Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Simple port forward error default deny rule ipv4

    Scheduled Pinned Locked Moved NAT
    6 Posts 2 Posters 109 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TheCalvinator
      last edited by TheCalvinator

      Hello all

      I have setup a simple port forward rule which is not working and showing the error "Default deny rule IPv4 (1000000103)". Any advise would be geatly appreciated as I have spent nearly 2 days reading and researching with no solution yet.

      • Destination is a Windows machine running RDP on custom port 2803

        • This has been tested and is working both from a local IP and directly from the internet (if I assign the public IP to it for testing)
      • pfsense is a dedicated hardware running the latest version

      • The rule is anyone connecting to the specied VIP on port 2803, forward it to the local IP (192.168.8.38) of windows machine on port 2803

      • Looking at the firewall logs, I can see RDP traffic coming from my laptop on the internet and being forwarded to the RDP client successfully

        • However, the logs also show that the return packets from RDP client to pfSense are being blocked on the LAN interface (Default deny rule IPv4 (1000000103)
      • I have setup the NAT with reflection (Pure NAT)

        • pfSense created the corresponding WAN rule for it too
      • I have used the "Test port" tool to ensure pfSense can see the RDP client on port 2803

      • Both devices definitely can see and ping each other on the LAN

      • I have attached screenshots of the config and firewall log

      I am at a loss and not sure whereelse to look or how to troubleshoot further.

      Best wishes
      pf-config1.png

      pf-config2.png

      pfs-log1.png

      pfs-log2.png

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @TheCalvinator
        last edited by johnpoz

        @TheCalvinator those are all fin,ack - ie that rdp box sending back to the pfsense IP, which unless your doing source natting shouldn't be happening. Even if was going to send FA it should be to the IP of the device wanting to connect.. Something on the internet I take it since your port forwarding stuff that hits your wan.

        That return traffic should of really been to your 209.x address. Unless you source natted it, ie outbound nat on your lan so the rdp traffic sent to 2803 looked like it came from pfsense IP on your lan I assume (that 192.168.8.1 address)

        But either way, your port forward works and the rdp box on 192.168.8.38 sent back a FA..

        I would guess those are just multiple FA being sent, even after pfsense closed the state. Or you have asymmetrical traffic flow - but if that was the cause you really should of seen SA (syn,ack) being blocked because lack of state.

        If pfsense has no state open to allow the traffic, then yes it would be blocked by the default deny.. Or if there was a state but the device continues to see traffic after the state was closed then yeah that traffic would be closed.

        A FA is that 192.168.8.38 saying I am done with this conversation. So its not pfsense causing a problem with your port forward.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        T 1 Reply Last reply Reply Quote 0
        • T
          TheCalvinator @johnpoz
          last edited by

          @johnpoz Hello John

          Thank you for your reply. I agree that it was strange seeing the packet had pfsense as its destination as opposed to my 209.X IP address.

          I have not setup asymmetric traffic flow nor source NAT, but how do I check if it is there? Anything else I can check?

          Best wishes

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @TheCalvinator
            last edited by johnpoz

            @TheCalvinator what do you have in your outbound nat - do you have something setup for outbound on your lan interface? That would nat your traffic so it looks like it came from pfsense IP on that interface.

            You might even want that so you don't have to alter firewall rules on the box your rdping too.. It would think the client is on its local 192.168.8 network.

            example: here I nat traffic going to my cams network (10.1.1/24) so it looks like it comes from pfsense IP on that cams network.. The cameras on that network use the nvr as their gateway, no pfsense - so if I didn't source nat the traffic they wouldn't send the traffic back to pfsense, they would send it to their gateway. Which wouldn't work.

            outbound.jpg

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            T 1 Reply Last reply Reply Quote 0
            • T
              TheCalvinator @johnpoz
              last edited by

              @johnpoz

              Hello John

              I hope you are well. The problem was an incorrect source NAT setup by a colleague and is now resolved. Thank you for your great help and guidance 😊

              Best wishes

              johnpozJ 1 Reply Last reply Reply Quote 1
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @TheCalvinator
                last edited by

                @TheCalvinator glad to hear finally sorted. Thanks.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.