Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Port forward problem

    NAT
    4
    6
    3879
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      secs last edited by

      Hi all.

      I have over the years used pfsense and succesfully had port forwarding working. However, I cannot get it to work with the verion I have recently installed.

      I have added the port forward rule.
      Wan iterface  proto is tcp ext port range is 443(https) nat ip is 192.168.201.252 internal range is 443

      I have a firewall rule for the wan interface with nothing else before it
      Proto tcp Source * port * destination 192.168.201.252 port 443 gateway * schedule *

      and then I get in the firewall log
      its blocked

      Mar 20 10:30:23  NG0  1.2.3.4:18072  my.external.address.here:443  TCP:FP

      I have done everything I know including rebuilding the firewall box and still its blocked. Has anyone got any ideas casue I am about to give up.

      1 Reply Last reply Reply Quote 0
      • D
        danswartz last edited by

        This doesn't make sense.  If it was blocking inbound http, the segment would be the initial SYN segment (TCP flag would be S, not FP, which is FIN/PUSH).  Can you run packet capture on LAN side and post results when you try again?

        1 Reply Last reply Reply Quote 0
        • S
          secs last edited by

          I am happy to see it seems confusing to someone else other than myself. I will see what I can capture and get back to you all

          1 Reply Last reply Reply Quote 0
          • B
            Briantist last edited by

            Sometimes blocks show up in the firewall log even though it is being allowed (happens at the end of a "session"). I cannot find where I read about this, but I know I did. For example, I have port 443 forwarded to a LAN host as well, and it works just fine, but my firewall log has lots of "blocked" packets (TCP:P) that claim they are for the default deny rule, but they don't affect anything.

            Could it be that the reason your port forward appears to not be working is unrelated to the blocks you are seeing? Try turning on logging on the firewall rule that allows the port forward, and then check the logs to make sure an allow entry is actually showing up. If it is, maybe there is some other problem happening here (your LAN host doesn't have the pfSense box as the default gateway for example).

            1 Reply Last reply Reply Quote 0
            • D
              danswartz last edited by

              Usually spurious blocks like this are due to re-sent packets that are not needed.

              1 Reply Last reply Reply Quote 0
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Sounds like these:

                http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

                As Briantist proposed, those are very likely to be unrelated to the port forward not working. If it was, they'd be TCP:S, and no others.

                The OP may need to try to track down what is going on as described here:
                http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Or it's also covered in the book.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post