Need help creating my first port forwarding rule as it doesn't work.



  • I am new to pfSense, and am trying to make my first port forwarding rule. And it didn't work. I am trying to forward 443 from the internet to my local server through pfSense. As a debug, I also connected to the WAN side subnet, and tried to connect to pfsense_wan:443, but it did not get forwarded to the server on the inside. I also did a packet capture from pfSense, and can see the packets on the WAN side, and on the LAN side, but don't get a response. I can also get to the server from the pfSense terminal.

    Any help?
    Here is the debugging I have done so far.

    1. Tried accessing from internet, didn't work.
    2. Tried accessing from WAN subnet, didn't work.
    3. Did packet capture, and see the packets reaching pfSense
    4. And on LAN side see them getting sent to server, but not sure I am getting the response.
    5. In System Logs->Firewall I don't see connection getting rejected to/from that server.

    Not sure images are uploading for me, so here is imgur link: https://imgur.com/a/hyudPxc




  • Do you get out to the internet from the destination server?

    Possibly the host blocks access from outside its subnet. You can investigate that by using Diagnostics > Ping on pfSense. Enter the destination host's internal IP and try to ping with the default source, then change the source to WAN and try again. If the second test fails, the host doesn't allow access.


  • LAYER 8 Global Moderator

    @LakeWorthB said in Need help creating my first port forwarding rule as it doesn't work.:

    And on LAN side see them getting sent to server, but not sure I am getting the response.

    Because the server has a firewall as mentioned by @viragomann but clearly this is not pfsense.

    Did you validate the server is even listening on the port you're sending, or that you're forwarding to the correct IP?

    If pfsense sends traffic on to the IP you told it to in the forward, and there is no response, there is nothing pfsense can do about this.

    This is all laid out in the troubleshooting doc, which clearly someone hasn't even looked at

    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    Did you actually validate the server is getting it - for all we know this server is behind yet another nat?



  • @johnpoz Yes, I can do `curl -k https://internal_server` on the pfSense terminal and it works, so wouldn't this mean it is not a firewall issue? And I did read the troubleshooting guide, but nothing stood out for me, except for the "Diagnostics > States" section, as I didn't see any states that would apply for this.


  • LAYER 8 Global Moderator

    No, because that would be using the pfSense local/LAN IP as the source, i.e. the same as the server's network.



  • Thanks @viragomann and @johnpoz, I am getting closer. The first problem was I had changed the gateway address, but that server wasn't using DHCP, so it had the wrong gateway and couldn't get back. So now I can connect to the server from the WAN subnet, but still not from the Internet.

    If I look at the firewall log, I see something like `Sep 15 20:51:09 WAN Default deny rule IPv4 (1000000103) 4.79.142.206:33924 192.168.2.2:443 TCP:S`. So it looks like when it comes in from the Internet it is getting blocked by the pfSense firewall.

    Now I look at the rules, and see the automatically generated one, but it doesn't make sense to me, but seems like what everyone has, where the source/port is *, and the destination is the local server IP/port. But from the firewall log, it seems to be blocking because the destination is the WAN address. Why isn't the automatically generated rule "allow packets with source *, and destination WAN address:443"?
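    The question above hinges on what the firewall log actually records. pfSense (pf) applies the port-forward NAT before the filter rules are evaluated, so a logged inbound packet shows the post-NAT destination: if the forward matched, the logged destination is the internal server, and the auto-generated rule with the internal IP as destination is the one that should pass it; if the logged destination is still the WAN address, the port forward itself never matched and the default deny on WAN is what fires. The script below is an added example (not code from this thread or from pfSense) that parses log lines in the shape pasted above and classifies each blocked packet accordingly. It assumes that pasted shape is the web UI rendering (the raw filterlog format on disk is different and is not handled here); the WAN address, the forward target and the sample lines are constructed placeholders.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address
from typing import List, Optional

# Assumption: a firewall-log line as rendered by the pfSense web UI and pasted
# in the thread, e.g.
#   Sep 15 20:51:09 WAN Default deny rule IPv4 (1000000103) 4.79.142.206:33924 192.168.2.2:443TCP:S
# (the protocol may be glued to the destination port, as in the paste).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<rule_id>\d+)\)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*"
    r"(?P<proto>[A-Za-z]+)(?::(?P<flags>\S+))?$"
)


@dataclass
class LogEntry:
    iface: str
    rule: str
    rule_id: str
    src: IPv4Address
    sport: int
    dst: IPv4Address          # post-NAT destination, as pfSense logs it
    dport: int
    proto: str
    flags: Optional[str]
    blocked: bool


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one rendered log line; returns None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rule = m["rule"]
    return LogEntry(
        iface=m["iface"], rule=rule, rule_id=m["rule_id"],
        src=ip_address(m["src"]), sport=int(m["sport"]),
        dst=ip_address(m["dst"]), dport=int(m["dport"]),
        proto=m["proto"].upper(), flags=m["flags"],
        blocked=("deny" in rule.lower()) or ("block" in rule.lower()),
    )


def diagnose(entry: LogEntry, wan_ip: str, target_ip: str, target_port: int) -> str:
    """Classify a logged packet relative to a port forward WAN:target_port -> target_ip:target_port.

    Returns one of:
      "pass"                 - the entry is not a block at all
      "no-nat-match"         - destination is still the WAN address: the port
                               forward never matched (check its interface,
                               protocol, destination 'WAN address' and port)
      "nat-ok-filter-blocked"- NAT rewrote the destination to the target, but
                               no firewall rule passed it (check the associated
                               rule exists on WAN with the internal IP/port)
      "other-internal-host"  - the packet was rewritten to some other inside
                               host: a different NAT rule is taking effect
    """
    if not entry.blocked:
        return "pass"
    if entry.dst == ip_address(wan_ip):
        return "no-nat-match"
    if entry.dst == ip_address(target_ip) and entry.dport == target_port:
        return "nat-ok-filter-blocked"
    return "other-internal-host"


def diagnose_lines(lines: List[str], wan_ip: str, target_ip: str, target_port: int) -> List[str]:
    """Run diagnose() over a batch of rendered log lines, skipping unparseable ones."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            results.append(diagnose(entry, wan_ip, target_ip, target_port))
    return results


# Constructed sample: the line from the thread plus two made-up variants.
SAMPLE_LINES = [
    "Sep 15 20:51:09 WAN Default deny rule IPv4 (1000000103) 4.79.142.206:33924 192.168.2.2:443TCP:S",
    "Sep 15 20:52:31 WAN Default deny rule IPv4 (1000000103) 4.79.142.206:33980 192.168.1.50:443 TCP:S",
    "Sep 15 20:53:02 WAN NAT https to server (1600129475) 4.79.142.206:34002 192.168.1.50:443 TCP:S",
]

if __name__ == "__main__":
    # Constructed placeholders: pfSense WAN address and the forward's target.
    for line, verdict in zip(SAMPLE_LINES, diagnose_lines(SAMPLE_LINES, "192.168.2.2", "192.168.1.50", 443)):
        print(f"{verdict:24} {line}")
```

Reading the verdicts against the thread: a `no-nat-match` result for a deny whose destination is the WAN address means the "source *, destination WAN address:443" rule the poster expected would not help, because the packet was dropped for never being translated rather than for failing the pass rule; the thing to check is the port-forward definition itself and anything upstream that might be rewriting or diverting the port before pfSense sees it.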



  • @LakeWorthB
    No idea how these packets are directed to 192.168.2.2. Your NAT rule in the screenshot shows a totally different internal IP. So you may have other NAT rules, we don't know.
    So post all your actual rules and tell us the internal IP of your server, please, otherwise there is no way to get closer.



  • @viragomann Thanks, I finally found the last problem: there was an old NAT rule on my modem/router, which was redirecting 80/443. Thanks for your help, guys. It is working now.

