Netgate Discussion Forum

    Can't access NATed Server from one external IP

    Firewalling

    premoddev

      Hi All,

      This is my first post on this forum; I am a newbie to pfSense. I have replaced my iptables firewall with pfSense; in my setup I have one LAN and one WAN interface only. The machines that need public access are added with 1:1 NAT, with the public IPs added as virtual IP addresses on the WAN interface.
      Everything is working as expected, but it is not working from one external client machine. Meaning everybody is able to access the server which is added with 1:1 NAT from the outside internet, but it's not working from one public-IP machine which is located in another country.

      In the packet trace I am able to see the traffic hitting the firewall on the correct port, but it's not passing through the firewall.

      Can anybody help me to get this issue fixed?

      Thanks in advance.

      Premod

      GruensFroeschli

        Do you see any entry in the firewall-log?

        Is another computer from the same public subnet able to access it?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        premoddev

          The interesting thing is I am able to log in from the server to the public machine which cannot access my server. Also I can see the packets hitting my firewall on the correct port, but they are not crossing the firewall. In the GUI logs, I am not able to find anything helpful. How can I access the logs through the CLI, meaning the name and location of the log files?

          Thanks,
          Premod

          premoddev

            This is what I am seeing in the filter.log file,

            Aug 27 16:31:32 myfw pf: 815342 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8457, offset 0, flags [DF], proto TCP (6), length 60) 17.1xx.1xx.94.49269 > 10.1xx.x1.17.22: S, cksum 0x4be7 (correct), 3233901315:3233901315(0) win 5840 <mss 1460,sackOK,timestamp 232413099 0,nop,wscale 2>

            vr0 is my external (WAN) interface and I don't have a blocking rule which I have made through the web GUI. How do I find the rules through CLI commands, as it is telling me that rule 56/0 is blocking the traffic?

            Thanks in advance.

            Premod

              GruensFroeschli

              Status --> System Log --> Firewall
              Click in the GUI on the color-thingy on the left side and it will tell you which rule blocked it.

              If you didn't create any rules at all, everything will be blocked.
              (default behaviour is: block everything).

              You can see the created rules under:
              address_of_your_pfsense/status.php#pfctl%20-s%20rules%20-vv

                premoddev

                Thanks, this is what I am seeing when clicking on the colored thing,

                @56 block drop in log quick on vr0 from <bogons:50> to any label "block bogon networks from wan"

                What does it mean? It seems to be an auto-generated rule.

                Thanks,
                Premod

                  GruensFroeschli

                  Bogon networks are IP blocks which are not yet assigned and thus should never appear at your WAN.
                  You can disable this rule on the WAN config page.

                  It could be that this IP block has just recently been assigned.
                  pfSense should update its list of bogon networks periodically by itself.

                  These threads should help you to update the list manually:
                  http://forum.pfsense.org/index.php/topic,15650.0.html
                  --> http://forum.pfsense.org/index.php/topic,13278.0.html

                    premoddev
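The diagnosis in the thread comes down to two steps: read the rule number and source address out of the pf log line, then check whether that source falls inside the bogons table. The script below is an added example (not code from the thread or from pfSense) that does both offline. It parses the text log format quoted above and looks the blocked source up in a small bogon list; the log lines and the list, including the 198.51.100.0/24 entry standing in for a block that is still listed as bogon but has since been assigned, are constructed for the example.

```python
"""Triage pf filter.log 'block' entries against a bogon table.

Added example for the thread above, not code from pfSense. It parses the
pfSense 1.x text pf log format, extracts the rule number and 5-tuple, and
reports whether the blocked source sits inside a bogon prefix. The log
lines and the bogon list are constructed sample data.
"""
import ipaddress
import re
from typing import Optional

# Matches the pf log format quoted in the thread ("pf: <seq> rule N/0(match): block in on vr0: (...) src.port > dst.port:").
PF_LOG_RE = re.compile(
    r"pf: (?:\d+ )?rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<iface>\w+): "
    r".*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed stand-in for the 'bogons' table: some reserved prefixes plus
# 198.51.100.0/24 playing the role of a block that is still in the table
# although it has since been assigned (the situation described in the thread).
BOGONS = [
    ipaddress.ip_network(p)
    for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "192.0.2.0/24", "198.51.100.0/24", "224.0.0.0/4")
]

# Constructed log lines in the same shape as the one posted in the thread.
SAMPLE_LOG = """\
Aug 27 16:31:32 myfw pf: 815342 rule 56/0(match): block in on vr0: (tos 0x10, ttl 48, id 8457, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.23.49269 > 10.0.0.17.22: S, cksum 0x4be7 (correct), 3233901315:3233901315(0) win 5840 <mss 1460,sackOK,timestamp 232413099 0,nop,wscale 2>
Aug 27 16:32:07 myfw pf: 815343 rule 73/0(match): block in on vr0: (tos 0x0, ttl 113, id 1, offset 0, flags [none], proto TCP (6), length 48) 203.0.113.9.3077 > 10.0.0.17.445: S, cksum 0x1a2b (correct), 1:1(0) win 65535 <mss 1460,nop,nop,sackOK>
"""


def parse_pf_log_line(line: str) -> Optional[dict]:
    """Return rule number, action, interface and 5-tuple from one pf log line, or None."""
    m = PF_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def matching_bogon(ip: str, bogons=BOGONS) -> Optional[str]:
    """Return the most specific bogon prefix containing ip, or None if it is not a bogon."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in bogons if addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def triage(log_text: str, bogons=BOGONS) -> list:
    """For every 'block' entry, attach the bogon prefix (if any) that explains the block."""
    out = []
    for line in log_text.splitlines():
        rec = parse_pf_log_line(line)
        if rec is None or rec["action"] != "block":
            continue
        rec["bogon"] = matching_bogon(rec["src"], bogons)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        why = (f"source is in bogon prefix {rec['bogon']}" if rec["bogon"]
               else "source is not a bogon; look at the rule itself")
        print(f"rule {rec['rule']} on {rec['iface']}: {rec['src']}:{rec['sport']} -> "
              f"{rec['dst']}:{rec['dport']} ({why})")
```

Running it shows the first block explained by the stale 198.51.100.0/24 entry and the second one not explained by the bogon list at all, which is the distinction that decides whether the fix is refreshing the table or revisiting a rule. On the firewall itself the same membership question can be put to pf directly with `pfctl -t bogons -T test <address>` instead of a local list.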

                    Thanks, GruensFroeschli

                    I have disabled the firewall rule and it's just working fine.

                    Thanks,
                    Premod

                      GruensFroeschli

                      Well, I wouldn't just disable the rule ^^"
                      It's there for a reason ;)

                      Have you tried dotdash's suggestion?

                      I copied /etc/rc.update_bogons.sh to a temporary script, removed the sleep and ran it.

                        premoddev

                        As a temporary fix, I have manually removed the network which was blocked for me. And as per the other posts I have checked my crontab file and the XML file also. Both files have entries as follows,

                        ###/etc/crontab####

                        1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh

                        ####config.xml#####

                        <minute>1</minute>
                        <hour>3</hour>
                        <mday>1</mday>
                        <month></month>
                        <wday></wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>

                        ######################################################

                        But the update is not happening, I am sure. I tried running the script manually, but didn't see anything happening. How can I make it run automatically?

                        Thanks,
                        Premod

                          Eugene

                          Update happens once per month. What makes you think it does not?

                          http://ru.doc.pfsense.org

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.