WebDav From Router through Firewall
-
Hi,
I am currently trying to set up my WebDAV access behind my firewall. I need to forward port 5006. The server is found via DynDNS (handled by Synology).
I uploaded the NAT rules I made (erased the actual IPs, of course).
If you have any guidance for my newbie self, I am happy to learn.
Router(AVM)--->PfSense---->WebDav
-
@nasten
You have to forward the traffic on the router to the pfSense WAN and on pfSense to the WebDAV server. So on pfSense you only need a single NAT rule:
interface: WAN
destination: WAN address, port: 5006
redirect: WebDAV server, port: 5006
The NAT rule on LAN is useless.
On the router you have to set pfSense as "exposed host" or DMZ.
-
@viragomann
I changed my rule and set my FW as exposed host, but it does not seem to work:
-
@nasten
Use Diagnostics > Packet Capture while you try to connect from outside to check whether the packets arrive on the pfSense WAN interface at all.
-
@viragomann I sent you a capture.
-
^ exactly... That really is step 1 if your port forward isn't working... Nothing you do in pfSense will make any difference if the traffic is never getting to pfSense to be able to forward it.
So if it's not working, the 1st thing to validate is that traffic actually gets to pfSense.
You can use canyouseeme.org to test that it gets there... And that is working even...
Your port 5006, for example: WebDAV normally would just run on 443... But whatever TCP port you're wanting to test/use... So using your 5006...
I set up a packet capture on my WAN for port 5006, then went to canyouseeme.org and tested 5006... While I knew it would fail, since I don't have anything forwarded on that port, I can validate via my packet capture that traffic actually got to the pfSense WAN...
btw: How exactly are you testing whether this is working or not? You really need to be testing from outside... Trying to hit your WAN IP from a client on your own network to test your port forward is not valid, and would require NAT reflection... And if you're double NATed, that would complicate it even more, etc.
-
my Capture:
12:42:16.553067 IP someip.33190 > IPWebDavServer: tcp 0
12:42:17.583569 IP someip.33190 > IPWebDavServer: tcp 0
12:42:19.599888 IP someip.33190 > IPWebDavServer: tcp 0
12:42:23.631526 IP someip.33190 > IPWebDavServer: tcp 0
12:42:31.822622 IP someip.25376 > IPWebDavServer: tcp 0
Tested with RaiDrive from an external network via the internet (I use a Synology NAS).
-
johnpoz (LAYER 8, Global Moderator), Aug 26, 2021, 10:59 AM (last edited Aug 26, 2021, 11:10 AM)
Where did you do that sniff? Is that the pfSense WAN? While you show the source port from the someip, you don't show the destination port?
If that is your WAN, now sniff on the LAN side of pfSense; if it's sending the traffic to your NAS IP, then pfSense is doing what you told it to do... If your NAS doesn't answer, then that is on your NAS... Its firewall maybe? Wrong port? Maybe WebDAV not even running, etc.
Here: I created the forward to my NAS, not running WebDAV, and nothing else listening on 5006... Then did the same test from canyouseeme.
Sniffing on the local side of the pfSense interface that my NAS (192.168.9.10) is connected to, you can see pfSense sent the traffic on... But my NAS said FU, and sent a RST - connection closed! Because nothing is listening on that port.
Port forwarding is working; pfSense clearly sent the traffic on to my NAS... But it's still not going to work because I'm not running it, but you can see my NAS rejected the connection.
If you're not getting an answer, the firewall on the NAS maybe just dropped it... Maybe you're not forwarding to the correct IP? etc... But pfSense did what I told it to...
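The two-capture method described in this post (first sniff on WAN to see whether the SYN arrives, then sniff on the LAN side to see whether pfSense forwarded it and how the server replied) can be turned into a small triage script. The following is an added example, not code from the thread or from pfSense: it parses standard `tcpdump -nn` text lines (which is also what you get when you download a capture from Diagnostics > Packet Capture and run `tcpdump -nn -r` on it) and classifies the result into the four outcomes the post distinguishes. The addresses, port 5006, the server IP 192.168.9.10 and the capture lines are constructed for the example.

```python
"""Locate where a pfSense port forward breaks, from two tcpdump captures.

Added example (not from the thread): run it on your workstation against
text captures taken on the pfSense WAN and LAN interfaces while a test
from outside (e.g. canyouseeme.org) is in progress.
"""
import re

# Standard `tcpdump -nn` TCP line, e.g.
# 12:42:16.553067 IP 198.51.100.20.33190 > 203.0.113.5.5006: Flags [S], seq 1, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return one dict per TCP packet line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            packets.append(d)
    return packets


def is_syn(p):          # pure SYN: "[S]"
    return "S" in p["flags"] and "." not in p["flags"]


def is_syn_ack(p):      # "[S.]"
    return "S" in p["flags"] and "." in p["flags"]


def diagnose_forward(wan_text, lan_text, port, server_ip):
    """Classify a port-forward test. Returns (verdict, what to check next)."""
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)

    # 1. Does the SYN reach the pfSense WAN at all? Match on port only, since
    #    the WAN capture may show the WAN address or the translated server address.
    if not any(is_syn(p) and p["dport"] == port for p in wan):
        return ("NO_TRAFFIC_ON_WAN",
                "Upstream router is not passing the port to pfSense, or the test "
                "was run from inside your own network.")

    # 2. Did pfSense send it on to the server?
    if not any(is_syn(p) and p["dst"] == server_ip and p["dport"] == port for p in lan):
        return ("NOT_FORWARDED",
                "pfSense saw the SYN but did not forward it: check the WAN NAT "
                "rule's target IP/port and its associated firewall rule.")

    # 3. What did the server reply on the LAN side?
    replies = [p for p in lan if p["src"] == server_ip and p["sport"] == port]
    if any("R" in p["flags"] for p in replies):
        return ("SERVER_REFUSED",
                "Forward works; the server answered with RST, so nothing is "
                "listening on that port.")
    if any(is_syn_ack(p) for p in replies):
        return ("SERVER_ANSWERED", "Forward works end to end.")
    return ("SERVER_SILENT",
            "Forward works but the server never answered: host firewall dropping "
            "the SYN, or the NAT rule targets the wrong IP.")


# Constructed captures (RFC 5737 addresses), not real traffic from the thread.
WAN_OK = """\
12:42:16.553067 IP 198.51.100.20.33190 > 203.0.113.5.5006: Flags [S], seq 1, win 64240, length 0
12:42:17.583569 IP 198.51.100.20.33190 > 203.0.113.5.5006: Flags [S], seq 1, win 64240, length 0
"""
LAN_RST = """\
12:42:16.553201 IP 198.51.100.20.33190 > 192.168.9.10.5006: Flags [S], seq 1, win 64240, length 0
12:42:16.553344 IP 192.168.9.10.5006 > 198.51.100.20.33190: Flags [R.], seq 0, ack 2, win 0, length 0
"""
LAN_SILENT = """\
12:42:16.553201 IP 198.51.100.20.33190 > 192.168.9.10.5006: Flags [S], seq 1, win 64240, length 0
12:42:17.583700 IP 198.51.100.20.33190 > 192.168.9.10.5006: Flags [S], seq 1, win 64240, length 0
"""
LAN_SYNACK = """\
12:42:16.553201 IP 198.51.100.20.33190 > 192.168.9.10.5006: Flags [S], seq 1, win 64240, length 0
12:42:16.553400 IP 192.168.9.10.5006 > 198.51.100.20.33190: Flags [S.], seq 100, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    for name, lan in (("rst", LAN_RST), ("silent", LAN_SILENT), ("synack", LAN_SYNACK)):
        print(name, diagnose_forward(WAN_OK, lan, 5006, "192.168.9.10"))
    print("empty wan", diagnose_forward("", LAN_RST, 5006, "192.168.9.10"))
```

The "SERVER_REFUSED" case is exactly the RST the post describes (the forward is fine, nothing listens); "SERVER_SILENT" is the case where the NAS firewall drops the SYN or the rule points at the wrong host, and "NO_TRAFFIC_ON_WAN" is the case where nothing on pfSense can help because the upstream router is not handing the port over.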
-
Indeed, sorry. It arrived at WebDAV 5006 and I sniffed on WAN. I figured the problem out. Synology needs ports 5000 and 5001 to be forwarded as well. So my NAT was fine, just not complete. Thanks for your guidance, it helped me a lot.
-
johnpoz (LAYER 8, Global Moderator), Aug 26, 2021, 12:20 PM (last edited Aug 26, 2021, 12:22 PM)
@nasten said in WebDav From Router through Firewall:
Synology needs ports 5000 and 5001 to be forwarded as well
That is a freaking HORRIBLE idea - just horrible... Have you not been reading about all the Synology issues of late?
There should be no reason to expose those ports for WebDAV; it doesn't make any sense.
-
@johnpoz
No, I did not catch that. I think I'll remove those ports for Synology for now. I could set up my VPN on pfSense, so no need for WebDAV anymore. But it was a good task to learn some new stuff.
-
VPN is a much better way to access your resources remotely, for sure ;)