Port Forwarding not working on ESXi
-
I have a few port forwarding rules setup, neither working. Setup is this:
I also have an ICMP PASS rule
For any of these rules, I cannot connect to the IP addr - just get timeout.
Here is my setup in ESXi:
WAN Port Group connects WAN interface of pfsense to "outside world". On my router (outside of the VMWare server) I see the IP addr assigned to the MAC listed here:
The other port group has the LAN interface for pfsense, and all VMs in this isolated network:
PROBLEM: I cannot ping the IP address assigned to the WAN port of pfsense. I cannot initiate an SSH session to one of the Linux VMs in the LAN port group, and cannot pass 443 traffic to a web server in the LAN port group.
The LAN port group is called THY-GRP-01, and it is assigned a v-switch called vSwThycotic. The WAN port group is called WAN and is assigned a v-switch called WAN.
This is my 1st exposure to pfsense. Any help is appreciated. I know I am probably missing something simple. And I think it is on the VMWare ESXi side.
-
@edbreay said in Port Forwarding not working on ESXi:
And I think it is on the VMWare ESXi side.
Hi,
Your rule(s) is a simple port forward, which looks good, although it is quite dangerous if opened on a WAN with a public IP - don't forget the scanners that specifically like SSH 22
push this SSH port to 50 - 60K after you find the problem on this ESXi config
++++edit:
I suggest, from experience (ESXi), don't try to build the whole virtual environment the first time (in one step), build it step by step and test that each step works as expected.
-
@daddygo Probably not as dangerous as you think, sftp uses the same port that ssh uses.
I have the following on my box that I port forward ssh/sftp to:-
```
$ more /etc/pf.conf
#
# Macros
#
BRUTEFORCEPORTS="{ssh}"
LOCALSUBNETS="{172.16.0.0/12, 2a02:xxxx:yyyy::/48}"
NONLOCALSUBNETS="{!172.16.0.0/12, !2a02:xxxx:yyyy::/48}"
#
# Tables
#
table <bruteforce> persist
#
# Block Rules
#
block quick from <bruteforce>
#
# Pass Rules
#
pass quick from $LOCALSUBNETS
pass log proto tcp from $NONLOCALSUBNETS to $LOCALSUBNETS port $BRUTEFORCEPORTS flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/60, overload <bruteforce> flush global)
```
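As an added illustration (not code from this thread, and not pf's own implementation), here is a small Python model of what the source-tracking options on that last pass rule do: it assumes a simplified accounting of `max-src-conn 5`, `max-src-conn-rate 5/60` and `overload <bruteforce> flush global`, and replays it over constructed connection attempts from RFC 5737 documentation addresses rather than any real host.

```python
from collections import defaultdict, deque
MAX_SRC_CONN = 5                 # max-src-conn: concurrent states per source
RATE_LIMIT, RATE_WINDOW = 5, 60  # max-src-conn-rate 5/60: new states per 60 s

class BruteForceGuard:
    """Simplified, assumed model of pf's source tracking; not pf's own code."""
    def __init__(self):
        self.bruteforce = set()              # the <bruteforce> table
        self.open_states = defaultdict(int)  # concurrent states per source
        self.recent = defaultdict(deque)     # timestamps of recent SYNs per source

    def overload(self, src):
        # overload <bruteforce> flush global: table entry plus all states killed
        self.bruteforce.add(src)
        self.open_states.pop(src, None)
        self.recent.pop(src, None)

    def syn(self, ts, src):
        """Return True if the SYN creates a state, False if it is blocked."""
        if src in self.bruteforce:
            return False                     # 'block quick from <bruteforce>'
        window = self.recent[src]
        while window and ts - window[0] > RATE_WINDOW:
            window.popleft()                 # drop SYNs outside the 60 s window
        window.append(ts)
        if len(window) > RATE_LIMIT or self.open_states[src] + 1 > MAX_SRC_CONN:
            self.overload(src)
            return False
        self.open_states[src] += 1
        return True

    def close(self, src):
        if self.open_states.get(src, 0) > 0:
            self.open_states[src] -= 1       # state torn down (FIN/RST/timeout)

def replay(events):
    """events: (ts, src, 'syn'|'fin'); returns (SYNs allowed, table contents)."""
    guard, allowed = BruteForceGuard(), 0
    for ts, src, kind in events:
        if kind == "syn":
            allowed += guard.syn(ts, src)
        else:
            guard.close(src)
    return allowed, sorted(guard.bruteforce)

# Constructed sample (RFC 5737 addresses): a scanner sends 6 SYNs in one minute;
# a normal client opens one session, closes it, then opens another.
SAMPLE = ([(t, "203.0.113.9", "syn") for t in range(0, 60, 10)]
          + [(5, "198.51.100.4", "syn"), (30, "198.51.100.4", "fin"),
             (40, "198.51.100.4", "syn")])
```

Running `replay(SAMPLE)` shows the scanner's sixth SYN tripping the rate limit and landing it in the table while the normal client is untouched.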
-
@nogbadthebad said in Port Forwarding not working on ESXi:
Probably not as dangerous as you think, sftp uses the same port that ssh uses.
hmmmm?
We are also using SFTP and have had several flooding attacks on SSH 22 from say China (since then China is also out of the picture), hihihihi
The solution is this, yup and easier too
+++edit:
although a nice solution yours too
-
@daddygo I do also filter on pfSense to only allow trusted countries:-
The issue with changing the port is you have to keep reminding people to set the port in their sftp client to something other than 22, also my server is sat in a DMZ.
The server blocks the source address after 5 failed attempts, using the script I posted.
-
@nogbadthebad said in Port Forwarding not working on ESXi:
The issue with changing the port is you have to keep reminding people to set the port in their sftp client to something other than 22
We have a bigger system(s) behind pfSense(s) than my home box, so I have to think like this....
since I configure FileZilla clients myself I just have to remind myself..... 49121
(it is true that there are about 70 - 80 of them) yes, and I prefer not to be defensive about the problem at hand (if I know), I prefer to hide, the ban also requires CPU time
++++edit:
It's always in the back of my mind when I start a fresh VPS and I don't have time to deal with it for a few days, by the time I get to Fail2ban or it generates a thousand logs because of port 22
-
@daddygo I should have mentioned that the WAN address is private (192.168.x.x) and it is coming from my home office router. So, no worries on the address side. The VMs are a test lab I migrated from another VMWare workstation host.
I was just using pfsense because VMWare ESXi does not have NAT capability like VMWare Workstation does.
So, my issue is just getting the Networking correct in ESXi, I suppose.... it is not a Port Forwarding/Firewall Rule issue.
-
@edbreay said in Port Forwarding not working on ESXi:
I suppose.... it is not a Port Forwarding/Firewall Rule issue.
correct statement - (but pls. see the last sentence)
we could go deeper into the ESXi configuration, but this is the pfSense community and I'm not sure if they want to know about specific ESXi settings
try again step by step and test from a host outside - +vswitch
and with dual NAT there are exactly port forward problems on the WAN interface (RFC1918 on WAN)
+++edit (I will help you with this):
@edbreay "it is coming from my home office router" if you want to access the Linux machine from the outside (truly outside from internet), you need to forward a port to the pfSense WAN on this router as well