Cannot PF/NAT to save my life...
-
@johnpoz said in Cannot PF/NAT to save my life...:
Unless you have a "reject" rule o your wan?
I do indeed. It was placed there by user "silence", who was helping me get things set up. I have no clue what it does, they just told me it was a good idea. :)
Here are my rules:
You see that most of them are disabled. Those are previous attempts to get various services working, which never panned out. Most of the failed attempts I deleted, but these I've left in place to remind me of what didn't work, and to provide a placeholder for things I want to come back to later.

No, nothing in the floating tab.
I'll also note that none of the services you see implied by these rules are currently active or working.
For example, I'm not running NPM, or OpenVPN.

I will say that my BlueIris remote seems to kinda work, sometimes, so maybe that one is okay? lol
-
@Elmojo well your rustdesk ones are not going to work because they are below your reject.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
You really have no need for that reject all rule.. Because there is default deny at the end.. I have specific block rules at the end of mine because I do not log the default deny (I turned that off) and only want to log what those deny rules trigger on.
But your 81 port shows open
Notice those below the reject rule are 0/0 for states, that 2nd 0 means the rule has never been triggered.. Notice your 81 rule and other ones have values that means that much traffic has been allowed..
If I hit your 81 port I get this
If you want to turn off logging of the default deny, but log specific traffic, then you can put a block rule at the end.. Like you see in my rules. But a reject to wan, especially an any any, is not a good idea.. You're forcing pfsense to answer any bit of noise that touches your wan that you do not allow.. That is just extra traffic you're sending for no valid reason.. My reject is only for specific ports, and only from US IPs, because I want to be able to run a traceroute to my IP and see the response at the end of it.
-
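As an added example (not from the thread and not pfSense's own code): the states/packets counters johnpoz is reading off the GUI are the same ones `pfctl -vsr` prints under each rule on the pfSense shell. The script below takes that output and prints the labels of `pass` rules that sit below a catch-all `block` (a GUI "reject" becomes `block return` in pf) and have never passed a packet, i.e. rules that the catch-all shadows. The sample ruleset, its addresses, ports and labels are constructed for the demo, not taken from anyone's firewall.

```shell
#!/bin/sh
# Added example: find WAN rules shadowed by a catch-all block/reject rule.
# On pfSense:  pfctl -vsr > rules.txt && sh shadowed.sh rules.txt
# With no argument it runs against the constructed SAMPLE below.

# pfSense renders every GUI rule as a "quick" rule, so the first match is final;
# any pass rule after "block ... from any to any" can only ever show 0 packets.
shadowed_rules() {
    awk '
        # a rule line: remember it, its counters follow on the next line
        /^(pass|block)/ { rule = $0; next }
        /^ *\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            if (!catchall && rule ~ /^block/ && rule ~ /from any to any/) {
                catchall = 1            # everything below here is dead
            } else if (catchall && rule ~ /^pass/ && pkts == 0) {
                # strip the label "..." wrapper and print what the GUI shows
                if (match(rule, /label "[^"]*"/))
                    print substr(rule, RSTART + 7, RLENGTH - 8)
            }
        }
    '
}

# Constructed sample in pfctl -vsr layout; addresses, ports and labels are placeholders.
SAMPLE='pass in quick on em0 inet proto tcp from any to 203.0.113.5 port = 81 flags S/SA keep state label "USER_RULE: NAT BlueIris"
  [ Evaluations: 4821      Packets: 1140      Bytes: 93270       States: 3     ]
block return in quick on em0 inet from any to any label "USER_RULE: reject all"
  [ Evaluations: 3681      Packets: 3681      Bytes: 221004      States: 0     ]
pass in quick on em0 inet proto tcp from any to 192.168.1.20 port = 21116 flags S/SA keep state label "USER_RULE: NAT rustdesk"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
block drop in log quick on em0 inet proto tcp from any to any flags S/SA label "USER_RULE: log syn"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'

if [ $# -gt 0 ]; then
    shadowed_rules < "$1"
else
    printf '%s\n' "$SAMPLE" | shadowed_rules
fi
```

Against the sample it prints only `USER_RULE: NAT rustdesk`: the port 81 rule sits above the reject and has passed traffic, and the trailing log-only block rule is not a pass rule. On a ruleset with no catch-all nothing is printed, even for pass rules that happen to show zero packets, because an unused rule is not the same thing as a shadowed one.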
@johnpoz said in Cannot PF/NAT to save my life...:
You really have no need for that reject all rule
Fair enough. Like I said, especially at the time this was all set up, I knew next to nothing about rules and such, and was relying on the knowledge of others. I'll disable it.
@johnpoz said in Cannot PF/NAT to save my life...:
But your 81 port shows open
How? Did I publish my external IP somewhere? I don't mind you having it, but I'd prefer for it not to be flapping in the breeze, so to speak. lol
I'm not surprised that it's open. That service is working fairly well, until my IP changes, and I have to figure out what the new one is... I assume there's a way around that, which we'll get to, using duckDNS or similar?

@johnpoz said in Cannot PF/NAT to save my life...:
a reject to wan, especially a any any is not a good idea
I'm a believer. :)
Here's my new ruleset. Does this look better?
I notice that your last rule shows "commonUDP" as the destination port. I don't see that as a selectable preset. Did you build a custom range and name it or something?
-
@Elmojo said in Cannot PF/NAT to save my life...:
Did I publish my external IP somewhere
You gave the first octet, and like I said earlier that matched up with what you talked to the forum from, so I figured it was still the same.. Only mods and admin can see that info.. So no, it's not flapping in the breeze ;) and as you saw I didn't say anything that you didn't say already for what your ip.. was.. And hid the IP I talked to..
btw neither your 1880 or 18443 seem to be open..
From your rules you are sending that to a different IP than your 81, could be that box is not listening on those ports, or it has its own host firewall? Or not using pfsense as its gateway?
But clearly you have a public can talk too, and from those 2nd rules showing some traffic too them, points to something behind not right.. As traffic is getting to pfsense.
My two rules that I log are specific, I only log syn traffic to tcp.. notice the little gear next to mine. And commonudp is an alias I created that only has specific ports in.. That would be interesting to see, but I don't want to see every single stupid piece of udp noise that hits my box. Only ones that are of significance on specific ports..
Here is a snip of that alias
The list is dated, 2019... I should prob go through and remove/add stuff
-
@johnpoz said in Cannot PF/NAT to save my life...:
You gave the first octet, and like I said earlier that matched up with you talked to the forum from
Oh, I see. Cool deal.
@johnpoz said in Cannot PF/NAT to save my life...:
btw neither your 1880 or 18443 seem to be open..
There are no services listening on those ports. They are for NginxProxyManager, and I had to edit the port assignments (it defaults to 80 and 443) because those were in use by another docker. I've discovered since then that there's another way to handle that situation, but I'm not using that service right now anyway, although it is one of those that I hope to get up and running sometime soon.
@johnpoz said in Cannot PF/NAT to save my life...:
But clearly you have a public can talk too, and from those 2nd rules showing some traffic too them, points to something behind not right.. As traffic is getting to pfsense.
Sorry, you kinda lost me there. It almost looks like parts of your sentence got deleted or something...?
@johnpoz said in Cannot PF/NAT to save my life...:
My two rules that I log are specific, I only log syn traffic to tcp.. notice the little gear next to mine
Okay, I see...maybe. Are you saying I don't need those rules, I don't need both of them, or I don't need to log them? I don't think I'll be able to recreate your UDP rule anyway, since I have no idea how to create alias lists. Is it even necessary? I'm not trying to complicate things here.
BTW, what does the gear icon mean? I haven't found an explanation for it yet.
-
@Elmojo No its not necessary. I have those rules because I want to log specific traffic, but not all that is denied. I turned off the logging of the default deny rule. If you have not done that and you deleted those two rules everything would be logged anyway.
What I meant to say is we clearly are sure your IP is public, and traffic can get to it. One being that the port 81 shows open... The others showing traffic got to them, see the 2nd number in the states column..
-
@johnpoz said in Cannot PF/NAT to save my life...:
No its not necessary. I have those rules because I want to log specific traffic
Gotcha! I'll delete them. Simpler is better. :)
@johnpoz said in Cannot PF/NAT to save my life...:
What I meant to say we clearly are sure your IP is public, and traffic can get to it. One being that the port 81 shows open...
Oh, I understand. Okay, great. So what's the next step... ?
You mentioned something earlier about setting up a FQDN through a ddns. I assume that's the way to get around having to deal with my ISP changing my public IP every couple weeks?

I already have an account and domain set up through duckdns, if that helps any. I'm totally fine abandoning that and using something else if you think it's better. I haven't touched it in a while, it may be inactive. I also have a cloudflare account, if that's of any use.
-
@Elmojo you can use whatever ddns you want.. I just use cloudflare, but not sure if duckdns supports ddns?
Just set it up in pfsense. But I don't see them listed. You might have to use custom, or setup some client behind pfsense to use some script or whatever that they might provide
Or just use one of the many services.
edit:
A quick google found these instructions for pfsense and duckdns dynamic dns: https://www.wundertech.net/use-duckdns-to-set-up-ddns-on-pfsense/
-
@johnpoz Okay, I'll have to dig into the docs a little and see where I need to go from here.
I'm happy with using Cloudflare, if it's built into pfsense. I only had a duckdns account because it was referenced in a tutorial I was following for another service a while back.

Thanks again for all your help. Hopefully I can take it from here, but I can't swear I won't have another couple Qs as I get all this untangled. :)
-
@Elmojo said in Cannot PF/NAT to save my life...:
@johnpoz Okay, I'll have to dig into the docs a little and see where I need to go from here.
I'm happy with using Cloudflare, if it's built into pfsense. I only had a duckdns account because it was referenced in a tutorial I was following for another service a while back.

Thanks again for all your help. Hopefully I can take it from here, but I can't swear I won't have another couple Qs as I get all this untangled. :)
Duckdns have good support info on their page.
Go to their install page https://www.duckdns.org/install.jsp
Select pfsense and then in the drop down select which one of your domains you want to use.

The page will then update to provide you with a URL looking like this:
https://www.duckdns.org/update?domains=[DOMAIN]&token=[TOKEN]&ip=%IP%
Where DOMAIN and TOKEN are generated from your account.

In pfsense > services > Dynamic DNS, create a client and set the Service type to Custom.
Select your interface to monitor and send update from (WAN typically).

Then all you do is paste the URL you got from duckdns into the Update URL field.
Type OK in the Result Match field, add a description if you like and click save.
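Added example, not from the thread and not pfSense's or DuckDNS's own code: the same update the pfSense Custom client performs, as a POSIX shell script you could run from a host behind pfSense instead (handy if you would rather not store the DuckDNS token on the firewall). It builds the update URL from the install page, leaves `ip=` empty so DuckDNS takes the request's source address, checks for the literal `OK` reply just as the Result Match field does, and only calls DuckDNS when the public address has actually changed. `DOMAIN`/`TOKEN` are placeholders, and the ipify lookup for change detection is my choice of "what is my IP" service, not something DuckDNS or pfSense prescribes.

```shell
#!/bin/sh
# Added example: a DuckDNS updater mirroring pfSense's Custom DDNS client.
# Usage:  sh duckdns.sh DOMAIN TOKEN [cache-file]
# DOMAIN is the part before .duckdns.org; TOKEN comes from your DuckDNS account.

# Build the update URL from the install page. With ip= empty DuckDNS uses the
# source address of the request, which is the NAT'd WAN address when run from
# a host behind pfSense.
duckdns_update_url() {
    domain=$1; token=$2; ip=${3:-}
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=%s\n' \
        "$domain" "$token" "$ip"
}

# DuckDNS answers the bare string OK on success and KO on failure; this is the
# "Result Match" check from the pfSense dialog, as an exact comparison.
duckdns_result_ok() {
    [ "$1" = "OK" ]
}

# Only push an update when the address changed, keyed off a cache file, so the
# API is not hit on every run. Returns 0 (and records the new IP) on change.
ip_changed() {
    cache=$1; new=$2
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$new" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$cache"
    return 0
}

# Full cycle; needs network, so it only runs when arguments are given.
duckdns_update() {
    domain=$1; token=$2; cache=${3:-/tmp/duckdns-$1.ip}
    # Public address as seen from outside (ipify is an assumption, any such
    # service works). Used only to decide whether an update is needed.
    current=$(curl -fsS https://api.ipify.org) || return 2
    if ! ip_changed "$cache" "$current"; then
        echo "no change ($current)"
        return 0
    fi
    body=$(curl -fsS "$(duckdns_update_url "$domain" "$token" "")") || return 2
    if duckdns_result_ok "$body"; then
        echo "updated $domain.duckdns.org -> $current"
    else
        echo "DuckDNS rejected the update: $body" >&2
        rm -f "$cache"   # forget the cached IP so the next run retries
        return 1
    fi
}

if [ $# -ge 2 ]; then
    duckdns_update "$1" "$2" "$3"
fi
```

Run it from cron every few minutes; the cache file keeps it quiet until the ISP actually hands out a new address, and a `KO` reply (wrong token, domain not owned by that token) is reported and retried next time rather than silently cached as done.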