Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Newbee: Port forwarding not working

    Scheduled Pinned Locked Moved General pfSense Questions
    20 Posts 5 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bforpcB
      bforpc
      last edited by

      Hi there,

      i have install a new virtual pfsense. 2 Nics, 1 wan, 1 Lan. Very easy.
      Internet is working (but slower than with the old ipfire Firewall before (i dont know why)), but my problem is the port forwarding.
      Wahtever i do, it does not work. YES, i had read many tutorials und youtube videos, how to do that. It sound easy.
      But it does not work. Maybe i do something wrong in general.

      So my question is: After install and set/assing IP's to the 2 Interfaces (and had Internet up and running): What i need to do, to have a Port forwarding from wand (Internet) port 22222 to an internal linux Server at ip 192.168.1.1:22
      Thats all i like to have.

      Bfo

      V GrimetonG Bob.DigB 3 Replies Last reply Reply Quote 0
      • V
        viragomann @bforpc
        last edited by

        @bforpc said in Newbee: Port forwarding not working:

        Wahtever i do, it does not work. YES, i had read many tutorials und youtube videos, how to do that. It sound easy.
        But it does not work.

        So you have to provide more details.

        Show a screenshot of your NAT rule.
        Do you allow the access to the internal device, either by the NAT rule or by an associated or unassociated firewall rule?

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Yeah what have you setup so far? Posts screenshots so we can review them.

          https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html#adding-port-forwards

          Steve

          1 Reply Last reply Reply Quote 0
          • bforpcB
            bforpc
            last edited by

            Hello,

            here are the nat & rule screenshot
            Bildschirmfoto vom 2020-02-11 08-36-05.png Bildschirmfoto vom 2020-02-11 08-35-30.png
            Hope it helsp.
            Everything else are "standard and not changed".

            Bfo

            1 Reply Last reply Reply Quote 0
            • GrimetonG
              Grimeton @bforpc
              last edited by

              @bforpc NAT also heavily relies on routing.Make sure your routing is fine.

              1 Reply Last reply Reply Quote 0
              • bforpcB
                bforpc
                last edited by

                Hi Grimeton,

                im a newbee with pfsense. So what and where i setup this correctly to access a server from Internet over pfsense in my intranet?

                Bfo

                1 Reply Last reply Reply Quote 0
                • V
                  viragomann
                  last edited by

                  The NAT and firewall rules seem to be okay.
                  Ensure that the destination device responses to SSH access from the internet.
                  You may use the Packet Capture tool from the Diagnostic menu to investigate. Take a capture on the LAN while you try SSH from WAN to see if packets are natted as expected and if you get responses from that device.

                  1 Reply Last reply Reply Quote 0
                  • Bob.DigB
                    Bob.Dig LAYER 8 @bforpc
                    last edited by

                    @bforpc said in Newbee: Port forwarding not working:

                    192.168.1.1

                    And sure that your linux machine is 192.168.1.1 and not pfSense? How is your network setup?

                    1 Reply Last reply Reply Quote 0
                    • bforpcB
                      bforpc
                      last edited by bforpc

                      Yes im absolute sure about the ip adresses.
                      The hole intranet is working for long time with ipfire and access via ssh to 192.168.1.1 (this is the VM Host). Ipfire is off and out. pfsense has 192.168.1.101/24 as lan interface.

                      Bob.DigB 1 Reply Last reply Reply Quote 0
                      • Bob.DigB
                        Bob.Dig LAYER 8 @bforpc
                        last edited by Bob.Dig

                        @bforpc Do you try to connect from inside or from outside?
                        Obviously you do something wrong, but it is hard to guess. 😉

                        1 Reply Last reply Reply Quote 0
                        • bforpcB
                          bforpc
                          last edited by

                          of corse, I trying from outside :-)
                          Packet capture show me this (in this test i use wan:1022 to Lan:22)

                          12:56:05.508511 IP [public ip client].60954 > [public ip pfsense].1022: tcp 0
                          12:56:05.508667 IP [public ip pfsense].1022 > [public ip client].60954: tcp 0
                          12:56:06.242282 IP [public ip pfsense].1022 > [public ip client].60950: tcp 0
                          12:56:06.523324 IP [public ip client].60954 > [public ip pfsense].1022: tcp 0
                          12:56:06.523411 IP [public ip pfsense].1022 > [public ip client].60954: tcp 0
                          12:56:07.554284 IP [public ip pfsense].1022 > [public ip client].60954: tcp 0
                          

                          So it looks like, there are requests on pfsense...

                          Bfo

                          1 Reply Last reply Reply Quote 0
                          • V
                            viragomann
                            last edited by

                            So pfSense sends out responses back to the client again. Seems everything is fine so far and your problem is not due to pfSense.
                            What's the output on the client when trying to connect?

                            1 Reply Last reply Reply Quote 0
                            • bforpcB
                              bforpc
                              last edited by bforpc

                              This is the output at the internet client

                              ssh -v -p1022 [public ip of pfsense]
                              OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
                              debug1: Reading configuration data /root/.ssh/config
                              debug1: Reading configuration data /etc/ssh/ssh_config
                              debug1: /etc/ssh/ssh_config line 19: Applying options for *
                              debug1: Connecting to [public ip pfsense] port 1022.
                              

                              and thats it ...

                              From pfsense i test the port:
                              Bildschirmfoto vom 2020-02-11 13-24-05.png

                              Bfo

                              bforpcB 1 Reply Last reply Reply Quote 0
                              • bforpcB
                                bforpc @bforpc
                                last edited by

                                @bforpc

                                additional info:
                                If i run on 192.168.1.1 tcpdump and simultaneously try ssh from outside to pfsense:
                                ~:tcpdump -i vmbr0 "src host 192.168.1.101" and "dst port 22"

                                tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
                                listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
                                ^C
                                0 packets captured
                                1 packet received by filter
                                0 packets dropped by kernel
                                1 packet dropped by interface
                                

                                Nothing is comming from pfsense.
                                So it must be a pfsense conffiguration, in detail, it must be a blocking rule.
                                But where?
                                And again: Pfsense is right from scratch installed. Only IP Assigments to the interfaces.
                                I think, my question is not more then an absoltly basic thing!?

                                bfo

                                Bob.DigB 1 Reply Last reply Reply Quote 0
                                • GrimetonG
                                  Grimeton
                                  last edited by

                                  Incoming connections from the outside on the WAN interface are blocked.

                                  Open up the port so that it becomes available.

                                  Cu

                                  bforpcB 1 Reply Last reply Reply Quote 0
                                  • Bob.DigB
                                    Bob.Dig LAYER 8 @bforpc
                                    last edited by

                                    @bforpc is pfSense directly connected to the internet or what means outside.

                                    bforpcB 1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by stephenw10

                                      The source will still be the external public IP you're testing from if you pcap on the target host. Not the pfSense LAN IP.
                                      I would not expect to see any traffic there.

                                      Try doing the port test to 192.168.1.1 in pfSense but set the source IP to the WAN address.

                                      The target should still show as open. If it does not then the target is refusing connections from outside it's subnet. That may have worked previously if IPFire was source NATing the traffic as it left the LAN.

                                      Steve

                                      1 Reply Last reply Reply Quote 0
                                      • bforpcB
                                        bforpc @Bob.Dig
                                        last edited by bforpc

                                        @Bob-Dig
                                        Yes. it is directly connected to the internet (it gets the public ip via dhcp).

                                        1 Reply Last reply Reply Quote 0
                                        • bforpcB
                                          bforpc @Grimeton
                                          last edited by

                                          @Grimeton

                                          How?

                                          1 Reply Last reply Reply Quote 0
                                          • bforpcB
                                            bforpc
                                            last edited by bforpc

                                            I found the Problem:

                                            At the proxmox hosting platform, there was an option, to pass the traffic through the Host firewall (what was disabled).
                                            Therefore - pfsense has done everything right. After disabling this flag everything works like expected.

                                            THX for your support!!!

                                            Bfo

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.