Port forwarding doesn't work anymore
I'm running a few servers (FTP, SSH, Apache etc.) behind a multi-WAN solution. For the moment I haven't changed the default webGUI port, so I have to access the servers through non-standard ports (for instance, I forward external port 8008 to the server's port 80). It used to work pretty well... The problem is that pfSense doesn't seem to accept NAT changes anymore, and the existing rules seem disabled.
Whatever rules I delete/create, pfSense blocks the ports... That's not a firewall issue, I created very transparent rules.
Moreover, some ports are seen as open by an external port scan, whereas they shouldn't be... For instance, trying to access the hosting computer on port 8000 displays a blank page (no source at all) in every web browser.
Any ideas? This crap is starting to drive me nuts!
I am new to pfsense and this probably isn't your problem but I'll put it out there.
Then go to Firewall > Rules (not NAT) and make sure they are pointing to the right thing.
Yes they are. Even with "allow all" style rules it doesn't work.
You don't mention which version of pfSense you are using or what packages, if any, are installed.
Whooops, that's true, my mistake. Version is 1.2.1 with the imspector, snort and ntop packages.
My first thought is that your port has somehow appeared on Snort's hit list. You don't make it totally clear if you can still access the webGUI through port 8008, since you mention blank screens from port 8000 on every browser - shouldn't this be port 80, since your machines are inside the local LAN?
The best way to determine what is going on is to make sure that you have a syslog daemon running somewhere and pass the syslog info from pfSense to it (I currently use Kiwi syslog). Then, in combination with this, look into the debug log: you can check the rules in the rules.debug log against the results in the syslog report. The rules.debug file was a great tip that I got from Jimp; to get into it go to Diagnostics > Edit File and enter /tmp/rules.debug. Once displayed you can do a ctrl-c and paste it into your editor of choice. This will at least tell you if it is pfSense doing the blocking or passing.
Aside from checking that you haven't inadvertently bridged the wrong NICs, I would check your firewall rules / aliases (if you use them) and your virtual IPs pretty carefully.
I have had problems with snort. Basically, after I installed it something started blocking valid traffic for which I had a 'pass' rule, and essentially took our e-mail and website offline for damn near a day before I realized it had happened. My forwarding was fine before snort and it is now fine again without snort, but with the same identical virtual IPs and firewall rules, so snort was definitely the culprit. I am reluctant to put it back into service (because I'm not here next week if it goes belly up again).
Can't say much about the other packages as I don't use them; all my packet capture is done externally using a dedicated Observer 11 machine as and when needed.
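The cross-check described in the reply above (compare the rdr/pass rules in /tmp/rules.debug against the block/pass lines pf writes to syslog) as a small added script; this is not code from the thread or from pfSense. The rules.debug and syslog samples are constructed and simplified for the example, so the two regexes are tuned to those samples rather than to the exact output of a given pfSense release. A block on a port that has an rdr rule is the signature the reply describes: the NAT ruleset forwards it, so something else (on the poster's box, Snort) is dropping it.

```python
import re

# Constructed sample of /tmp/rules.debug lines (simplified pf syntax, not from a real box).
RULES_DEBUG = """\
rdr on em0 proto tcp from any to 203.0.113.10 port 8008 -> 192.168.1.20 port 80
rdr on em0 proto tcp from any to 203.0.113.10 port 2222 -> 192.168.1.21 port 22
pass in quick on em0 proto tcp from any to 192.168.1.20 port 80 keep state
pass in quick on em0 proto tcp from any to 192.168.1.21 port 22 keep state
"""

# Constructed syslog lines in a simplified pf log style: "<action> in on <if>: src.port > dst.port: proto".
SYSLOG = """\
May 10 12:00:01 pfsense pf: block in on em0: 198.51.100.5.40001 > 203.0.113.10.8008: tcp
May 10 12:00:02 pfsense pf: pass in on em0: 198.51.100.5.40002 > 203.0.113.10.2222: tcp
May 10 12:00:03 pfsense pf: block in on em0: 198.51.100.7.40003 > 203.0.113.10.9999: tcp
"""

RDR_RE = re.compile(r"^rdr on (\S+) proto (\S+) from any to (\S+) port (\d+) -> (\S+) port (\d+)")
LOG_RE = re.compile(r"pf: (block|pass) in on (\S+): (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")


def parse_rdr(text):
    """Return {(iface, proto, ext_ip, ext_port): (int_ip, int_port)} for every rdr rule."""
    fwd = {}
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if m:
            iface, proto, ext_ip, ext_port, int_ip, int_port = m.groups()
            fwd[(iface, proto, ext_ip, int(ext_port))] = (int_ip, int(int_port))
    return fwd


def classify_blocks(rules_text, syslog_text):
    """For each blocked inbound connection in the syslog, report whether a forward exists.
    'forward exists' means the NAT ruleset would have redirected it, so the block did not
    come from the rules in rules.debug; 'no forward' is the expected default deny."""
    fwd = parse_rdr(rules_text)
    out = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(1) != "block":
            continue
        _action, iface, src, _sport, dst, dport, proto = m.groups()
        if (iface, proto, dst, int(dport)) in fwd:
            out.append((src, int(dport), "forward exists -> blocked outside NAT rules"))
        else:
            out.append((src, int(dport), "no forward -> expected block"))
    return out


if __name__ == "__main__":
    for src, port, verdict in classify_blocks(RULES_DEBUG, SYSLOG):
        print(f"{src} -> port {port}: {verdict}")
```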
Looks like snort was causing all the mess; I shut it down and now everything is okay. However, this isn't a solution, I really need snort. Any ideas? I really can't find any rules which would block traffic...