPT1. I don't remember if it was one of the videos you linked or some random third video, but I didn't understand that requests get sent out on a random port. So those source ports would never have worked. Sorry for not understanding that sooner.

    Thank you for the references and your time.