Netgate Discussion Forum

    Port Forwarding not working on ESXi

    • edbreay

      I have a few port forwarding rules set up, none of them working. Setup is this:

      1cea8b94-8cef-4753-a262-1d37bec1baa4-image.png

      3806776e-4862-430b-bce6-69a0297fb7cb-image.png
      I also have an ICMP PASS rule
      107aaa89-461e-4f3c-8983-1baa2c5f3d22-image.png
      For any of these rules, I cannot connect to the IP addr - just get timeout.
      Here is my setup in ESXi:
      WAN Port Group connects the WAN interface of pfSense to the "outside world". On my router (outside of the VMware server) I see the IP addr assigned to the MAC listed here:
      14776d6f-24af-4503-9376-769ef5fde6d7-image.png
      The other port group has the LAN interface for pfSense, and all VMs in this isolated network:
      a711aa47-20e4-4c0f-8cbf-76d5cf2c2365-image.png

      PROBLEM: I cannot ping the IP address assigned to the WAN port of pfsense. I cannot initiate an SSH session to one of the Linux VMs in the LAN port group, and cannot pass 443 traffic to a web server in the LAN port group.

      The LAN port group is called THY-GRP-01, and it is assigned a v-switch called vSwThycotic. The WAN port group is called WAN and is assigned a v-switch called WAN.

      This is my first exposure to pfSense. Any help is appreciated. I know I am probably missing something simple. And I think it is on the VMware ESXi side.

      • DaddyGo @edbreay

        @edbreay said in Port Forwarding not working on ESXi:

        And I think it is on the VMware ESXi side.

        Hi,

        Your rules are simple port forwards, which look good, although it is quite dangerous if opened on a WAN with a public IP - don't forget the scanners that specifically like SSH 22

        push this SSH port to 50 - 60K after you find the problem on this ESXi config 😉

        ++++edit:

        I suggest, from experience (ESXi), don't try to build the whole virtual environment the first time (in one step), build it step by step and test that each step works as expected.

        Cats bury it so they can't see it!
        (You know what I mean if you have a cat)

        • NogBadTheBad @DaddyGo

          @daddygo Probably not as dangerous as you think, sftp uses the same port that ssh uses.

          I have the following on my box that I port forward ssh/sftp to:-

          $ more /etc/pf.conf
          #
          # Macros
          #
          BRUTEFORCEPORTS="{ssh}"
          LOCALSUBNETS="{172.16.0.0/12, 2a02:xxxx:yyyy::/48}"
          NONLOCALSUBNETS="{!172.16.0.0/12, !2a02:xxxx:yyyy::/48}"
          #
          # Tables
          #
          table <bruteforce> persist
          #
          # Block Rules
          #
          block quick from <bruteforce>
          #
          # Pass Rules
          #
          pass quick from $LOCALSUBNETS
          pass log proto tcp from $NONLOCALSUBNETS to $LOCALSUBNETS port $BRUTEFORCEPORTS flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/60, overload <bruteforce> flush global)
          $ 
          
          

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

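The pf rules in the post above do not count failed logins; they count new TCP connections per source address, pass local subnets before any limit applies, and push an offender into the <bruteforce> table, which is checked before everything else. The following Python model is an added example, not the poster's script or pf itself: it reproduces that rule ordering and the max-src-conn-rate 5/60 plus overload/flush behaviour on constructed connection attempts. The IPv6 prefix (elided in the post) is replaced by a documentation prefix, and the sliding window is an approximation of pf's per-source rate tracking.

```python
"""Model of the pf brute-force ruleset: local subnets pass unconditionally,
every other source may open at most 5 new SSH connections per 60 seconds,
and a source that exceeds that goes into <bruteforce>, which is blocked
ahead of all other rules.

Added example, not the poster's configuration; all addresses are constructed."""
import ipaddress
from collections import defaultdict, deque

# $LOCALSUBNETS from the posted pf.conf; the v6 prefix there is elided, so a
# documentation prefix stands in for it here (constructed placeholder).
LOCALSUBNETS = [ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("2001:db8::/48")]


class BruteForceGuard:
    """Per-source sliding-window equivalent of
    max-src-conn-rate 5/60, overload <bruteforce> flush global."""

    def __init__(self, limit=5, window=60):
        self.limit = limit                 # max-src-conn-rate 5/...
        self.window = window               # .../60 seconds
        self.bruteforce = set()            # table <bruteforce> persist
        self.recent = defaultdict(deque)   # src -> timestamps of new connections
        self.states = defaultdict(int)     # src -> open states (only to show flush)

    def new_connection(self, ts, src):
        """Verdict for a TCP SYN from src at time ts (seconds):
        'block', 'pass-local', 'pass' or 'overload'."""
        ip = ipaddress.ip_address(src)
        # block quick from <bruteforce> is the first rule in the set
        if src in self.bruteforce:
            return "block"
        # pass quick from $LOCALSUBNETS: never rate-limited
        if any(ip in net for net in LOCALSUBNETS):
            return "pass-local"
        seen = self.recent[src]
        while seen and ts - seen[0] >= self.window:
            seen.popleft()                 # forget connections older than the window
        seen.append(ts)
        self.states[src] += 1              # keep state
        if len(seen) > self.limit:
            # overload <bruteforce> flush global: ban the source and drop all of
            # its existing states, not only the connection that tripped the limit
            self.bruteforce.add(src)
            self.states[src] = 0
            self.recent.pop(src, None)
            return "overload"
        return "pass"


# Constructed connection attempts: (seconds, source address)
CONNECTIONS = [
    (0, "172.16.5.9"),                       # local subnet: always passes
    (1, "203.0.113.7"), (2, "203.0.113.7"), (3, "203.0.113.7"),
    (4, "203.0.113.7"), (5, "203.0.113.7"),  # five within 60 s is allowed
    (6, "203.0.113.7"),                      # sixth: overloaded into <bruteforce>
    (7, "203.0.113.7"),                      # now hits block quick
    (500, "203.0.113.7"),                    # table persists: still blocked
    (500, "198.51.100.4"),                   # unrelated source is unaffected
]


def run_demo():
    """Return [(ts, src, verdict), ...] for CONNECTIONS."""
    guard = BruteForceGuard()
    return [(ts, src, guard.new_connection(ts, src)) for ts, src in CONNECTIONS]


def window_demo():
    """Five connections at t=0..4, then one at t=70: the window has emptied,
    so the sixth still passes (the limit is a rate, not a lifetime count)."""
    guard = BruteForceGuard()
    verdicts = [guard.new_connection(t, "192.0.2.9") for t in range(5)]
    verdicts.append(guard.new_connection(70, "192.0.2.9"))
    return verdicts


if __name__ == "__main__":
    for ts, src, verdict in run_demo():
        print(f"t={ts:>4}s {src:<15} {verdict}")
```

The model makes one property of the real rule visible: a client that legitimately opens six SFTP sessions in a minute is banned just like a scanner, because pf only sees connection rate, not authentication results.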
          • DaddyGo @NogBadTheBad

            @nogbadthebad said in Port Forwarding not working on ESXi:

            Probably not as dangerous as you think, sftp uses the same port that ssh uses.

            hmmmm? 😉

            We are also using SFTP and have had several flooding attacks on SSH 22 from say China (since then China is also out of the picture), hihihihi

            1bdea435-8dcc-4763-9718-5c9c39b11386-image.png

            The solution is this, yup and easier too

            +++edit:

            although a nice solution yours too 😉

            Cats bury it so they can't see it!
            (You know what I mean if you have a cat)

            • NogBadTheBad @DaddyGo

              @daddygo I do also filter on pfSense to only allow trusted countries:-

              Screenshot 2021-09-02 at 21.02.55.png

              The issue with changing the port is you have to keep reminding people to set the port in their sftp client to something other than 22, also my server is sat in a DMZ.

              The server blocks the source address after 5 failed attempts, using the script I posted.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • DaddyGo @NogBadTheBad

                @nogbadthebad said in Port Forwarding not working on ESXi:

                The issue with changing the port is you have to keep reminding people to set the port in their sftp client to something other than 22

                We have a bigger system(s) behind pfSense(s) than my home box, so I have to think like this.... 😉

                since I configure FileZilla clients myself I just have to remind myself..... 49121
                (it is true that there are about 70 - 80 of them)

                yes and I prefer not to be defensive about the problem at hand (if I know), I prefer to hide, the ban also requires CPU time

                ++++edit:

                It's always in the back of my mind when I start a fresh VPS and I don't have time to deal with it for a few days, by the time I get to Fail2ban or it generates a thousand logs because of port 22

                Cats bury it so they can't see it!
                (You know what I mean if you have a cat)

                • edbreay @DaddyGo

                  @daddygo I should have mentioned that the WAN address is private (192.168.x.x) and it is coming from my home office router. So, no worries on the address side. The VMs are a test lab I migrated from another VMware Workstation host.
                  I was just using pfSense because VMware ESXi does not have NAT capability like VMware Workstation does.
                  So, my issue is just getting the networking correct in ESXi, I suppose.... it is not a Port Forwarding/Firewall Rule issue.

                  • DaddyGo @edbreay

                    @edbreay said in Port Forwarding not working on ESXi:

                    I suppose.... it is not a Port Forwarding/Firewall Rule issue.

                    correct statement 😉 - (but pls. see the last sentence)

                    we could go deeper into the ESXi configuration, but this is the pfSense community and I'm not sure if they want to know about specific ESXi settings

                    try again step by step and test from a host outside - +vswitch

                    and with dual NAT there are exactly port forward problems on the WAN interface (RFC1918 on WAN)

                    +++edit (I will help you with this):
                    @edbreay "it is coming from my home office router"

                    if you want to access the Linux machine from the outside (truly outside from internet), you need to forward a port to the pfSense WAN on this router as well

                    Cats bury it so they can't see it!
                    (You know what I mean if you have a cat)

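DaddyGo's two closing points (double NAT with RFC1918 on the pfSense WAN, and the need for a forward on the home router as well) can be checked as a small model. The Python below is an added example, not pfSense or ESXi code; every address is a constructed documentation or private address, not the poster's network. It chains two DNAT hops (home router, then pfSense) and shows where a packet is dropped when the outer forward is missing. It also models one pfSense-specific check worth making in exactly this setup: the WAN-interface option "Block private networks and loopback addresses", which is on by default for a pfSense WAN, drops RFC1918 sources before any port-forward rule is reached, so a test client on the home router's 192.168 network is blocked even when the port forward itself is correct, while a genuinely external client whose source stays public after the router's DNAT is not.

```python
"""Model of a port forward crossing two NAT devices: the home-office router
(public WAN, RFC1918 LAN) in front of the pfSense WAN, which in turn forwards
to a VM on the isolated ESXi port group.

Added example, not pfSense or ESXi code; the addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

# What pfSense's "Block private networks" option matches on the WAN (RFC1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatDevice:
    name: str
    wan_ip: str
    # dport on the WAN address -> (inside address, inside port)
    forwards: dict = field(default_factory=dict)
    # pfSense WAN option "Block private networks and loopback addresses"
    block_private_on_wan: bool = False

    def inbound(self, pkt):
        """WAN-side processing: the DNAT'd packet, or None if the device drops it."""
        if pkt.dst != self.wan_ip:
            return None   # not addressed to this WAN, so no forward applies
        if self.block_private_on_wan and is_rfc1918(pkt.src):
            return None   # RFC1918 source dropped before the port-forward rule is reached
        target = self.forwards.get(pkt.dport)
        if target is None:
            return None   # no forward for this port: WAN default deny
        return Packet(pkt.src, target[0], target[1])


def deliver(pkt, devices):
    """Push pkt through the devices in order; returns [(device, destination after DNAT or None)]."""
    path = []
    for dev in devices:
        pkt = dev.inbound(pkt)
        path.append((dev.name, None if pkt is None else f"{pkt.dst}:{pkt.dport}"))
        if pkt is None:
            break
    return path


def build_lab(router_forwards=True, block_private=False):
    """Two-NAT lab (constructed): router 203.0.113.10 -> pfSense WAN 192.168.1.50 -> VMs in 10.0.0.0/24."""
    router = NatDevice("home-router", "203.0.113.10",
                       {443: ("192.168.1.50", 443)} if router_forwards else {})
    pfsense = NatDevice("pfSense", "192.168.1.50",
                        {443: ("10.0.0.20", 443), 22: ("10.0.0.21", 22)},
                        block_private_on_wan=block_private)
    return [router, pfsense]


def from_internet(router_forwards=True, block_private=False):
    """Client on the internet connects to the router's public address on 443."""
    return deliver(Packet("198.51.100.7", "203.0.113.10", 443),
                   build_lab(router_forwards, block_private))


def from_home_lan(block_private=False):
    """Client on the home-office LAN connects straight to the pfSense WAN address
    (the test the original poster is doing), so only pfSense is in the path."""
    pfsense = build_lab(True, block_private)[1]
    return deliver(Packet("192.168.1.20", "192.168.1.50", 443), [pfsense])


if __name__ == "__main__":
    print("internet, both forwards:    ", from_internet())
    print("internet, no router forward:", from_internet(router_forwards=False))
    print("home LAN, pfSense default:  ", from_home_lan())
    print("home LAN, block private on: ", from_home_lan(block_private=True))
```

Run from the home LAN, the model reproduces the poster's symptom only when the private-network block is on, which is the first thing to look at on the pfSense WAN tab before touching the vSwitch configuration; run from the internet, the drop moves to the home router until that device forwards 443 to the pfSense WAN address.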
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.