Port forwarding problem



  • Hi, I have a port forwarding problem: even though I can reach the destination port from the pfSense console, I can't forward it from the internal LAN to the WAN address. Is there some factory lock on this, or other stuff I need to add to the config?
    I have 2 interfaces, one LAN and one WAN. In the WAN network I have a host that is "listening" on port 999. I want to forward from the LAN IP on some port (or the same one) to the WAN host on 999, and it cannot be done the normal way. I have made all the tests that can be done..
    From the pfsense console:

    telnet (ip of host in wan network) 999
    Trying (ip of host in wan network)...
    Connected to (ip of host in wan network).
    Escape character is '^]'.
    

    Good, it's fine!
    Now I have:

    Firewall > NAT > Port Forward > Interface "LAN", Protocol "TCP", Source Address "*", Source Ports "*", Dest Address "LAN address", Dest. Ports "999", NAT IP "ip of the remote host in wan network", NAT Ports "999".
    

    I have tested making the same rule but in the reverse configuration, from WAN (in the same network as the remote host) on another port, and that forward works well.

    Thanks in advance.



  • Post a screenshot of your port-forward if you want help.

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • portforward.jpg
    10.200.40.0 is the internal LAN (xn1)
    192.168.50.0 is the WAN network (xn0)

    Now view of tcpdump:

    tcpdump -i xn1 -X src 10.200.40.132 and port 999
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn1, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:18:13.978513 IP 10.200.40.132.3718 > firewall.localdomain.garcon: Flags [S], seq 3760235677, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 14c2 4000 8006 7f3e 0ac8 2884  E..0..@....>..(.
           0x0010:  0ac8 28b4 0e86 03e7 e020 a49d 0000 0000  ..(.............
           0x0020:  7002 faf0 8a3b 0000 0204 05b4 0101 0402  p....;..........
    18:18:14.232351 IP 10.200.40.132.3719 > firewall.localdomain.garcon: Flags [S], seq 2620897957, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 14d0 4000 8006 7f30 0ac8 2884  E..0..@....0..(.
           0x0010:  0ac8 28b4 0e87 03e7 9c37 baa5 0000 0000  ..(......7......
           0x0020:  7002 faf0 b81b 0000 0204 05b4 0101 0402  p...............
    18:18:17.036208 IP 10.200.40.132.3718 > firewall.localdomain.garcon: Flags [S], seq 3760235677, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 14ed 4000 8006 7f13 0ac8 2884  E..0..@.......(.
           0x0010:  0ac8 28b4 0e86 03e7 e020 a49d 0000 0000  ..(.............
           0x0020:  7002 faf0 8a3b 0000 0204 05b4 0101 0402  p....;..........
    18:18:17.137887 IP 10.200.40.132.3719 > firewall.localdomain.garcon: Flags [S], seq 2620897957, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 14f2 4000 8006 7f0e 0ac8 2884  E..0..@.......(.
           0x0010:  0ac8 28b4 0e87 03e7 9c37 baa5 0000 0000  ..(......7......
           0x0020:  7002 faf0 b81b 0000 0204 05b4 0101 0402  p...............
    18:18:23.035880 IP 10.200.40.132.3718 > firewall.localdomain.garcon: Flags [S], seq 3760235677, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 1509 4000 8006 7ef7 0ac8 2884  E..0..@...~...(.
           0x0010:  0ac8 28b4 0e86 03e7 e020 a49d 0000 0000  ..(.............
           0x0020:  7002 faf0 8a3b 0000 0204 05b4 0101 0402  p....;..........
    

    View from xn1 (wan)
    Everything arrives OK but nothing comes back to the origin:

    tcpdump -i xn0 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on xn0, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:14:50.196251 IP 10.200.40.132.3700 > 192.168.50.4.garcon: Flags [S], seq 300233689, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 116e 4000 7f06 c461 0ac8 2884  E..0.n@....a..(.
           0x0010:  c0a8 3204 0e74 03e7 11e5 33d9 0000 0000  ..2..t....3.....
           0x0020:  7002 faf0 0a1d 0000 0204 05b4 0101 0402  p...............
    18:14:50.451634 IP 10.200.40.132.3701 > 192.168.50.4.garcon: Flags [S], seq 3765036906, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 117d 4000 7f06 c452 0ac8 2884  E..0.}@....R..(.
           0x0010:  c0a8 3204 0e75 03e7 e069 e76a 0000 0000  ..2..u...i.j....
           0x0020:  7002 faf0 8805 0000 0204 05b4 0101 0402  p...............
    18:14:53.294009 IP 10.200.40.132.3700 > 192.168.50.4.garcon: Flags [S], seq 300233689, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 119f 4000 7f06 c430 0ac8 2884  E..0..@....0..(.
           0x0010:  c0a8 3204 0e74 03e7 11e5 33d9 0000 0000  ..2..t....3.....
           0x0020:  7002 faf0 0a1d 0000 0204 05b4 0101 0402  p...............
    18:14:53.294044 IP 10.200.40.132.3701 > 192.168.50.4.garcon: Flags [S], seq 3765036906, win 64240, options [mss 1460,nop,nop,sackOK], length 0
           0x0000:  4500 0030 11a0 4000 7f06 c42f 0ac8 2884  E..0..@..../..(.
           0x0010:  c0a8 3204 0e75 03e7 e069 e76a 0000 0000  ..2..u...i.j....
           0x0020:  7002 faf0 8805 0000 0204 05b4 0101 0402  p...............
    


  • OK thanks. Can you please describe your problem again? I don't really understand. You're saying you have a server on WAN that you want to forward to LAN?? That's backwards from what people normally do. LAN has full access everywhere by default, so you don't need to do anything for them to access some server on WAN.

    Is your WAN a private or public network?



  • @KOM Ok thanks. Yes, I need to forward a LAN IP to the WAN IP. WAN is internal and LAN is external (not the normal case..)
    If I go from the console I reach the destination WAN IP OK.. The WAN IP of pfSense is 192.168.50.21 and the host is 192.168.50.4 (in the same network); I've telnetted and it works, the packets come back. But if I want to forward it I can't :(


  • LAYER 8 Global Moderator

    @fakauy said in Port forwarding problem:

    Wan are internal and lan are external (are not the normal case..)

    What??? Doesn't work that way... Please draw your network.. Wan is the network used to get to "other" networks... not the LAN...



  • Like John said, that's really messed up unless there is something else we don't know. Can you post screens of your WAN and LAN rules?


  • LAYER 8 Global Moderator

    Doesn't matter what the wan or lan rules are...

    He can call it whatever he wants or label them whatever he wants... pfSense will consider an interface with a gateway on it wan, and an interface without a gateway a "lan"; it nats traffic from its lan to its wan..

    You can label them whatever you want in pfsense - label doesn't mean anything..

    He needs to draw up this network and where his clients on whatever network attached to pfsense point to for their gateways.



  • Ok, maybe doing the change of wan as internal
    rules.jpg


  • LAYER 8 Global Moderator

    So devices on this "lan" network point to pfsense to get off whatever this lan network is?? 192.168.1/24 would be pfsense default.

    You don't need to forward to get to any other network, since that rule right there on the top below the anti-lock lets you go wherever you want.

    Pfsense out of the box will nat this traffic to what the WAN IP is..



  • @johnpoz said in Port forwarding problem:

    ill consider an interface with a gateway on it wan.

    pfsense LAN ip 10.200.40.180
    pfsense WAN ip 192.168.50.21

    Want to reach 192.168.50.4 port 999
    I go to the console in pfsense and do telnet 192.168.50.4 999 comes ok..
    I want to hit the 10.200.40.180:999 and go to the 192.168.50.4:999
    Nothing more..



  • @johnpoz said in Port forwarding problem:

    an call it whatever he wants or label them whatever he wants..
    routes.jpg


  • LAYER 8 Global Moderator

    Your wan is that 10.200.40/24

    Where is your 192.168.50/24 network connected??

    Says it's connected to xn0, that's just some opt off pfsense, you don't need a port forward to get there, your lan rules allow it... But if devices on 192.168.50 don't point back to pfsense as their gateway they wouldn't get back unless you source nat or host route on the dest device in the 192.168.50 network

    This is part of the reason you should DRAW your network.



  • @johnpoz said in Port forwarding problem:

    since that rule right there on the top below the anti-lock lets you go wherever you want.

    No, wan is 192.168.50.21 and it's internal; it reaches the other host on the network fine.. ping 192.168.50.4 (the gateway is fine)
    From console:

    PING 192.168.50.4 (192.168.50.4): 56 data bytes
    64 bytes from 192.168.50.4: icmp_seq=0 ttl=63 time=5.185 ms
    
    telnet 192.168.50.4 999
    Trying 192.168.50.4...
    Connected to 192.168.50.4.
    Escape character is '^]'.
    

    Now I want to access, from 10.200.40.132 (another host in the LAN network), the IP of the pfSense 10.200.40.180 and redirect port 999 to the WAN IP 192.168.50.4:999.


  • LAYER 8 Global Moderator

    Dude if you want Help then draw up this network and show all your routes...

    You have a 192.168.50 connected to xn0 -- what you want to call it doesn't mean anything... It's not wan to pfsense; pfsense wan, as you showed in the routes, is the 10.200.40 network - since that is where the default route is pointing to.

    10.200 is not LAN to pfsense, pfsense default route is to 10.200.40.254.. That is where pfsense will send traffic to if not directly attached..

    So again DRAW up your network..

    we know that 10.200.40 is attached to xn1, and 192.168.50 is attached to xn0

    Pfsense default route is to 10.200.40.254... So that is pfsense WAN..



  • @johnpoz said in Port forwarding problem:

    what you want to call it doesn't mean anything...

    @johnpoz I have posted all the routes.. You mean I need a default gw on the wan to do this?



  • @johnpoz You mean I need to change WAN for Lan and LAN for wan?


  • LAYER 8 Global Moderator

    pfsense WAN is the network that allows you to get to other networks, this is normally the internet, but it could also be another internal network... Your default gateway on pfsense is pointing to 10.200.40.254... This is the WAN network to pfsense.

    This other network attached to xn0 192.168.50.0/24 is pfsense LAN..

    If you want devices that reside on this wan network to get to 192.168.50, then you would port forward on wan and point to the lan devices. Devices on wan would have to hit pfsense WAN IP...

    If you want devices on lan to get to wan IPs then the default lan rules allows this.. And outbound nat would nat to this 10.200.40 address pfsense.

    Your problem, if you port forward from wan to lan, could be that clients on lan 192.168.50 are not using pfsense for their gateway; they would not know how to get back to this 10.200.40 network.

    Your problem with lan talking to wan 10.200.40 could be if you turned off natting; those devices would not know how to get back to 192.168.50

    This is your network right?
    network.png

    Other devices on 10.200.40 use .254 as their gateway right..
    And devices on 192.168.50 use pfsense as their gateway .21 right.. This is pfsense LAN!!

    10.200.40 is pfsense WAN!!

    If you have pfsense set up the other way around, then it's BORKED!!! Set up the pfsense wan interface to be your 10.200.40.180 (gateway set to 10.200.40.254) and LAN to be 192.168.50.21 (no gateway set)



  • So on 192.168.50.4 I have:
    Destination     Gateway         Genmask          Flags Metric Ref Use Iface
    192.168.50.0    192.168.50.1    255.255.255.0    UG    0      0   0   eth0
    192.168.50.0    *               255.255.255.0    U     0      0   0   eth0
    10.200.40.0     *               255.255.255.0    U     0      0   0   eth1
    default         10.200.40.254   0.0.0.0          UG    0      0   0   eth1


  • LAYER 8 Global Moderator

    Huh??

    So you have a multi homed device in 192.168.50???

    What device is this
    192.168.50.1

    Dude DRAW your MESS!!!



  • Yes, it can be reached directly from the 10.200.40 network.. maybe I need to add a route for the pfsense IP on eth0 even if I have the whole 192.168.50.0 net on this interface?


  • LAYER 8 Global Moderator

    What.... OMG dude, sounds like you have a real freaking cluster F.... Why do you have a multi homed device... And it has an interface in the 192.168.50 network; it sure and the F does not need a gateway to get to 192.168.50 - which is what you're showing at 192.168.50.1

    I would love to help you straighten your mess out... But I can not help you without understanding the full scope of your mess and what you're trying to accomplish.



  • @johnpoz said in Port forwarding problem:

    nd it has a interface in the 192.168.50 network, its sure and the F does not need a gateway to get to the 192.168.50 - which is what your showing at 192.168.50.1

    The 192.168.50.1 is another host in the 50 network acting as a gw.
    This doesn't matter even when I have 192.168.50.0 pointing to the interface.. everything related and established on a directly connected network doesn't need the GW..



  • @johnpoz The scope of the forward I want IS
    10.200.40.132 (outgoing port) > 10.200.40.180(pfsense) port 999 (xn1) > forward(nat) 192.168.50.4:999 xn0
    As you can see in the tcpdump, the packets are not NATed; they arrive at 192.168.50.4 as 10.200.40.132 and go back via the default gw on eth1, as you can see in the route table of the 192.168.50.4 host.


  • LAYER 8 Global Moderator

    @fakauy said in Port forwarding problem:

    10.200.40.132 (outgoing port) > 10.200.40.180(pfsense) port 999 (xn1) > forward(nat) 192.168.50.4:999 xn0

    Here is where you're going to have a problem... Your .4 host has an interface in 10.200.40 so he will answer back via his other connection.

    asymet.png

    You would have to source nat it to the 192.168.50.21 address if you want .4 to send it back to pfsense...

    Pfsense doesn't nat port forwards, only outbound nats..

    Why would you want to hit 192.168.50.4 when you can just hit on its 10.200.40 address?

    Your clients are not going to accept such an answer... because they sent it to 10.200.40.180; why would 10.200.40.x be sending me an answer, etc. etc.
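Added illustration, not part of the thread: a small Python model of the routing decision described above, using the .4 host's route table as posted. It assumes the usual longest-prefix-match behaviour and that a reply only gets translated back when it passes through pfSense's 192.168.50.21 address; the single-homed variant is a constructed comparison.

```python
import ipaddress

# Route table of the multi-homed 192.168.50.4 host, as posted in the thread:
# (destination prefix, gateway or None when directly attached, interface).
MULTIHOMED = [
    ("192.168.50.0/24", None, "eth0"),
    ("10.200.40.0/24", None, "eth1"),
    ("0.0.0.0/0", "10.200.40.254", "eth1"),
]
# Constructed comparison: 10.200 interface removed, pfSense .21 as default gateway.
SINGLE_HOMED_VIA_PFSENSE = [
    ("192.168.50.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.50.21", "eth0"),
]

PFSENSE_XN0 = "192.168.50.21"      # pfSense address on the 192.168.50 side
PFSENSE_FORWARD_IP = "10.200.40.180"  # address the client connects to on xn1
SERVER = "192.168.50.4"

def next_hop(routes, dst):
    """Longest-prefix match; returns (gateway, iface), gateway None = on-link."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

def forwarded_connection(client, routes, snat=False):
    """Model client -> pfSense:999 -> SERVER:999 and where SERVER's SYN-ACK goes.
    snat=True means pfSense also rewrites the source to PFSENSE_XN0 (outbound NAT)."""
    src_seen_by_server = PFSENSE_XN0 if snat else client
    gw, iface = next_hop(routes, src_seen_by_server)
    # The reply reaches pfSense only if it is addressed to pfSense (SNAT case)
    # or routed through pfSense as gateway; otherwise it bypasses the firewall.
    via_pfsense = src_seen_by_server == PFSENSE_XN0 or gw == PFSENSE_XN0
    # pfSense un-NATs the reply so the client sees it from PFFSENSE_FORWARD_IP;
    # a reply that bypassed pfSense arrives from SERVER, matching no open connection.
    reply_src = PFSENSE_FORWARD_IP if via_pfsense else SERVER
    return {"reply_iface": iface, "via_pfsense": via_pfsense,
            "reply_src_at_client": reply_src,
            "handshake_completes": reply_src == PFSENSE_FORWARD_IP}
```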



  • @johnpoz said in Port forwarding problem:

    Why would you want to hit 192.168.50.4 when you can just hit on its 10.200.40 address?

    The 10.200.40 address is from an interface that needs to be kept clear of traffic on this host (192.168.50.4)



  • @johnpoz I have tested removing this interface on 192.168.50.4 and it didn't work.


  • LAYER 8 Global Moderator

    Then you have to source nat..

    The network makes ZERO sense.. What exactly are you wanting to accomplish? Once you multihome a device and put interfaces in networks on each side of a firewall - you basically make that firewall pointless.


  • LAYER 8 Global Moderator

    What??? Removed what interface? The 200? Then troubleshoot your port forward.. You did it on pfsense WAN?

    Did you change the .4 box to point to .21 as its default gateway? If not it wouldn't know how to get back to the 10.200



  • @johnpoz said in Port forwarding problem:

    You did on pfsense WAN?

    No, I only tested removing the 10.200 interface on 192.168.50.4, and now I have pointed a static route.. on this host..
    Now it looks like:
    Destination     Gateway         Genmask          Flags Metric Ref Use Iface
    10.200.40.132   192.168.50.4    255.255.255.255  UGH   0      0   0   eth0
    192.168.50.0    192.168.50.1    255.255.255.0    UG    0      0   0   eth0
    192.168.50.0    *               255.255.255.0    U     0      0   0   eth0
    10.200.40.0     *               255.255.255.0    U     0      0   0   eth1
    default         10.200.40.254   0.0.0.0          UG    0      0   0   eth1



  • @fakauy This didn't work.


  • LAYER 8 Global Moderator

    Why and the F would you think that would work... It still has its 10.200.40.x interface..

    If you want this to work while the box still has a 10.200 interface then you have to SOURCE nat it at pfsense.. Period, end of story..

    Or you have to talk to it on its 10.200 interface..

