    port forwarding problem

    • S
      san_typ last edited by

      Dear All:

      Please help; I describe my problem below:
      I have a snapgear S565 in which a DMZ is configured to publish a service to the internet through my Public IP.
      The problem that arises is that when testing the access from another network it does not show anything. I already tried internally on my server, and the service is active.

      My Public IP is XX.XX.XX.39
      DMZ IP: XX.XX.XX.51

      NAT rule:

      GPS YELLOW (Port B) Any YELLOW (Port B, XX.XX.XX.39) tcp/home/8282 XX.XX.XX.51 tcp/home/8282

      PACKET FILTERING RULE

      GPS Accept Forward YELLOW (Port B) DMZ (Port A3) Any XX.XX.XX.51 tcp/home/8282

      Attached firewall logs:

      Mar 15 09:23:48 kernel: PF Ips GPS: IN=eth1 OUT=eth0.30 SRC=200.xx.xx.56 DST=XX.XX.XX.51 LEN=60 TOS=0x08 PREC=0x00 TTL= 55 ID=8257 DF PROTO=TCP SPT=16064 DPT=8282 WINDOW=65535 RES=0x00 SYN URGP=0

      Thank you for the help that you may be able to provide.

      johnpoz 1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator @san_typ last edited by johnpoz

        @san_typ said in port forwarding problem:

        from another network it does not show anything,

        What doesn't show anything? Have you gone through the troubleshooting guide? If you follow the guide, within a couple of minutes you will find out where your problem is.

        Step 1 in validating port forwarding is to actually validate that pfsense sees the traffic it is supposed to forward on its WAN; if pfsense never sees this traffic, how can it forward it?

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html#troubleshooting-nat-port-forwards

        SRC=200.xx.xx.56 DST=XX.XX.XX.51

        That is outbound. Are you testing from another network behind your pfsense? You need to test from outside pfsense. Just go to can you see me . org and send traffic to the port you want; does pfsense see this traffic?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        S 1 Reply Last reply Reply Quote 0
        • S
          san_typ @johnpoz last edited by

          @johnpoz Dear, I am new in this world of Firewalls and tried to follow the steps to determine what is happening.
          Please review the following:

          1. Ping test between the PC interface and the snapgear: successful
          2. Ping test towards the internet interface: successful
          3. Check the NAT rules, they are configured
            GPS YELLOW (Port B) Any YELLOW (Port B, XX.XX.XX.39) tcp/home/8282 XX.XX.XX.51 tcp/home/8282
          4. The Firewall rules are configured
            GPS Accept Forward YELLOW (Port B) DMZ (Port A3) Any XX.XX.XX.51 tcp/home/8282
          5. I did a packet capture on the snapgear and I only see the input request from my cell phone to the web page (snapgear), but I don't see the return.
          6. In the logs it does not show me more than what is detailed below:
            Mar 15 16:56:37 kernel: PF Ips GPS: IN=eth1 OUT=eth0.30 SRC=188.xx.xx.104 DST=XX.XX.XX.51 LEN=60 TOS=0x08 PREC=0x00 TTL= 55 ID=8257 DF PROTO=TCP SPT=16064 DPT=8282 WINDOW=65535 RES=0x00 SYN URGP=0
          7. Checked if the port is open through telnet, and that port is not responding.

          What other review could I do?

          johnpoz 1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator @san_typ last edited by johnpoz

            @san_typ said in port forwarding problem:

            but I don't see the return.

            If you see traffic via sniffing, go to where you want your forward to send it, sniffing on the LAN side interface, as your cell phone coming in from the internet comes from some public IP. But no return, that screams firewall on where you're sending the traffic, or where you're sending it isn't using pfsense as its gateway. Or it's not actually listening on the port you think it is, etc.

            If you see pfsense send on the traffic from the internet to where you want to forward it, then pfsense did what you told it; the client not answering, pfsense has no control over.

            Here is a recent thread going over the exact same sort of basic troubleshooting.
            https://forum.netgate.com/topic/178722/pfsense-google-wifi-and-port-forwarding

            When you sniff, if you see pfsense send the traffic on, pfsense did what you told it to do.

            Here is a sniff of a port sent to pfsense from outside, validating that pfsense is forwarding to where you said to forward it.

            S 1 Reply Last reply Reply Quote 0
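The check described in the reply above (was the SYN passed on, and did anything come back?) can be run over firewall logs in the kernel format quoted in this thread. This is an added example, not part of any post here; it assumes logging is enabled for both directions, and the log lines and addresses are constructed samples using documentation ranges.

```python
import re

# Constructed log lines in the kernel format quoted in the thread.
# Addresses are documentation ranges, not values from the posts.
SAMPLE_LOG = """\
Mar 15 16:56:37 kernel: PF Ips GPS: IN=eth1 OUT=eth0.30 SRC=198.51.100.7 DST=192.0.2.51 LEN=60 TTL=55 DF PROTO=TCP SPT=16064 DPT=8282 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 16:56:38 kernel: PF Ips GPS: IN=eth1 OUT=eth0.30 SRC=198.51.100.7 DST=192.0.2.51 LEN=60 TTL=55 DF PROTO=TCP SPT=16064 DPT=8282 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 16:57:01 kernel: PF Ips GPS: IN=eth1 OUT=eth0.30 SRC=203.0.113.9 DST=192.0.2.51 LEN=60 TTL=52 DF PROTO=TCP SPT=40000 DPT=8282 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 15 16:57:01 kernel: PF Ips GPS: IN=eth0.30 OUT=eth1 SRC=192.0.2.51 DST=203.0.113.9 LEN=60 TTL=64 DF PROTO=TCP SPT=8282 DPT=40000 WINDOW=28960 RES=0x00 ACK SYN URGP=0
Mar 15 16:57:05 kernel: PF Ips GPS: IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.39 LEN=60 TTL=52 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=value pairs; value may be empty (OUT=)
FLAGS = ("SYN", "ACK", "RST", "FIN")


def parse_line(line):
    """Return the fields of one netfilter LOG line, or None if it is not TCP."""
    kv = dict(FIELD.findall(line))
    if kv.get("PROTO") != "TCP":
        return None
    kv["FLAGS"] = {f for f in FLAGS if re.search(rf"\b{f}\b", line)}
    return kv


def unanswered_forwards(log_text):
    """Flows whose SYN was forwarded (IN and OUT both set) with no SYN-ACK logged back."""
    pending = {}  # (client, client port, server, server port) -> forwarded SYN count
    for line in log_text.splitlines():
        p = parse_line(line)
        if not p or not (p.get("IN") and p.get("OUT")):
            continue  # skip non-TCP lines and packets addressed to the firewall itself
        if p["FLAGS"] >= {"SYN", "ACK"}:
            # Reply direction: the server is SRC here, so reverse the tuple.
            pending.pop((p["DST"], p["DPT"], p["SRC"], p["SPT"]), None)
        elif "SYN" in p["FLAGS"]:
            key = (p["SRC"], p["SPT"], p["DST"], p["DPT"])
            pending[key] = pending.get(key, 0) + 1
    return pending


if __name__ == "__main__":
    for (src, spt, dst, dpt), n in unanswered_forwards(SAMPLE_LOG).items():
        print(f"{src}:{spt} -> {dst}:{dpt}: {n} SYN(s) forwarded, no SYN-ACK logged")
```

A flow reported here left the firewall toward the internal host and drew no logged reply, which points at the host's own firewall, its default gateway, or the listening port; a packet capture on the inside interface confirms it either way.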
            • S
              san_typ @johnpoz last edited by

              @johnpoz Dear:
              I did the packet capture from the DMZ but it doesn't show any information.
              I activated all the logs of the firewall rules to see which is the one that does not allow me to pass the traffic; in these logs nothing is shown that is blocking it.
              From what I have written before, I understand that it is not forwarding to my DMZ. As you can see in the screenshots, my Firewall does not have the same options as those described in the links sent in the previous answers.
              I am attaching screenshots of the NAT and Packet Filtering rules.
              SG565.png SG565 packet capture.png SG565 LOG.png
              Please help with any suggestion to solve this problem.

              Thank you

              johnpoz 1 Reply Last reply Reply Quote 0
              • johnpoz
                johnpoz LAYER 8 Global Moderator @san_typ last edited by

                @san_typ that sure as hell is not the pfsense interface. If you're having problems with a device not doing port forwarding, you prob want to get with their support for why.

                But what I can tell you is if pfsense does not see traffic on the interface you're wanting to port forward to some device behind pfsense.. If it doesn't see any traffic, kind of hard to forward anything.

                S 1 Reply Last reply Reply Quote 0
                • S
                  san_typ @johnpoz last edited by

                  @johnpoz Dear:
                  What would be the steps or configurations in the pfsense to follow to verify that the computer connected to my DMZ uses my internet interface? In this way it would guarantee that there is a connection between my DMZ interface and my internet interface.
                  Thanks for the information you can give me.

                  johnpoz S 2 Replies Last reply Reply Quote 0
                  • johnpoz
                    johnpoz LAYER 8 Global Moderator @san_typ last edited by

                    @san_typ huh.. Whatever that device is you posted is in front of pfsense, right? And pfsense "wan" is what, this .51 address?

                    Ok, does pfsense see traffic on port 48416 when you send traffic on port 80 to whatever that dest address is that ends in .39?

                    1 Reply Last reply Reply Quote 0
                    • S
                      san_typ @san_typ last edited by

                      @san_typ Dear:
                      Flujo.png My WAN is the one that ends in XX.XX.XX.39, my DMZ ends in XX.XX.XX.1 (they are the interfaces connected to the firewall) and the PC that is in the DMZ ends in XX.XX.XX.31 .

                      The Firewall sees the traffic coming to my WAN XX.XX.XX.39 on port 80 and transfers it to my PC in DMZ XX.XX.XX.31 on port 48416, that's the flow.

                      johnpoz 1 Reply Last reply Reply Quote 0
                      • johnpoz
                        johnpoz LAYER 8 Global Moderator @san_typ last edited by johnpoz

                        @san_typ where is pfsense in that picture?

                        Where are your port forwards and firewall rules in pfsense that show traffic hitting pfsense wan on x.39 port 80 and you forward it to .51 on 48416?

                        What you posted is NOT pfsense that is for sure..

                        notpfsense.jpg

                        This is a forum to discuss and help users with pfsense - whatever it is you're using there and posted screenshots of is not pfsense.

                        Please post your pfsense settings, and the sniff showing some port hitting your pfsense wan side interface that you are forwarding. You can do a simple sniff (packet capture) in pfsense under the diagnostic menu.

                        What we can help you with here is port forwards in pfsense - if you have something in front of pfsense, you need to make sure traffic hits pfsense wan side interface for pfsense to forward it to something behind pfsense.

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          san_typ @johnpoz last edited by

                          @johnpoz Thanks for the answers.

                          1 Reply Last reply Reply Quote 0