Port forwarding requiring separate outbound rule. Turning off port forward doesn't work. My firewall is broke... Help!
-
I am far from a network expert but great at following tutorials etc. My network consists of one WAN, a LAN, and a VLAN. I am not worried about the devices on the LAN communicating with one another and also have a server on the LAN. The VLAN consists of my kids' devices and all smarthome devices. Some devices on either network need to contact devices on the other, such as a printer on the VLAN and them watching media on the LAN.
Both the LAN and VLAN have the ability to have devices go out through a VPN connection via selective routing aliases. I also have rules so devices going out through the VPN have an open NAT connection.
At this point I have followed so many random things that a lot of the rules confuse me as to how they work now, and I have a problem I have put around 20 hours into and can't figure out a solution for.
When I create a simple port forwarding rule for an Ark: Survival Evolved server, and allow it to create the associated interface rules, it somehow doesn't work. When I go and try to connect to the server from an external device it cannot connect to it. The logs won't show any sign of it being blocked. After 20 hours of troubleshooting, scratching my head, changing things, breaking other aspects and changing things back, and lastly resetting the firewall as a whole and restoring from backup, I found a solution... I am able to create an outbound NAT rule for the specific port I need and it works fine.
TLDR: I create a port forward and still can't connect, while I have plenty of others that work fine. If I create an outbound NAT rule as well it works. Why do I have to create an outbound NAT rule now for some select port forwards while others that have been there work? If I pause an existing port forwarding rule I can still ping that rule after clearing the states and rebuilding the rules as well. Doesn't make sense to me....
Here's some associated screenshots.
-
Basically, pfSense automatically creates the WAN outbound NAT rules in hybrid mode for all internal networks.
However, maybe if you change your network settings, the outbound NAT does not get updated. Your screenshot doesn't show the automatically generated rules and I don't know your network settings, so I cannot verify. They should cover all your internal networks, the LAN and VLAN.
-
@viragomann thanks for the reply. It's actually normally set on full manual mode with all of the existing rules, not including the hybrid auto rules at the bottom. I changed it to hybrid to try and get the Ark server through and when it didn't work forgot to change it back to manual. These are all of my rules. I basically took all of the auto generated ones and made sure each one existed for the WAN and VPNGATEWAY.
-
@wolfhunter1043 said in Port forwarding requiring separate outbound rule. Turning off port forward doesn't work. My firewall is broke... Help!:
It's actually normally set on full manual mode
Why? If you want to NAT out your VPN, all that is needed is hybrid and adding an outbound NAT rule for your VPN interface. There is no need to do full manual.
-
@johnpoz the reason I had to go to full manual was an issue I was having with wifi calling and texts with Verizon phones on wifi. After a lot of searching I found various other people with the same issue, and one solution that ended up working was full manual mode with all of the associated rules. I may have overdone the rules as I don't fully understand them, but I mirrored the tutorial as best as I could for my setup. It did solve the issues with wifi calling and texts over wifi though.
-
@wolfhunter1043
Quite a lot of outbound NAT rules!
These ones for dest port 4500 with no static port are useless. You may have to enable static port in these. However, they are only needed for IPsec, and I assume that you don't run IPsec over OpenVPN.
But that has nothing to do with your issue. What pfSense version are you running?
What shows Status > Gateways?
-
@viragomann Thank you, unfortunately most of those are foreign to me. I disabled the IPsec rules as I don't believe I'm using them then. If nothing breaks I'll delete them. Here is my version and box info as well as gateway status.
I am on 2.6.0-DEVELOPMENT now however I was on the standard release software and tried the development one just to see if it helped.
-
@wolfhunter1043
OK, I cannot see any reason why this should not work.
If you access the Ark server from the Internet and your port forwards and firewall rules are correct (I don't know its requirements), you should succeed. That has nothing to do with outbound NAT. Since you might have multiple internal network segments, are you able to access the server from another network?
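One way to check the firewall's own record of what happened to traffic for the forwarded game-server port, as an added example that is not part of this thread: the script below parses pfSense filterlog lines (the CSV part after `filterlog[pid]:` in the system log) and tallies pass/block decisions per interface together with the tracker ID of the matching rule. The sample log lines, the interface names `igb0`/`igb1` and the addresses are constructed; the field layout follows the pfSense 2.x filter log format.

```python
# Added example (not from the thread): parse pfSense filterlog CSV lines and
# report what the firewall did with traffic to a forwarded game-server port.
# Assumption: field layout per the pfSense 2.x "Filter Log Format"; the sample
# lines below are constructed and use RFC 5737 documentation addresses.
import csv
import io

# Fields common to every filterlog line, followed by the IPv4 header fields.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]

def parse_filterlog(line: str) -> dict:
    """Return a dict for one IPv4 filterlog line (TCP/UDP ports decoded)."""
    fields = next(csv.reader(io.StringIO(line)))
    rec = dict(zip(COMMON, fields[:9]))
    if rec["ipver"] != "4":
        raise ValueError("only IPv4 lines are handled in this example")
    rec.update(zip(IPV4, fields[9:17]))
    rec["length"], rec["src"], rec["dst"] = fields[17:20]
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"], rec["dport"] = int(fields[20]), int(fields[21])
    return rec

def summarize_port(lines, dport: int, proto: str = "udp") -> dict:
    """Map (interface, action) -> list of rule tracker IDs for dport/proto.

    A reachable port forward shows 'pass' on the WAN (if its pass rule logs)
    and no 'block'; a blocked port shows 'block' with the tracker ID of the
    rule that matched, which can be looked up under Firewall > Rules.
    """
    out = {}
    for line in lines:
        rec = parse_filterlog(line)
        if rec.get("proto") != proto or rec.get("dport") != dport:
            continue
        out.setdefault((rec["iface"], rec["action"]), []).append(rec["tracker"])
    return out

# Constructed sample: two blocks and one pass on WAN igb0 for UDP/7777, plus
# unrelated LAN (igb1) TCP traffic that must be ignored.
SAMPLE = [
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,203.0.113.9,198.51.100.20,51234,7777,40",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,203.0.113.9,198.51.100.20,51235,7777,40",
    "70,,,1600000001,igb0,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,203.0.113.9,198.51.100.20,51236,7777,40",
    "90,,,1600000002,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.10,40000,445,0,S,1,,65535,,mss",
]

if __name__ == "__main__":
    for (iface, action), trackers in summarize_port(SAMPLE, 7777).items():
        print(f"{iface} {action}: {len(trackers)} packet(s), rule tracker(s) {sorted(set(trackers))}")
```

On a live box the same lines come from `clog /var/log/filter.log` (or the Status > System Logs > Firewall view); only rules with logging enabled produce entries, so an empty result for the port means no logging rule saw it, not that nothing happened.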