weird error with NAT/firewall
I am creating an additional NAT/firewall rule. It will not work. I have an Ubuntu server with apache2 that serves a simple page when its IP address is used (http://192.168.0.157:80).
Going out of my mind! I already have a standard firewall rule for 443->443 that directs to another server that is accessible remotely. This works perfectly. But my new rule for 18080->80 refuses to work.
On a remote PC, when I do 'curl http://[public ip address]:18080' I get a timeout. This also happens when I do 'curl http://gci.[domain].com:18080'.
I have confirmed that the 18080 port is open using an app on my phone.
I am using Cloudflare DNS with proxy enabled. But the config is exactly like the working one.
Possibly the request never reaches the pfSense WAN interface.
Run a packet capture on WAN with the port filter 18080 and try to access it from outside to be sure.
@gck303 try changing the "WAN address" to "single host or alias" and add the public IP for a test. This may be a bug. I believe I am having the same problem.
@gck303 You can also check the firewall logs. If your message is arriving and being discarded by the firewall, it will tell you which rule did it. You can also turn on logging for the rule that you created, to have it logged when used. This way you can check if it is being used.
Also, you can use pfSense's packet capture. Just filter everything for port 18080. You can then analyze it using Wireshark.
Just some ideas. But for me, I would test by forcing the public address. There may be a problem in pfSense's handling of "WAN address". Well... I suspect there is. ;-)
johnpoz LAYER 8 Global Moderator
@fbrunken said in weird error with NAT/firewall:
of "WAN address". Well... I suspect there is. ;-)
If that is the case, why isn't everyone using pfSense having the issue? What version is the OP even using?
If there were a general problem with "WAN address", I would think it would be known really quickly, as people would be screaming that their port forwards are not working, or no longer working.
To be honest, in all the time I have been using pfSense, and on this forum, I cannot recall a case of port forwarding not working because of some issue.
We seem to get at least one port forwarding problem a day around here; it always turns out to be user error, or the traffic is never even hitting the pfSense WAN.
Following the troubleshooting guide, you should very quickly find out where the problem is.
This test failing, for example:
"curl http://[public ip address]:18080" from outside pfSense doesn't tell us much. Maybe it's blocked where the remote PC is; many locations might not allow outbound traffic on some random port. Maybe they used the wrong IP; for all we know he put in his WAN IP and it's a CGNAT IP, etc.
There is really no way to know where the OP's issue is without some more info, and some info about basic tests, like simply going to can you see me . org and sending TCP traffic to your IP on the port.
Example: I don't have that port open, but within 30 seconds I can tell you that it gets to my WAN from the outside.
This really should be step one in any troubleshooting of a port forward. If pfSense cannot even see the traffic hit its WAN, then it would be impossible for it to forward it anywhere.
johnpoz LAYER 8 Global Moderator
@fbrunken not saying you might not be having an issue with your WAN address alias. I believe there was a thread around here where someone was having that sort of issue; they had renamed the interfaces in the XML or something and it was causing all aliases to fail, like the LAN net, the firewall, etc., if I recall correctly.
The first step in troubleshooting port forwarding is validating that traffic from outside actually gets to your internet-side interface in pfSense. No need for any rules, no need for any aliases or anything to validate that this works. Simply sniff and send traffic from the internet, like from can you see me . org.
Once we have a known good place to send traffic from, and pfSense sees it, then it can be leveraged to find out where the actual problem with the port forward is. But until we can create traffic to the pfSense WAN from the outside that pfSense actually sees, it's not possible to know where the problem might be, other than just visual validation of the rules, etc. You really need to be able to send traffic that you know gets there to actually troubleshoot.
Kind of like trying to troubleshoot why a car won't start, if you have no gas ;)
I mean you could look and see, hey, there are no spark plugs, or the battery is missing, or the starter is missing, that sort of thing. But until you have gas to try and start it... it's really not possible to figure out why it's not starting.
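To make the checks recommended in the replies above concrete (the "check the firewall logs to see which rule discarded it" advice, the "maybe it's a CGNAT IP" point, and the "first prove the traffic reaches WAN" step), here is an added example. It is not code from this thread or from pfSense. It (1) classifies the address being curled so a CGNAT or otherwise non-routable WAN address is caught before any rule is inspected, and (2) walks pfSense filterlog records for the WAN interface and reports whether packets to the forwarded port were seen at all and, if so, which rule tracker passed or blocked them. The field order follows the pfSense filterlog CSV documentation; the interface names igb0/igb1, the rule tracker IDs and the log lines themselves are constructed sample data, not from the original poster's system.

```python
"""Added example, not from the thread or from pfSense itself.

Two of the checks recommended above, scripted:
  1. Is the address being curled actually public? A CGNAT (100.64.0.0/10) or
     otherwise non-routable WAN address can never receive a port forward.
  2. Do pfSense filter log records show packets for the forwarded port arriving
     on WAN, and which rule tracker passed or blocked them?

Field order is the pfSense filterlog CSV layout (rule, sub-rule, anchor,
tracker, interface, reason, action, direction, ip-version, then for IPv4:
tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst,
then for TCP/UDP: sport, dport, ...). The log lines below are constructed;
igb0 is assumed to be WAN and igb1 LAN.
"""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space

# Constructed sample records (not captured from any real system).
SAMPLE_LOG = [
    # the working 443 forward: logged pass on WAN
    "Mar  1 10:00:00 pfSense filterlog[90123]: 90,,,1700000001,igb0,match,pass,in,4,"
    "0x0,,54,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.20,40000,443,0,S,1,,65228,,mss",
    # the new 18080 forward: packet arrived on WAN, but the default deny dropped it
    "Mar  1 10:00:01 pfSense filterlog[90123]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,54,0,0,DF,6,tcp,60,198.51.100.7,192.0.2.20,51234,18080,0,S,2,,65228,,mss",
    # same port seen on the LAN side: must not count as WAN evidence
    "Mar  1 10:00:02 pfSense filterlog[90123]: 7,,,1800000002,igb1,match,pass,in,4,"
    "0x0,,64,0,0,DF,6,tcp,60,192.168.0.5,192.168.0.157,52000,18080,0,S,3,,65228,,mss",
    # an IPv6 record: different layout, skipped by the parser
    "Mar  1 10:00:03 pfSense filterlog[90123]: 5,,,1000000103,igb0,match,block,in,6,"
    "0x00,0x00000,255,ICMPv6,58,24,fe80::1,ff02::1",
]


def wan_address_class(addr: str) -> str:
    """'public' is the only class that can receive an inbound port forward."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"          # ISP is NATing you; no forward can ever work
    if not ip.is_global:
        return "non_routable"   # RFC 1918, loopback, link-local, reserved, ...
    return "public"


def parse_filterlog(line: str) -> dict:
    """Parse one IPv4 TCP/UDP filterlog record; raise ValueError for anything else."""
    csv = line.split(": ", 1)[1] if "filterlog[" in line else line  # strip syslog prefix
    f = csv.split(",")
    if len(f) < 22 or f[8] != "4":
        raise ValueError("not an IPv4 TCP/UDP filterlog record")
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp"):
        rec["sport"] = int(f[20])
        rec["dport"] = int(f[21])
    return rec


def wan_evidence(lines, wan_iface: str, dport: int) -> list:
    """Inbound records on the given interface whose destination port is dport."""
    hits = []
    for line in lines:
        try:
            r = parse_filterlog(line)
        except (ValueError, IndexError):
            continue                      # IPv6, ICMP, malformed: not port evidence
        if r["iface"] == wan_iface and r["dir"] == "in" and r.get("dport") == dport:
            hits.append(r)
    return hits


def diagnose(lines, wan_iface: str, dport: int) -> tuple:
    """Return (verdict, sorted rule trackers).

    'unseen'  - nothing hit WAN on that port: start at canyouseeme.org / the ISP,
                not at the NAT rule (the car has no gas).
    'blocked' - packets arrived and the named rule discarded them.
    'passed'  - the rule matched: look at the forward target and back-end next.
    """
    hits = wan_evidence(lines, wan_iface, dport)
    trackers = sorted({h["tracker"] for h in hits})
    if not hits:
        return "unseen", trackers
    if any(h["action"] == "pass" for h in hits):
        return "passed", trackers
    return "blocked", trackers


if __name__ == "__main__":
    print(wan_address_class("100.72.3.9"))          # cgnat
    for port in (443, 18080, 2222):
        print(port, diagnose(SAMPLE_LOG, "igb0", port))
```

Run it against a real export of Status > System Logs > Firewall (or the raw filterlog lines from /var/log/filter.log) by replacing SAMPLE_LOG with the file's lines; note that pass entries only appear if logging is enabled on the matching rule, which is why the reply above suggests turning that on for the new rule.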
My problem is described here: Problems configuring OpenVPN on pFsense 23.01
Let's not discuss my problem any further here. I am just about to try troubleshooting again using your ideas, but any further discussion about my problem should be done there.
Thank you really very much for your ideas. I will keep you posted.