no port forward into vlan



  • Hello,
    I am unable to get a working port forward.

    My Setup (screenshot)

    As a test I would like to forward SSH port 22 to some IP address.

    Firewall rule (screenshot)

    NAT rule (screenshot)

    Diagnostics/States/States (screenshot)

    I already looked through the "Port Forward Troubleshooting" guide and from my perspective everything looks like it's working (I am no expert :) ).

    It's not just port 22; I already tried other ports and there are the same problems. Besides those rules we have nothing that should conflict with them, and a rather basic setup apart from the different VLANs. Otherwise everything else looks like it's working; I just can't open any port that is behind the pfSense (opening a port to the pfSense works).
    Opening the SSH connection from the pfSense box works too.

    I sadly have no idea where I should look at the moment. Maybe some trivial change is needed.

    Any help or pointer would be great; if you need some log etc., please ask.

    Best regards



  • Your network map doesn't show the VLANs, so it is not possible to say if the interface you've added the NAT rule to is correct.
    However, you have to state a unique destination IP which should be forwarded.


  • 

    It would help if you could get rid of the double NAT that will occur.

    Can you put the non-pfSense router into modem mode?



  • @viragomann said in no port forward into vlan:

    Your network map doesn't show the VLANs

    10.24.10.xx -> VLAN10
    10.24.20.xx -> VLAN20
    ...

    @viragomann said in no port forward into vlan:

    However, you have to state a unique destination IP which should be forwarded.

    Isn't it done by that?
    (screenshot)

    @NogBadTheBad said in no port forward into vlan:

    It would help if you could get rid of the double nat that will occur.

    This is sadly not possible at all; I have no access to that box (some vendor crap), but the same setup is reported to work properly, so I can at least guess that it works. As I said, creating a port forward to the pfSense box works like a charm.

    I can only phone the vendor and ask for things to get changed; I never saw the interface at all, so I can only suspect what is done there. If you have an idea what might break it, I can ask the vendor if they have set some setting etc. that might have a negative impact. Maybe the router is doing some nasty stuff, I can't rule that out, but that's like a dark hole for me, so I would at least like to rule out that I am making some obvious mistake in the pfSense settings.



  • @CvH said in no port forward into vlan:

    Isn't it done by that?

    No, the destination address in the NAT rule is "any".
    (screenshot)
    You may state the interface address here.

    Another possible reason could be the system firewall on the destination device. Are you sure it is accepting connections from public source IPs?


  • (screenshot)

    It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123.



  • @viragomann said in no port forward into vlan:

    No, the destination address in the NAT rule is "any".

    I changed Dest. Address to the VLAN10 address and at least I get some sign of life at my box.

    root@10.24.20.188:~# tcpdump -n | grep "\.22:" | grep "123.123.123.123"
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775081881 ecr 0,nop,wscale 7], length 0
    09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, options [mss 1452,sackOK,TS val 775082904 ecr 0,nop,wscale 7], length 0
    

    @viragomann said in no port forward into vlan:

    Are you sure it is accepting connections from public source IPs?

    Yes, I also tried a different box that is for sure not "limited".

    @Derelict said in no port forward into vlan:

    It's right there. 10.24.20.188 is not responding to TCP SYNs from 123.123.123.123

    Is it possible that I have now correctly set up the Internet -> my box direction and now "something" is blocking the my box -> Internet route?

    My current setup
    Firewall rules (screenshot)

    NAT rules (screenshot)
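    An added example (not code from the thread or from pfSense) that mechanises the check Derelict made by eye on the state table: it parses tcpdump -n output like the lines quoted above and reports client tuples whose SYN to the forwarded port never got a SYN-ACK back from the host, which is exactly what a wrong default gateway on the host produces. The sample capture is constructed here, modelled on the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the tcpdump lines quoted in the thread: two
# retransmitted SYNs from the public tester 123.123.123.123 toward the
# forwarded host, plus one LAN-side handshake that does get its SYN-ACK.
SAMPLE_CAPTURE = """\
09:50:51.536233 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, length 0
09:50:52.558410 IP 123.123.123.123.44176 > 10.24.20.188.22: Flags [S], seq 334815397, win 29200, length 0
09:50:53.100000 IP 10.24.20.50.51000 > 10.24.20.188.22: Flags [S], seq 1, win 29200, length 0
09:50:53.100500 IP 10.24.20.188.22 > 10.24.20.50.51000: Flags [S.], seq 2, ack 2, win 28960, length 0
"""

# Matches the head of a tcpdump -n line: timestamp, IPv4 src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def unanswered_syns(capture, service_port):
    """Return [((client_ip, client_port), syn_count), ...] for clients whose
    SYN to service_port never got a SYN-ACK ("S.") back from the server.

    Retransmitted SYNs from the same client tuple are counted together; one
    SYN-ACK toward that tuple clears it. Anything left over is a half-open
    handshake, the same picture as a SYN_SENT:CLOSED entry in the pfSense
    state table.
    """
    syns = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or truncated line; ignore
        if m["dport"] == str(service_port) and m["flags"] == "S":
            syns[(m["src"], int(m["sport"]))] += 1
        elif m["sport"] == str(service_port) and m["flags"] == "S.":
            answered.add((m["dst"], int(m["dport"])))
    return sorted(item for item in syns.items() if item[0] not in answered)


if __name__ == "__main__":
    for (ip, port), count in unanswered_syns(SAMPLE_CAPTURE, 22):
        print(f"{ip}:{port} sent {count} SYN(s) to port 22 with no SYN-ACK in return")
```

    Run against a real capture, any tuple it lists is a handshake the host received but whose reply never came back through the firewall, so the next place to look is the host's routing, not the NAT rule.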



  • Gosh, found the problem for that :)
    I used the wrong gateway, so changing Dest. Address to the VLAN10 address did it for me.
    Thank you very much

    PS: I can't edit the post above due to spam detection 😌

