Can't do a basic port forward
-
Hi,
I can't get a basic port forward working on my Netgate SG-1100.
I'm trying to create a RDP rule to my PC to work over the internet. I know using a VPN is a better way to do this, however I just want to get this working first.I've created a rule
I've disabled my windows firewall.
From a device outside the network I try to do a telnet test to my public IP address and 3389, but it fails.
I can connect to 3389 internally on the LAN.
I have followed the port forwarding guide and the troubleshooting guide to no avail.
https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.htmlI could get this working on my past basic router.
I have a firewall rule in place (automatically created).
I've turned on the firewall rule logging, however nothing comes up in the logs.I've watched online videos on how to do this, and I'm doing all the basics.
What am I doing wrong?
-
Packet capture?
If the packet never reaches your WAN interface, how would you be able to forward it to your internal host? -
That's true, how would I go about seeing where it breaks down? I turned on ICMP pings on the firewall, and couldn't ping it from an internet device. I'm not sure if there's some broader setting blocking it. I have it running at factory defaults and only have a few settings enabled. I just got the device and could even do a factory reset if that'd help, though I don't think I've put anything in place to cause the issue.
-
@Glaz0n4 said in Can't do a basic port forward:
and couldn't pin
Are you in double-nat scenario or you have a public IP address in your WAN interface?
If it's a RFC1918, you would need to configure the router in front of your pfsense device. -
I have a public IP address on the WAN port it's a 100.x.x.x address.
The connection goes netgate/pfsense (192.168.1.1) > switch (bridge mode (192.168.1.100) > PC (192.168.1.65)
The Netgate/pfsense device is the only router in the setup. -
Good.
So you should be able to see incoming packets reaching the WAN interface.Set up a packet capture, port 3389 TCP, go to canyousee.org and check if you see something hitting there, that would be the first step to troubleshoot it, ok?
You can perform the packet capture through the GUI or through tcpdump.
Edit:
https://canyouseeme.org/ is the correct address -
When I go to https://canyouseeme.org/ it has my IP address as 121.x.x.x instead of what it actually it 100.x.x.x
I tried checking port 3389 there which didn't work. I can't change the IP to my correct IP.Does the fact that it's populating 121.x.x.x mean something else is wrong?
My ISP insists you simply connect any router with DHCP and it'll auto configure, I don't have do do any custom configuration or anything. I don't have a modem or anything like that, it's ethernet into a NTU, which goes into fiber.
-
That website canyouseeme.org gets your source IP automatically, I guess that is the problem and the reason you don't see any hits in the firewall rule or the packet capture.
You can check that through other sites, just type in google, what is my ip address and you will be able to confirm that.
That is kind of strange because you should be seeing your pfsense WAN IP address there..
-
I've gone to: https://www.yougetsignal.com
It too has the 'other' IP address, but I changed it to my WAN IP and tried again on 3389, it says it's closed :/ -
I'm just reading my ISP uses CGNAT by default, I'm still reading, but I wonder if that could be the issue.
-
It's because somehow you have another router there, with that 121.x.x.x, in which you should configure that port forward as well.
Could that be the ISP modem? If that is the case, have you tried to configure it in bridge mode?
In case you can't, try to access it and setup the port forward there as well -
@Glaz0n4 Yes, that is the problem, CGNAT sucks
-
Ah sweet, thanks :)
Apparently you can get them to disable it.
I wonder if it's cost cutting or something, they are actually a really good ISP.
My 'regular' wifi/router device worked fine.
Thanks for your help again, really appreciate the fast response.
-
@Glaz0n4 You are welcome :)
-
If your ISP get you a good IPv6, you can try to build a VPN Tunnel, and then you can route your private IPv4 through it.
-
@Glaz0n4
you mention this in your description
"I know using a VPN is a better way to do this, however I just want to get this working first."The RDP is no longer explicitly recommended, just an example:
https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
-
Thanks for the heads up.
I got this working earlier today and could connect over 3389 directly. I then deleted the rule. I plan on doing this via a VPN and will set that up when I have some time. Open VPN seems a good way to do this. I'm about to start a job in security, so bought this device to learn more about networking and security. So it'll be a fun learning experiment!
-
OpenVPN is a completely good choice.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/using-the-openvpn-client-export-package.htmlin the meantime, these can also be good temporarily:
https://www.teamviewer.com/ -free version
https://anydesk.com/en -free version@Glaz0n4
So it'll be a fun learning experiment! -
Hello!
I have similar problems with CGNAT at a couple of sites, but am able to get by with them running the client side of a site to site openvpn connection. This might not always be possible, so I was looking for other solutions.
I noticed that pfsense has a tinc package. It might be worthwhile looking into that and a MITM VPS as a way to address the CGNAT and secure remote admin issues.
Something like this :
https://ideaman924.com/2020/02/10/using-tinc-to-get-around-double-nat/
John
-
I was able to be removed from cgnat at no cost, so went that way :)