Port forward problem



  • Hi all.

    I have over the years used pfSense and successfully had port forwarding working. However, I cannot get it to work with the version I have recently installed.

    I have added the port forward rule.
    WAN interface, proto is TCP, ext port range is 443 (HTTPS), NAT IP is 192.168.201.252, internal port range is 443

    I have a firewall rule for the WAN interface with nothing else before it:
    Proto TCP, Source *, port *, destination 192.168.201.252, port 443, gateway *, schedule *

    and then in the firewall log I see that it's blocked:

    Mar 20 10:30:23  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:FP

    I have done everything I know, including rebuilding the firewall box, and still it's blocked. Has anyone got any ideas, because I am about to give up.



  • This doesn't make sense.  If it was blocking inbound http, the segment would be the initial SYN segment (TCP flag would be S, not FP, which is FIN/PUSH).  Can you run packet capture on LAN side and post results when you try again?



  • I am happy to see it seems confusing to someone else other than myself. I will see what I can capture and get back to you all



  • Sometimes blocks show up in the firewall log even though it is being allowed (happens at the end of a "session"). I cannot find where I read about this, but I know I did. For example, I have port 443 forwarded to a LAN host as well, and it works just fine, but my firewall log has lots of "blocked" packets (TCP:P) that claim they are for the default deny rule, but they don't affect anything.

    Could it be that the reason your port forward appears to not be working is unrelated to the blocks you are seeing? Try turning on logging on the firewall rule that allows the port forward, and then check the logs to make sure an allow entry is actually showing up. If it is, maybe there is some other problem happening here (your LAN host doesn't have the pfSense box as the default gateway for example).



  • Usually spurious blocks like this are due to re-sent packets that are not needed.


  • Rebel Alliance Developer Netgate

    Sounds like these:

    http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F

    As Briantist proposed, those are very likely to be unrelated to the port forward not working. If it was, they'd be TCP:S, and no others.

    The OP may need to try to track down what is going on as described here:
    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Or it's also covered in the book.
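The replies above come down to one check: a port forward that is genuinely failing shows up in the log as blocked TCP:S (the initial SYN), while FP, P, A and similar flags are late packets of a session pf has already closed, logged against the default deny but harmless. The script below is an added example written for this thread, not code from the original posts or from pfSense itself. It parses blocked entries in the column layout as rendered in the thread (time, interface, source ip:port, destination ip:port, proto:flags) and sorts them by whether they point at a real problem. The first sample line is the one from the original post; the remaining lines are constructed here to exercise the classifier, and the regex assumes that rendered layout rather than the raw filterlog CSV format.

```python
"""Classify pfSense firewall-log "blocked" entries by TCP flags.

Added example for this thread (not pfSense code).  Assumption: log lines are
in the column layout as shown in the forum post, e.g.
    Mar 20 10:30:23  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:FP
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample log.  Line 1 is the entry from the original post; the
# rest are made up here to cover the other cases the classifier handles.
SAMPLE_LOG = """\
Mar 20 10:30:23  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:FP
Mar 20 10:30:24  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:P
Mar 20 10:31:05  NG0  5.6.7.8:51002  my.external.address.here:443  TCP:S
Mar 20 10:31:10  NG0  9.9.9.9:40000  my.external.address.here:22  TCP:S
Mar 20 10:31:12  NG0  9.9.9.9:40001  my.external.address.here:443  TCP:A
Mar 20 10:31:20  NG0  2.2.2.2:5000  my.external.address.here:443  UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} +\d{2}:\d{2}:\d{2}) +"
    r"(?P<iface>\S+) +"
    r"(?P<src>\S+):(?P<sport>\d+) +"
    r"(?P<dst>\S+):(?P<dport>\d+) +"
    r"(?P<proto>[A-Za-z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


@dataclass
class BlockedPacket:
    ts: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters as pfSense prints them; "" for non-TCP


def parse_line(line: str) -> Optional[BlockedPacket]:
    """Parse one rendered log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return BlockedPacket(
        ts=m["ts"], iface=m["iface"], src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]), proto=m["proto"].upper(),
        flags=m["flags"] or "",
    )


def classify(pkt: BlockedPacket, forwarded_ports: Set[int]) -> str:
    """Decide what a blocked entry means for the port forward under test."""
    if pkt.proto != "TCP":
        return "non-tcp"
    if pkt.dport not in forwarded_ports:
        return "other-port"       # unsolicited traffic to a port we never forward
    if "S" in pkt.flags and "A" not in pkt.flags:
        return "syn-blocked"      # a new connection to the forwarded port was refused:
                                  # the NAT rule or its WAN firewall rule is not matching
    return "out-of-state"         # FP/P/A/R/FA: a late packet of a session whose state
                                  # pf already removed; logged on default deny, harmless


def summarize(log_text: str, forwarded_ports: Set[int]) -> Dict[str, int]:
    """Count each category over a block of log text."""
    counts = {"syn-blocked": 0, "out-of-state": 0, "other-port": 0,
              "non-tcp": 0, "unparsed": 0}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        pkt = parse_line(raw)
        if pkt is None:
            counts["unparsed"] += 1
            continue
        counts[classify(pkt, forwarded_ports)] += 1
    return counts


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, {443})
    for category, n in result.items():
        print(f"{category:>13}: {n}")
    if result["syn-blocked"]:
        print("SYN to the forwarded port was blocked: check the NAT rule and its WAN rule.")
    else:
        print("No blocked SYNs to the forwarded port; the logged blocks are not the cause.")
```

Run against your own log, the only category worth chasing is "syn-blocked". If it stays at zero while the forward still fails, the blocks are a red herring and the problem is elsewhere (rule logging showing no "pass" entries, the LAN host not using pfSense as its default gateway, or the host itself not listening), which is what the Port_Forward_Troubleshooting page linked above walks through.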

