Netgate Discussion Forum
Port forwarding problem

thor57:

I am running Version 1.2.3 and I need to forward ports 1812-1813 to a server in my network with a private address (10.0.0.30). I have a public address (173.226.x.x Virtual IP) 1:1 NAT'ed to this private address and port forwarding set up as follows:
Interface - WAN
External Address - 173.226.x.x
Protocol - TCP/UDP
External Port range - 1812-1813
NAT IP - 10.0.0.30
Local Port - 1812

I also have the corresponding Firewall rule set up. When I check the Firewall logs I can see the traffic being blocked with this message:
The rule that triggered this action is:

@1533 block drop in log quick all label "Default deny rule"

Any suggestions as to how I can get this to work?

clarknova:

Please post the details of the WAN pass rule, which appears to not be matching your packet in this case.

db

thor57:

These are the settings in Firewall-Rules-WAN:
Action - Pass
Interface - WAN
Protocol - TCP/UDP
Source - any
Source ports - any
Destination - Single host or alias /10.0.0.30
Destination port range - any
All of the other settings for this rule are still at the default values.
Thanks for your help.

Callahan:

This sounds like your allow rule in your firewall is sitting below the default deny rule, so the packets are being dropped by the default deny rule before they get to the allow rule.

clarknova:

Agreed. Please post a screenshot of all your WAN rules, or the contents of /tmp/rules.debug.

db

thor57:

Here is a screenshot of my WAN rules and the text of the debug file.

Text of debug file:

# System Aliases

loopback = "{ lo0 }"
lan = "{ em1 }"
wan = "{ em0 }"
enc0 = "{ enc0 }"

# User Aliases

set loginterface em0
set loginterface em1
set optimization normal

set skip on pfsync0
scrub all random-id fragment reassemble

nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# FTP proxy

rdr-anchor "pftpx/*"
binat on em0 from 10.0.0.55/32 to any -> 173.226.181.35/32
binat on em0 from 10.0.0.15/32 to any -> 173.226.181.36/32
binat on em0 from 10.0.0.20/32 to any -> 173.226.181.37/32
binat on em0 from 10.0.0.25/32 to any -> 173.226.181.38/32
binat on em0 from 10.0.0.30/32 to any -> 173.226.181.39/32

# Outbound NAT rules

nat on $wan from 10.0.0.0/20 port 500 to any port 500 -> (em0) port 500
nat on $wan from 10.0.0.0/20 port 5060 to any port 5060 -> (em0) port 5060
nat on $wan from 10.0.0.0/20 to any -> (em0) port 1024:65535

#SSH Lockout Table
table <sshlockout> persist

# Load balancing anchor - slbd updates

rdr-anchor "slb"

# FTP Proxy/helper

table <onetoonelist> { 10.0.0.55 10.0.0.15 10.0.0.20 10.0.0.25 10.0.0.30 }
table <vpns> { }
no rdr on em1 proto tcp from any to <vpns> port 21
no rdr on em1 proto tcp from <onetoonelist> to any port 21
rdr on em1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# NAT Inbound Redirects

rdr on em0 proto tcp from any to 173.226.181.37/32 port { 22 } -> 10.0.0.20
rdr on em0 proto tcp from any to 173.226.181.37/32 port { 443 } -> 10.0.0.20
rdr on em0 proto tcp from any to 173.226.181.35/32 port 9005:9443 -> 10.0.0.55 port 9005:*
rdr on em0 proto tcp from any to 173.226.181.37/32 port { 80 } -> 10.0.0.20
rdr on em0 proto { tcp udp } from any to 173.226.181.37/32 port 1812:1813 -> 10.0.0.20 port 1812:*

# IMSpector rdr anchor

rdr-anchor "imspector"

# UPnPd rdr anchor

rdr-anchor "miniupnpd"

anchor "ftpsesame/*"
anchor "firewallrules"

# We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c

table <snort2c> persist
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# Block all IPv6

block in quick inet6 all
block out quick inet6 all

# loopback

anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook

anchor "packageearly"

# carp

anchor "carp"

# permit wan interface to ping out (ping_hosts.sh)

pass quick proto icmp from 173.226.181.34 to any keep state

# NAT Reflection rules

# allow access to DHCP server on LAN

anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 10.0.0.5 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 10.0.0.5 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on $wan proto udp from any port = 67 to 10.0.0.0/20 port = 68 label "block dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)

antispoof for em1

anchor "spoofing"

# Support for allow limiting of TCP connections by establishment rate

anchor "limitingesr"
table <virusprot>
block in quick from <virusprot> to any label "virusprot overload table"

# let out anything from the firewall host itself and decrypted IPsec traffic

pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"

# tcp.closed 5 is a workaround for load balancing, squid and a few other issues.

# ticket (FEN-857512) in centipede tracker.

pass out quick on em0 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"

# pass traffic from firewall -> out

anchor "firewallout"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"

# make sure the user cannot lock himself out of the webGUI or SSH

anchor "anti-lockout"
pass in quick on em1 from any to 10.0.0.5 keep state label "anti-lockout web rule"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

anchor "ftpproxy"
anchor "pftpx/*"
pass quick proto carp
pass quick proto pfsync

# User-defined aliases follow

# User-defined rules follow

pass in quick on $wan reply-to (em0 173.226.181.33) proto { tcp udp } from any to { 10.0.0.0/20 } port 1811 >< 1814 keep state label "USER_RULE: NAT auth"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to { 10.0.0.0/20 } port = 80 keep state label "USER_RULE: NAT auth test"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to { 10.0.0.0/20 } port = 443 keep state label "USER_RULE: NAT auth test"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to { 10.0.0.0/20 } port = 22 keep state label "USER_RULE: NAT auth test"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to { 10.0.0.55 } port 9004 >< 9444 keep state label "USER_RULE: NAT aircontrol"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to 173.226.181.34 keep state label "USER_RULE: WAN Access"
pass in quick on $lan from 10.0.0.0/20 to any keep state label "USER_RULE: Default LAN -> any"

# VPN Rules

pass in quick on em1 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from port 20 to (em0) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"

# enable ftp-proxy

# IMSpector

anchor "imspector"

# uPnPd

anchor "miniupnpd"

#---------------------------------------------------------------------------

# default deny rules

#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"

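Added illustration, not part of the thread: a small Python evaluator for the subset of pf filter syntax that appears in the posted rules.debug. It shows the two things this thread turns on: pf's winner is the last matching rule unless a matching rule carries `quick`, in which case evaluation stops there (so a default deny placed above the user rules wins, as Callahan describes), and filter rules are evaluated against the packet as it looks after binat/rdr translation, so a packet that still carries the public VIP address matches none of the posted pass rules and falls through to "Default deny rule". The ruleset embedded below is an excerpt of the user rules and default deny posted above; the source address 198.51.100.7 and the test packets are constructed sample values, and `Rule`, `Packet`, `parse_rule` and `evaluate` are names of this example, not of pfSense or pf.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Interface macros from the "System Aliases" section of the posted rules.debug.
MACROS = {"$wan": "em0", "$lan": "em1", "$loopback": "lo0", "$enc0": "enc0"}

# Excerpt of the posted ruleset (user rules, then the default deny) in pf's evaluation order.
RULESET = """
pass in quick on $wan reply-to (em0 173.226.181.33) proto { tcp udp } from any to { 10.0.0.0/20 } port 1811 >< 1814 keep state label "USER_RULE: NAT auth"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to { 10.0.0.0/20 } port = 443 keep state label "USER_RULE: NAT auth test"
pass in quick on $wan reply-to (em0 173.226.181.33) proto tcp from any to 173.226.181.34 keep state label "USER_RULE: WAN Access"
pass in quick on $lan from 10.0.0.0/20 to any keep state label "USER_RULE: Default LAN -> any"
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"
"""

# Tokens: quoted label, parenthesised reply-to, braced list, or bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\([^)]*\)|\{[^}]*\}|\S+')

@dataclass
class Rule:
    action: str
    direction: Optional[str] = None                    # "in", "out", or None for both
    quick: bool = False
    iface: Optional[str] = None                        # None matches any interface
    protos: List[str] = field(default_factory=list)    # empty matches any protocol
    src: List[str] = field(default_factory=list)       # empty matches any address
    dst: List[str] = field(default_factory=list)
    dport: Optional[Tuple[int, int]] = None            # inclusive destination port range
    label: str = ""

@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str       # as the filter sees it, i.e. after binat/rdr translation
    dport: int

def parse_rule(line: str) -> Optional[Rule]:
    """Parse the subset of pf filter syntax that pfSense writes to rules.debug."""
    toks = TOKEN_RE.findall(line)
    if not toks or toks[0] not in ("pass", "block"):
        return None
    rule, side, i = Rule(action=toks[0]), None, 1      # side: last seen "from"/"to"
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t == "on":
            i += 1
            rule.iface = MACROS.get(toks[i], toks[i])
        elif t == "proto":
            i += 1
            rule.protos = toks[i].strip("{}").replace(",", " ").split()
        elif t in ("from", "to"):
            side, i = t, i + 1
            hosts = [] if toks[i] == "any" else toks[i].strip("{}").split()
            (rule.src if t == "from" else rule.dst).extend(hosts)
        elif t == "port" and side == "to":             # source ports are not modelled here
            if toks[i + 1] == "=":                                   # port = 443
                rule.dport, i = (int(toks[i + 2]),) * 2, i + 2
            elif i + 2 < len(toks) and toks[i + 2] == "><":          # 1811 >< 1814 is 1812-1813
                rule.dport, i = (int(toks[i + 1]) + 1, int(toks[i + 3]) - 1), i + 3
            else:                                                    # N, or lo:hi inclusive
                lo, _, hi = toks[i + 1].partition(":")
                rule.dport, i = (int(lo), int(hi or lo)), i + 1
        elif t == "label":
            i += 1
            rule.label = toks[i].strip('"')
        i += 1
    return rule

def load(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.strip().splitlines()) if r is not None]

def in_net(addr: str, spec: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule: Rule, p: Packet) -> bool:
    return ((rule.direction in (None, p.direction)) and (rule.iface in (None, p.iface))
            and (not rule.protos or p.proto in rule.protos)
            and (not rule.src or any(in_net(p.src, h) for h in rule.src))
            and (not rule.dst or any(in_net(p.dst, h) for h in rule.dst))
            and (rule.dport is None or rule.dport[0] <= p.dport <= rule.dport[1]))

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """pf semantics: the last matching rule wins, but a matching 'quick' rule ends
    evaluation at once; with no match at all pf passes the packet."""
    winner = None
    for rule in rules:
        if matches(rule, p):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.label) if winner else ("pass", "implicit pass, no rule matched")

if __name__ == "__main__":
    rules, src = load(RULESET), "198.51.100.7"        # constructed sample source address
    for pkt in (Packet("em0", "in", "udp", src, "10.0.0.30", 1812),        # translated 1:1 NAT target
                Packet("em0", "in", "udp", src, "173.226.181.39", 1812),   # public VIP left untranslated
                Packet("em0", "in", "tcp", src, "10.0.0.30", 1815)):       # port outside the forward
        print(pkt.dst, pkt.dport, "->", evaluate(rules, pkt))
    # Callahan's scenario: the same packet when the default deny sits above the user rules.
    print("deny first ->", evaluate([rules[-2]] + rules[:-2], Packet("em0", "in", "udp", src, "10.0.0.30", 1812)))
```

Run it as a script to see the verdicts; the first packet passes on "USER_RULE: NAT auth", the other two and the reordered case land on "Default deny rule". One further observation from the posted rules themselves: the "NAT auth" pass rule admits WAN traffic on 1812-1813 to the whole 10.0.0.0/20, not just the forwarded host, so once the forward works, narrowing its destination to 10.0.0.30 keeps the WAN exposure to exactly the intended service.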
clarknova:

This looks like a VIP problem to me. You may get better help posting in the CARP/VIP section.

db
