Netgate Discussion Forum

    no port forward into vlan

    • C
      CvH
      last edited by

      Hello,
      I am unable to do a working port forward.

      My Setup
      44f117d8-c26b-4360-bcf5-4b674af3d71e-grafik.png

      Testwise I would like to do a ssh port 22 forward to some IP address.

      firewall rule
      cf356838-bb46-4887-82d1-f759b6d56fc1-grafik.png

      NAT rule
      d9012bcd-b8ed-496f-a8cf-891a2d51002b-grafik.png

      Diagnostics/States/States
      cfe4fff2-d14e-4677-882c-9b21099acc33-grafik.png

      I already looked through the "Port Forward Troubleshooting" guide and from my perspective everything looks like it is working (I am no expert :) ).

      It's not just port 22; I have already tried other ports and there are the same problems. Besides those rules we have nothing that should conflict with them, and a rather basic setup apart from the different VLANs. Otherwise everything else looks like it is working; I just can't open any port that is behind the pfSense (opening a port to the pfSense itself works).
      Opening the SSH connection from the pfSense box works too.

      Sadly I have no idea where I should look at the moment. Maybe some trivial change is needed.

      Any help or pointer would be great; if you need some log etc., please ask.

      best regards

      • V
        viragomann
        last edited by

        Your network map doesn't show the VLANs, so it is not possible to say if the interface you've added the NAT rule to is correct.
        However, you have to state a unique destination IP which should be forwarded.

        • NogBadTheBadN
          NogBadTheBad
          last edited by

          It would help if you could get rid of the double NAT that will occur.

          Can you put the non-pfSense router into modem mode?

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • C
            CvH @viragomann
            last edited by CvH

            @viragomann said in no port forward into vlan:

            Your network map doesn't show the VLANs

            10.24.10.xx -> VLAN10
            10.24.20.xx -> VLAN20
            ...

            @viragomann said in no port forward into vlan:

            However, you have to state a unique destination IP which should be forwarded.

            Isn't that done by this?
            c0bb529b-5a5f-440e-8a0a-741d4cfbd9d1-image.png

            @NogBadTheBad said in no port forward into vlan:

            It would help if you could get rid of the double nat that will occur.

            This is sadly not possible at all; I have no access to that box (some vendor crap), but the same setup is reported to be working properly, so I can at least guess that it works. Like I said, creating a port forward to the pfSense box works like a charm.

            I can only phone the vendor and ask for things to be changed; I have never seen the interface at all, so I can only suspect what is done there. If you have an idea what might break it, I can ask the vendor whether they have set some setting etc. that might have a negative impact. Maybe the router is doing some nasty stuff; I can't rule that out, but that's like a black hole for me, so I would at least like to rule out that I am making some obvious mistake in the pfSense settings.

            • V
              viragomann @CvH
              last edited by

              @CvH said in no port forward into vlan:

              Isn't that done by this?

              No, the destination address in the NAT rule is "any".
              1553106825649-c0bb529b-5a5f-440e-8a0a-741d4cfbd9d1-image.png
              You may state the interface address here.

              Another possible reason could be the system firewall on the destination device. Are you sure it is accepting connections from public source IPs?

              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                6c44ce59-0825-4abe-89b6-17f3b62950b0-image.png

                It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • C
                  CvH @viragomann
                  last edited by

                  @viragomann said in no port forward into vlan:

                  No, the destination address in the NAT rule is "any".

                  I changed Dest. Address to the VLAN10 address, and at least I now get some sign of life at my box.

                  root@10.24.20.188:~# tcpdump -n | grep "\.22:" | grep "123.123.123.123"
                  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
                  09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
                  09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0

                  @viragomann said in no port forward into vlan:

                  Are you sure it is accepting connections from public source IPs?
                  Yes, I also tried a different box that is for sure not "limited".

                  @Derelict said in no port forward into vlan:

                  It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123.

                  Is it possible that I have now correctly set up the Internet -> my box direction, and now "something" is blocking the my box -> Internet route?

                  My current setup
                  Firewall rules
                  bb67bd6f-25ac-4a99-94bd-667b125cbac9-grafik.png

                  NAT rules
                  e474a3d3-c9e9-477e-8b71-538c4e06cb1e-grafik.png

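The capture above is the whole diagnosis: SYNs from 123.123.123.123 reach 10.24.20.188:22, but no SYN-ACK ever leaves, which is what a wrong default gateway (or a host firewall) on the forwarded-to box looks like. The following script is an added example, not part of the thread or of pfSense, that reads tcpdump text like the one posted and lists client flows whose SYNs were never answered; the sample capture is constructed (the first two lines mirror the thread, the 198.51.100.7 lines are added to show a healthy handshake).

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format. Lines 1-2 mirror the thread's
# capture (inbound SYNs only); lines 3-4 are added to show a completed handshake.
SAMPLE = """\
09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
09:51:03.100000 IP 198.51.100.7.50012 > 10.24.20.188.22: Flags [S], seq 1, win 29200, length 0
09:51:03.100400 IP 10.24.20.188.22 > 198.51.100.7.50012: Flags [S.], seq 2, ack 2, win 28960, length 0
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" - greedy \S+ backtracks
# so the trailing ".<port>" is split off the dotted-quad address.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def handshake_report(capture, local_port=22):
    """Count inbound SYNs and outbound SYN-ACKs per (client ip, client port)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tcpdump banner lines and non-TCP output are ignored
        src, sport, dst, dport, flags = m.groups()
        if flags == "S" and int(dport) == local_port:
            flows[(src, int(sport))]["syn"] += 1
        elif flags == "S." and int(sport) == local_port:
            flows[(dst, int(dport))]["synack"] += 1
    return dict(flows)


def unanswered(capture, local_port=22):
    """Client flows whose SYNs got no SYN-ACK: the forwarded packet arrived, but the
    host's reply never went out (wrong gateway, asymmetric route or local firewall)."""
    report = handshake_report(capture, local_port)
    return sorted(k for k, v in report.items() if v["syn"] > 0 and v["synack"] == 0)


if __name__ == "__main__":
    for client_ip, client_port in unanswered(SAMPLE):
        print(f"no SYN-ACK for {client_ip}:{client_port} -> check default gateway / host firewall")
```

Pipe a real capture in with `tcpdump -n -l tcp port 22` and the script points at exactly the flows where the reply path, not the pfSense rule, is broken.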
                  • C
                    CvH
                    last edited by

                    Gosh, found the problem for that :)
                    I used the wrong gateway, so changing Dest. Address to the VLAN10 address did it for me.
                    Thank you very much.

                    PS: can't edit the post above due to spam detection 😌
