Netgate Discussion Forum

    Port forward problem

    • S
      secs
      last edited by

      Hi all.

      I have over the years used pfSense and successfully had port forwarding working. However, I cannot get it to work with the version I have recently installed.

      I have added the port forward rule.
      WAN interface, proto is TCP, ext port range is 443 (HTTPS), NAT IP is 192.168.201.252, internal range is 443

      I have a firewall rule for the wan interface with nothing else before it
      Proto tcp Source * port * destination 192.168.201.252 port 443 gateway * schedule *

      and then I get in the firewall log
      it's blocked

      Mar 20 10:30:23  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:FP

      I have done everything I know, including rebuilding the firewall box, and still it's blocked. Has anyone got any ideas, because I am about to give up.

      • D
        danswartz
        last edited by

        This doesn't make sense.  If it was blocking inbound http, the segment would be the initial SYN segment (TCP flag would be S, not FP, which is FIN/PUSH).  Can you run packet capture on LAN side and post results when you try again?

        • S
          secs
          last edited by

          I am happy to see it seems confusing to someone else other than myself. I will see what I can capture and get back to you all

          • B
            Briantist
            last edited by

            Sometimes blocks show up in the firewall log even though it is being allowed (happens at the end of a "session"). I cannot find where I read about this, but I know I did. For example, I have port 443 forwarded to a LAN host as well, and it works just fine, but my firewall log has lots of "blocked" packets (TCP:P) that claim they are for the default deny rule, but they don't affect anything.

            Could it be that the reason your port forward appears to not be working is unrelated to the blocks you are seeing? Try turning on logging on the firewall rule that allows the port forward, and then check the logs to make sure an allow entry is actually showing up. If it is, maybe there is some other problem happening here (your LAN host doesn't have the pfSense box as the default gateway for example).

            • D
              danswartz
              last edited by

              Usually spurious blocks like this are due to re-sent packets that are not needed.

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Sounds like these:

                http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                As Briantist proposed, those are very likely to be unrelated to the port forward not working. If it was, they'd be TCP:S, and no others.

                The OP may need to try to track down what is going on as described here:
                http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Or it's also covered in the book.

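The distinction drawn in the replies above (a blocked `TCP:S` entry is a refused new connection, while `TCP:FP`, `TCP:P` and similar come from a connection that was already allowed), as an added example that is not part of the original thread and not pfSense's own code. It assumes log entries in the column layout the original poster quoted; the sample lines, addresses and the `classify`/`summarize` names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample entries in the layout quoted in the thread:
# timestamp, interface, source:port, destination:port, protocol[:flags]
SAMPLE_LOG = """\
Mar 20 10:30:23  NG0  1.2.3.4:18072  203.0.113.10:443  TCP:FP
Mar 20 10:30:25  NG0  1.2.3.4:18072  203.0.113.10:443  TCP:P
Mar 20 10:31:02  NG0  198.51.100.7:40112  203.0.113.10:443  TCP:S
Mar 20 10:31:05  NG0  198.51.100.7:40112  203.0.113.10:443  TCP:S
Mar 20 10:32:40  NG0  192.0.2.55:53211  203.0.113.10:443  TCP:FA
Mar 20 10:33:00  NG0  192.0.2.55:5353  203.0.113.10:5353  UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)

def classify(line):
    """Parse one blocked-log line and label it; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    if entry["proto"] != "TCP":
        entry["verdict"] = "non-tcp"
    elif entry["flags"] == "S":
        # A bare SYN is the first packet of a connection: a real refusal.
        entry["verdict"] = "new-connection-blocked"
    else:
        # FIN/PUSH/ACK etc. arrived with no matching state: not the forward failing.
        entry["verdict"] = "out-of-state"
    return entry

def summarize(log_text, dport):
    """Count verdicts for one destination port and list sources of blocked SYNs."""
    verdicts, syn_sources = Counter(), set()
    for line in log_text.splitlines():
        entry = classify(line)
        if entry is None or int(entry["dport"]) != dport:
            continue
        verdicts[entry["verdict"]] += 1
        if entry["verdict"] == "new-connection-blocked":
            syn_sources.add(entry["src"])
    return verdicts, sorted(syn_sources)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, 443))
```

If the summary for the forwarded port shows only out-of-state entries, the blocked lines do not explain the failure and the port-forward troubleshooting steps linked above are the next place to look.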