Netgate Discussion Forum
    Need help creating my first port forwarding rule as it doesn't work.

    8 Posts 3 Posters 584 Views
    • L
      LakeWorthB
      last edited by LakeWorthB

      I am new to pfSense, and am trying to make my first port forwarding rule. And it didn't work. I am trying to forward 443 from the internet to my local server through pfSense. As a debugging step, I also connected to the WAN side subnet and tried to connect to pfsense_wan:443, but it did not get forwarded to the server on the inside. I also did a packet capture from pfSense, and can see the packets on the WAN side and on the LAN side, but don't get a response. I can also get to the server from the pfSense terminal.

      Any help?
      Here is the debugging I have done so far.

      1. Tried accessing from internet, didn't work.
      2. Tried accessing from WAN subnet, didn't work.
      3. Did a packet capture, and see the packets reaching pfSense.
      4. On the LAN side I see them getting sent to the server, but I am not sure I am getting the response.
      5. In System Logs->Firewall I don't see connection getting rejected to/from that server.

      Not sure images are uploading for me, so here is imgur link: https://imgur.com/a/hyudPxc


      • V
        viragomann
        last edited by

        Do you get out to the internet from the destination server?

        Possibly the host blocks access from outside its subnet. You can investigate that by using Diagnostics > Ping on pfSense. Enter the destination host's internal IP and try to ping with the default source, then change the source to WAN and try again. If the second test fails, the host doesn't allow access.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          @LakeWorthB said in Need help creating my first port forwarding rule as it doesn't work.:

          And on LAN side see them getting sent to server, but not sure I am getting the response.

          Because the server has a firewall, as mentioned by @viragomann, but clearly this is not pfSense.

          Did you validate the server is even listening on the port you're sending to, or that you're forwarding to the correct IP?

          If pfSense sends traffic on to the IP you told it to in the forward, and there is no response, there is nothing pfSense can do about this.

          This is all laid out in the troubleshooting doc, which clearly someone hasn't even looked at:

          https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

          Did you actually validate the server is getting it? For all we know this server is behind yet another NAT.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • L
            LakeWorthB @johnpoz
            last edited by

            @johnpoz Yes, I can do `curl -k https://internal_server` on the pfSense terminal and it works, so wouldn't this mean it is not a firewall issue? And I did read the troubleshooting guide, but nothing stood out for me, except for the "Diagnostics > States" section, as I didn't see any states that would apply for this.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              No, because that would be using the pfSense local/LAN IP as the source, i.e. the same as the server's network.


              • L
                LakeWorthB
                last edited by

                Thanks @viragomann and @johnpoz, I am getting closer. The first problem was I had changed the gateway address, but that server wasn't using DHCP, so it had the wrong gateway and couldn't get back. So now I can connect to the server from the WAN subnet, but still not from the Internet.

                If I look at the firewall log, I see something like `Sep 15 20:51:09 WAN Default deny rule IPv4 (1000000103) 4.79.142.206:33924 192.168.2.2:443TCP:S`. So it looks like when it comes in from the Internet it is getting blocked by the pfSense firewall.

                Now I look at the rules and see the automatically generated one, but it doesn't make sense to me, though it seems like what everyone has: the source/port is *, and the destination is the local server IP/port. But from the firewall log, it seems to be blocking because the destination is the WAN address. Why isn't the automatically generated rule "allow packets with source *, and destination WAN address:443"?

                • V
                  viragomann @LakeWorthB
                  last edited by

                  @LakeWorthB
                  No idea how these packets are directed to 192.168.2.2. Your NAT rule in the screenshot shows a totally different internal IP. So you may have other NAT rules, we don't know.
                  So post all your actual rules and tell us the internal IP of your server, please, otherwise there is no way to get closer.

                  • L
                    LakeWorthB
                    last edited by

                    @viragomann Thanks, I finally found the last problem: there was an old NAT rule on my modem/router which was redirecting 80/443. Thanks for your help, guys. It is working now.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.