Port Forwarding not happening :-(



  • Hi,
    I have a system with 3 NIC. Wan + Lan + 'Guest Use'. I installed 1.2.2 (I also tried 1.2.1 & 2.Alpha), everything seems to work except port forwarding.
    I have tried forwarding both FTP and MS-RDP.

    From the logs:

    
    pf: 15\. 711343 rule 246/0(match): pass in on vr0: (tos 0x0, ttl 55, id 36640, offset 0, flags [DF], proto TCP (6), length 44) 83.223.124.XXX.45465 > 192.168.16.32.21: S, cksum 0xaf5a (correct), 640965060:640965060(0) win 5840 
    

    And after some delay on the FTP server (192.168.16.32):

    
    (000015) 11/03/2009 11:26:38 - (not logged in) (83.223.124.XXX) > connected to ip : 0.0.0.0
    (000015) 11/03/2009 11:26:38 - (not logged in) (83.223.124.XXX) > sending welcome message.
    (000015) 11/03/2009 11:26:38 - (not logged in) (83.223.124.XXX) > 220 Welcome message
    (000015) 11/03/2009 11:26:38 - (not logged in) (83.223.124.XXX) > disconnected.
    
    

    I also noticed this appear in the system logs when an incoming connection is started:

    
    kernel: arpresolve: can't allocate route for 86.98.146.XX [this is the WAN IP]
    Mar 11 11:40:27 	kernel: arplookup 86.98.146.XX failed: host is not on local network
    
    

    Can anyone shed some light on this please?

    Edited to add:

    • The WAN is connected to a consumer DSL modem with DHCP.
    • PPPTP redirection to the internal server works!


  • FTP is a whole separate bag of suck, so I would concentrate on getting something like RDP or HTTP working first.
    That should be pretty straightforward, but triple check the port forward and WAN firewall rules.
    How exactly is the WAN configured? Is the modem bridged somehow so the WAN is getting the 83.223.124 address?
    What's the gateway and subnet mask on the WAN?



  • Hi dotdash, I tried FTP as it was the easiest way for me to get to the logs.
    Re. the firewall rules, I have checked, double checked, reinstalled, cleared everything and started again to no avail.
    The wan NIC is connected to a dlink DSL modem(DSL-320T), and the wan is assigned a public IP address via DHCP from the modem.
    Note that in the FTP logs, it seems to be connected to remote host 0.0.0.0 (I failed to mention this in my previous post)

    The current NIC config is :

    WAN*                     ->   vr0     ->      86.98.?.?(DHCP)
      OPT1(Guest)*          ->   vr1     ->      192.168.10.1
      LAN*                      ->   fxp0    ->      192.168.16.240

    The last entry in /var/db/dhclient.leases.vr0

    
    lease {
      interface "vr0";
      fixed-address 86.98.?.?;
      option subnet-mask 255.255.255.255;
      option routers 86.98.?.?;
      option domain-name-servers 213.42.20.20;
      option host-name "pfsense";
      option dhcp-lease-time 60;
      option dhcp-message-type 5;
      option dhcp-server-identifier 192.168.1.1; (dsl modem IP)
      renew 4 2009/3/12 18:19:48;
      rebind 4 2009/3/12 18:20:10;
      expire 4 2009/3/12 18:20:18;
    }
    
    

    nat rules
    WAN           TCP  3389 (MS RDP)  192.168.16.2  (ext.: 86.98.?.?) 3389 (MS RDP)  
    WAN           TCP           21 (FTP)          192.168.16.32(ext.: any)         21 (FTP)
    1:1 is empty
    Outbound is on manual and has 2 entries:
    WAN    192.168.16.0/24  *  *  *  *  *  NO
    WAN    192.168.10.0/24  *  *  *  *  *  NO

    Firewall Rules on WAN
    TCP  *  *  192.168.16.32  21 (FTP)           *  - 
    TCP  *  *  192.168.16.2  3389 (MS RDP)  *  -



  • Check Status, Interfaces for WAN. What does it show for your subnet mask and gateway?
    That D-Link isn't a NA model (that makes sense as those are RIPE blocks), but It looks like it can be put into bridge mode. You might want to try bridging the modem and changing your WAN to PPPoE. And seriously, forget about the ftp until after you get the rdp working. Then go back and read all the ftp troubleshooting stuff.



  • hello again,
    Status->interfaces
    Subnet mask  255.255.255.255
    Gateway link#1

    The Dlink is actually a DSL-322T, it seems to be only sold in the middle east, I quoted the 320T which is a similar EU model and has more information online about it.

    I changed it to bridged mode, and entered the login details under the PPPoE. It now shows:

    Subnet mask  255.255.255.255
    Gateway 213.42.4.31

    RDP WORKS!  :D
    FTP doesn't work, but that's for another day!

    One last question, I noticed I can no longer access the modem web page (192.168.1.1) from the LAN (192.168.16/24), does this mean I have to change to modem IP to something on 192.168.16.?

    Edited to add: Many thanks for your time/help.



  • I don't use bridged mode very often, but I generally plug a laptop directly into a bridged modem if I need to access it. There are numerous threads asking the same question you did. This might be a good place to start http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562


Log in to reply