NAT Rule problem

  • Hi @all

    I want to reach a host in the LAN by VNC or FreeNX, but though I have created NAT rules
    for both protocols I cannot connect.

    LAN and FreeNX are both up on the target machine in the LAN, I can connect from the
    LAN side of the pfsense box running on 1.3.2 Release

    The NAT rule looks as follows :

    IF   Proto  EXT. Port Range  NAT IP  INT Port Range
    WAN  TCP    22 (SSH)                 22 (SSH)
                (ext.: any)

    Unfortunately the tips from other posts did not help, so any helpful tip is appreciated.

    Thanks in advance


  • I don't know about Freenx, but VNC uses port 5900 by default, not 22.


    Thanks EddieA, I know about the VNC port and of course there is a similar NAT rule configured for VNC,
    of course for port 5900.

  • Go to to find out if your port 22 is open to the outside world.

    When creating your NAT entry, did you check the box at the bottom that automatically creates a firewall pass rule? If so, did you change the IP address or protocol in the NAT rule, or some other thing that would cause the NAT rule to be out of sync with the firewall rule?

  • Clarknova,

    Thanks for the hint. Checking port 22 on the link provided, I get "stealth" as a result.
    Yes, I have checked the box that automatically creates the FW rule and I did not change
    the protocols or IP addresses (see screenshot).

    It confuses me that I can see SSH packets in the log (see screenshot) but I cannot
    connect, which of course works fine from the LAN side.

    Further tips, anyone?

    thx hafnix

  • If they aren't already, those firewall rules should be on WAN.  Also, this probably has nothing to do with it, but on the port forward you do not need to set the external address to any unless you have multiple WAN IP addresses and are trying to forward the port on all of them.

  • Yes Efonne, they are on WAN

  • Do you have any firewall rules above those that might be blocking it?

  • No, just the ones created by the system and a rule to block Bittorrent 6969

  • Your first screenshot looks as though pfsense has passed packets coming in on port 22. Very odd then that port 22 appears stealth from the outside world. Do you have a firewall running on your ssh host? Could it be that a host-based firewall is accepting packets from the LAN but not from outside addresses?

    At this point I think tcpdump/wireshark/packet capture is in order to find out where the packets are stopping.

  • Hi again…

    The SSH host is an Ubuntu 9.10 box with no firewall installed that I am using to monitor
    access points in this network. Connecting to this box from the LAN on port 22 is
    no problem at all...

    I installed Wireshark on this box and let it listen for packets on port 22, but there
    was nothing, so I think that though the log tells us the packets are passing, they
    are not going through.

    I already thought about deleting all rules, making a backup of the box and re-installing
    the whole system from scratch. Do you see any chance that this could help?

    Thx hafnix

  • If you're seeing packets arrive at pfsense's WAN, but nothing on the ssh host, then they're dying somewhere in between. There's a good chance your pfsense is misconfigured, or possibly even malfunctioning, and a fresh install could correct that, assuming you don't repeat whatever may have caused the problem in the first place.

  • OK, good, I will try that sometime soon. Another proof for this idea is the console log output:

    Mar 12 15:01:44 gateway pf: 4. 327978 rule 102/0(match): pass in on ng0: (tos 0x0, ttl 118, id 55769, offset 0, flags [DF], proto TCP (6), length 48) > S, cksum 0x3d8a (correct), 2222965890:2222965890(0) win 65535 

    Next to this, I have tried to reach the target system through a VPN tunnel and turned on logging; once
    again the logs said port 22 is going through, but still I cannot reach the SSH host.

    I do not know if there is a problem with the system in general. It is an Intel Atom 330 system on a D945GCLF2 board using the onboard
    Realtek NIC and a 3Com 3C905 NIC in the available PCI slot. Are there known problems with Atom boards or even these NICs?

    Thanks a lot hafnix
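
The diagnostic in this thread is a cross-check: the pf log on the gateway says the port-22 packets were passed in on the WAN interface, while a capture on the LAN side shows nothing. The following is an added example, not code from the thread or from pfSense, that automates that comparison: it parses pf syslog lines in the pfSense 1.x format quoted above and tcpdump text lines from a LAN-side capture, then lists the forwarded flows that pf claims to have passed but that never appeared on the LAN wire. All log and capture lines below are constructed with documentation addresses; the interface name ng0 comes from the quoted log line, and the assumption that pf logs inbound packets after rdr translation (so the destination is already the LAN host) is noted in the code.

```python
"""Cross-check pf log lines against a LAN-side packet capture (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

# pfSense 1.x pf syslog line, same layout as the one quoted in the thread:
#   "... pf: 4. 327978 rule 102/0(match): pass in on ng0: (tos 0x0, ..., proto TCP (6),
#    length 48) SRC.SPORT > DST.DPORT: S, cksum 0x3d8a (correct), ..."
PF_LOG_RE = re.compile(
    r"pf: \d+\. \d+ rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"\(.*?proto (?P<proto>\w+) \(\d+\), length \d+\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+),"
)

# tcpdump text line from a capture on the LAN interface, e.g.
#   "15:01:44.327978 IP SRC.SPORT > DST.DPORT: Flags [S], seq ..."
TCPDUMP_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


@dataclass(frozen=True)
class PfEntry:
    rule: int
    action: str
    direction: str
    iface: str
    proto: str
    flow: Flow
    flags: str


def parse_pf_line(line: str) -> Optional[PfEntry]:
    """Parse one pf syslog line; return None for lines in another format."""
    m = PF_LOG_RE.search(line)
    if m is None:
        return None
    flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return PfEntry(int(m["rule"]), m["action"], m["direction"], m["iface"],
                   m["proto"], flow, m["flags"])


def wan_passed_flows(pf_log: str, wan_if: str, dport: int) -> Set[Flow]:
    """Flows that a pass rule accepted inbound on the WAN interface for dport.

    Assumption: pf applies rdr before filtering, so the logged destination is
    already the translated LAN host, which is what the LAN capture will show.
    """
    flows: Set[Flow] = set()
    for line in pf_log.splitlines():
        e = parse_pf_line(line)
        if e and e.action == "pass" and e.direction == "in" \
                and e.iface == wan_if and e.flow[3] == dport:
            flows.add(e.flow)
    return flows


def lan_seen_flows(capture: str, dport: int) -> Set[Flow]:
    """Flows to dport that actually appeared in the LAN-side tcpdump output."""
    flows: Set[Flow] = set()
    for line in capture.splitlines():
        m = TCPDUMP_RE.search(line)
        if m and int(m["dport"]) == dport:
            flows.add((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def stranded_flows(pf_log: str, capture: str, wan_if: str, dport: int) -> List[Flow]:
    """Flows pf logged as passed on WAN that never showed up on the LAN interface."""
    return sorted(wan_passed_flows(pf_log, wan_if, dport) - lan_seen_flows(capture, dport))


# Constructed sample data (documentation addresses, not from the thread).
PF_LOG = """\
Mar 12 15:01:44 gateway pf: 4. 327978 rule 102/0(match): pass in on ng0: (tos 0x0, ttl 118, id 55769, offset 0, flags [DF], proto TCP (6), length 48) 203.0.113.5.51234 > 192.168.1.10.22: S, cksum 0x3d8a (correct), 2222965890:2222965890(0) win 65535
Mar 12 15:01:47 gateway pf: 7. 112233 rule 102/0(match): pass in on ng0: (tos 0x0, ttl 118, id 55770, offset 0, flags [DF], proto TCP (6), length 48) 203.0.113.5.51234 > 192.168.1.10.22: S, cksum 0x3d8a (correct), 2222965890:2222965890(0) win 65535
Mar 12 15:02:01 gateway pf: 1. 000500 rule 5/0(match): block in on ng0: (tos 0x0, ttl 50, id 1, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.7.40000 > 192.168.1.10.6969: S, cksum 0x0000 (correct), 1:1(0) win 1024
"""

# Constructed LAN capture: a LAN client reaching the SSH host works, but the
# forwarded flow from the WAN never appears, exactly the symptom in the thread.
LAN_CAPTURE = """\
15:01:44.100000 IP 192.168.1.20.44444 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
15:01:44.100500 IP 192.168.1.10.22 > 192.168.1.20.44444: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

if __name__ == "__main__":
    for src, sport, dst, dport in stranded_flows(PF_LOG, LAN_CAPTURE, "ng0", 22):
        print(f"passed on WAN but never seen on LAN: {src}:{sport} -> {dst}:{dport}")
```

The retransmitted SYN in the sample log collapses into one flow, and the blocked BitTorrent probe is ignored because only pass/in entries on the WAN interface for the forwarded port are considered; an empty result means the LAN capture did see every flow pf claims to have forwarded, which would point the investigation at the target host instead of the gateway.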

  • I believe both those NICs are fairly common in pfsense deployments. The realteks are known for low throughput/high cpu usage, but not necessarily flat out broken, that I'm aware of.

    You could also do a packet capture on pfsense's LAN interface. If you have equipment between pfsense and Ubuntu this would help eliminate that as cause.

  • Packet capture was a good plan. Starting a capture on the WAN interface showed packets on port 22, but there
    was no output on the LAN interface.
    There is no equipment between the LAN interface and the target machine that could possibly block traffic.
    Do you agree that this looks like an internal problem of the pfsense box?

  • For sure.

  • OK, it works. Deleted all fw-rules, made a backup, reinstalled the box and created the NAT rule once more -> works!
    Thank you all for your hints and support  ;)

  • Hi @ll

    After the NAT rules worked fine for two weeks, they have stopped working again and I have the same
    problem as before.
    I can see traffic in the logs forwarded to the target host, but I cannot connect on port 22.
    In between I have made no changes to the system and I did not even restart it, which I in
    fact did today when I noticed the problem again.
    I mean, I have "solved" the problem by reinstalling the box a while ago, but this cannot be a
    solution; no need to say that we do not have a M$ box here…
    It is strange in my eyes that this forum has a lot of posts regarding NAT... all with rather
    similar problems and no real solution.
    Further tips, anyone?

    Thx in advance

