NAT reflection and port forwards broken in RC1


  • Banned

    Build 20110226-1530 and the update that follows!

    Just FYI.

    It did work for a short time on BETA5.



  • +1
    Port forwarding does not work in RC-1.
    Is this fixed in the latest snapshot?


  • Banned

    I upgraded and it still doesn't work...



  • Can you be more explicit?
    Provide information, otherwise this is not the place for ranting.


  • Banned

    I don't see anything in the logs... the packets are silently dropped and I only get the login screen of pfSense, no matter if I turn on reflection or not.

    Tell me where to look and what I shall look for. It's basic routing that gets lost...

    Running VMware without VMware Tools installed. 3 NICs: WAN, LAN and OPT1.


  • LAYER 8 Global Moderator

    Port forwards are NOT broken that is for sure – I clearly accessed my ssh box from outside my network yesterday, 22 is forwarded inbound to 192.168.1.6, lan ip of pfsense is .253

    I just tested nat reflection and it is working as well

    C:\Windows\System32>ssh snipped.homeip.net
    Could not create directory '/home/snipped/.ssh'.
    The authenticity of host 'snipped.homeip.net (24.14.xx.xx)' can't be established.
    RSA key fingerprint is 99:19:09:bd:50:98:74:ce:89:97:35:70:e4:8d:1b:ed.
    Are you sure you want to continue connecting (yes/no)?

    this is from my home windows box on .100, clearly hitting the public IP 24.14 and being reflected back into my sshd box on 192.168.1.6

    If you're saying something is broken, you're going to have to give details of exactly what does not work, and hopefully an example showing it NOT working, etc.

    currently on snap
    2.0-RC1 (i386)
    built on Mon Feb 28 18:12:00 EST 2011

    edit:  Sounds like you're on a VM, what are you trying to reflect or forward to?  Another VM on the same host?  I had all kinds of issues with both 1.2.3, and the 2.0 betas with port forwarding to other VMs on the same host -- could never get it to work.. I have a thread about it in the VM section, never got a response with a solution - I dropped the whole thing of running it on a VM for this reason.


  • Banned

    1.2.3 works no issues at all. It has nothing to do with anything that is VM related.

    2.0RC1 does not work for me. If I replace it with 1.2.3, it runs with no issues. Same config, same rules. I don't get any logs of anything related to this on RC1. It doesn't get blocked, it passes, but disappears.



  • Probably firewall rule issue?


  • Banned

    Nope... the block-all rule comes at the bottom... the same rule setup applies with no issues in 1.2.3


  • LAYER 8 Global Moderator

    And again you have given NO details of what is not working..

    Both forwards and NAT reflection work as they should on my install. So clearly it's not broken in the general code, but something specific to your setup/snap?  But without specific details, how can anyone help you find the problem?

    I have been using multiple forwards since I started playing with the 2.0 betas, and use them almost every day - and have never seen an issue with any of the snaps I have played with.

    Unless other people come forward and say theirs are not working as well, and give some details I really don't see how anyone can either find the bug in the code or help you with your specific problem?

    You say it's working in 1.2.3, are you doing a clean install of 2.0 or trying to upgrade and install your rules/settings into the 2.0 instance?



  • Again? Come on guys...
    Every time someone said that NAT reflection was not working with the beta it actually did...
    Right now I tested port forwarding to an internal web server which works. Also NAT reflection from WLAN->LAN with my external web server's hostname works flawlessly...

    I don't know what you guys are doing wrong all the time...

    I am using 2.0-RC1 (i386) built on Mon Feb 28 14:28:32 EST 2011 btw...


  • Banned

    I don't see anything in the logs... I am actually asking kindly for help to find info that is related to the matter.

    How the hell should I be able to answer what is wrong, when it doesn't tell me anything?

    It is a fresh install from scratch on 2.0 RC1, and the 1.2.3 machine and it are both running in the same VM environment. FreeBSD 32bit.

    So unless you can tell me where to find logs that tells me what is wrong, then I suggest you take it easy.

    Try to help instead of patronizing me...



  • You could start by telling us EXACTLY what you did to set it up. 'doesn't work' is not really a helpful problem description. Give us every step you did and we can help you by telling you where you went wrong...


  • Banned

    I set up the box... added the interfaces... WAN, LAN and OPT1. Gave them the relevant IP address ranges, did the rules and port forwards and put it online. Nothing came through to the relevant servers behind. Every internal website was going to the login page of pfSense. I couldn't access the sites from outside either. Despite the block-all rule coming last in the rule list. Everything was set up just like 1.2.3 and nothing worked. Gateway was given and I could access external sites just fine. It didn't change anything if I enabled or disabled the NAT reflection. Rebooted 3 times to see if it would change things... it did not. Upgrading to newer snapshots didn't work either.



  • To what is your external IP set in the port forward?
    ("any" would be wrong)


  • Banned

    Interface address….. :)



  • Please post your configuration and mask all confidential information in there. Then we can have a look at it…


  • Banned

    Will set it up again this evening with the latest snap... Deleted it in VMware out of sheer anger :D



  • Also do some tests from outside afterwards, e.g. 'telnet hostname port' to see if you get a connection. For NAT reflection to work you also need to disable the check on System->Advanced->Firewall/NAT for the reflection...

    If it doesn't work post your configuration or at least screenshots. If you say I set up the rules, how are we supposed to know you did everything right? Did you just add the firewall rule or also the NAT rule? More details please. Source, destination and so on. But again, just post your configuration would be easier. I am still on the first RC snap and it is working with it.


  • Banned

    Will do!


  • Banned

    This is my config...

    Just a test setup, but it still doesn't work.

    <pfsense><version>7.6</version>
    <lastchange><theme>pfsense_ng</theme>
    <sysctl><tunable>debug.pfftpproxy</tunable>
    <value>default</value>
    <tunable>vfs.read_max</tunable>
    <value>default</value>
    <tunable>net.inet.ip.portrange.first</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.blackhole</tunable>
    <value>default</value>
    <tunable>net.inet.udp.blackhole</tunable>
    <value>default</value>
    <tunable>net.inet.ip.random_id</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.drop_synfin</tunable>
    <value>default</value>
    <tunable>net.inet.ip.redirect</tunable>
    <value>default</value>
    <tunable>net.inet6.ip6.redirect</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.syncookies</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.recvspace</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.sendspace</tunable>
    <value>default</value>
    <tunable>net.inet.ip.fastforwarding</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.delayed_ack</tunable>
    <value>default</value>
    <tunable>net.inet.udp.maxdgram</tunable>
    <value>default</value>
    <tunable>net.link.bridge.pfil_onlyip</tunable>
    <value>default</value>
    <tunable>net.link.bridge.pfil_member</tunable>
    <value>default</value>
    <tunable>net.link.bridge.pfil_bridge</tunable>
    <value>default</value>
    <tunable>net.link.tap.user_open</tunable>
    <value>default</value>
    <tunable>kern.rndtest.verbose</tunable>
    <value>default</value>
    <tunable>kern.randompid</tunable>
    <value>default</value>
    <tunable>net.inet.ip.intr_queue_maxlen</tunable>
    <value>default</value>
    <tunable>hw.syscons.kbd_reboot</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.inflight.enable</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.log_debug</tunable>
    <value>default</value>
    <tunable>net.inet.icmp.icmplim</tunable>
    <value>default</value>
    <tunable>net.inet.tcp.tso</tunable>
    <value>default</value>
    <tunable>kern.ipc.maxsockbuf</tunable>
    <value>default</value></sysctl>
    <system><optimization>normal</optimization>
    <hostname>pfsense</hostname>
    <domain>localdomain</domain>
    <group><name>all</name>

    <scope>system</scope>
    <gid>1998</gid>
    <member>0</member></group>
    <group><name>admins</name>

    <scope>system</scope>
    <gid>1999</gid>
    <member>0</member>
    <priv>page-all</priv></group>
    <user><name>admin</name>

    <scope>system</scope>
    <groupname>admins</groupname>
    <password>xxxx</password>
    <uid>0</uid>
    <priv>user-shell-access</priv></user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <timezone>Europe/Copenhagen</timezone>
    <time-update-interval><timeservers>dk.pool.ntp.org</timeservers>
    <webgui><protocol>http</protocol>
    <ssl-certref>xxx</ssl-certref></webgui>
    <maximumstates><maximumtableentries><enablebinatreflection>yes</enablebinatreflection>
    <reflectiontimeout><dnsserver>8.8.8.8</dnsserver>
    <dnsserver>208.67.222.222</dnsserver>
    <dnsserver>195.67.199.39</dnsserver>
    <dnsserver>195.67.199.40</dnsserver>
    <dnsallowoverride><firmware><allowinvalidsig></allowinvalidsig></firmware>
    <gitsync><branch></branch></gitsync></dnsallowoverride></reflectiontimeout></maximumtableentries></maximumstates></time-update-interval></system>
    <interfaces><wan><enable><if>em0</if>
    <blockpriv><blockbogons><media><mediaopt><spoofmac><ipaddr>xxx.xxx.201.114</ipaddr>
    <subnet>28</subnet>
    <gateway>Telia</gateway></spoofmac></mediaopt></media></blockbogons></blockpriv></enable></wan>
    <lan><enable><if>em1</if>
    <ipaddr>192.168.1.1</ipaddr>
    <subnet>16</subnet>
    <media><mediaopt></mediaopt></media></enable></lan>
    <opt1><if>em2</if>

    <enable><spoofmac><ipaddr>192.168.10.1</ipaddr>
    <subnet>24</subnet></spoofmac></enable></opt1></interfaces>
    <staticroutes><dhcpd><lan><range><from>192.168.1.100</from>
    <to>192.168.1.199</to></range></lan></dhcpd>
    <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
    <dnsmasq><enable><domainoverrides><domain>netxxxxxx.dk</domain>
    <ip>192.168.1.1</ip></domainoverrides></enable></dnsmasq>
    <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
    <diag><ipv6nat></ipv6nat></diag>
    <bridge><syslog><nat><ipsecpassthru><enable/></ipsecpassthru>
    <rule>
        <source><any/><port>25</port></source>
        <destination><network>wanip</network><port>25</port></destination>
        <protocol>tcp</protocol>
        <target>ISA</target>
        <local-port>25</local-port>
        <interface>wan</interface>
        <descr/>
        <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
    </rule>
    <rule>
        <source><any/><port>80</port></source>
        <destination><network>wanip</network><port>80</port></destination>
        <protocol>tcp</protocol>
        <target>ISA</target>
        <local-port>80</local-port>
        <interface>wan</interface>
        <descr/>
        <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
    </rule></nat>
    <filter>
    <rule>
        <source><any/><port>25</port></source>
        <interface>wan</interface>
        <protocol>tcp</protocol>
        <destination><address>ISA</address><port>25</port></destination>
        <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
    </rule>
    <rule>
        <source><any/><port>80</port></source>
        <interface>wan</interface>
        <protocol>tcp</protocol>
        <destination><address>ISA</address><port>80</port></destination>
        <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
    </rule>
    <rule>
        <id/>
        <type>block</type>
        <interface>wan</interface>
        <tag/><tagged/><max/><max-src-nodes/><max-src-conn/><max-src-states/><statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <protocol>tcp/udp</protocol>
        <source><any/></source>
        <destination><any/></destination>
    </rule>
    <rule>
        <type>pass</type>
        <interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
    </rule></filter>
    <shaper><ipsec><preferoldsa></preferoldsa></ipsec>
    <aliases><alias><name>ISA</name>

    <address>192.168.1.50</address>

    <descr><type>host</type>
    <detail></detail></descr></alias></aliases>
    <proxyarp><cron><minute>0</minute>
    <hour></hour>
    <mday>
    </mday>
    <month></month>
    <wday>
    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 newsyslog
    <minute>1,31</minute>
    <hour>0-5</hour>
    <mday></mday>
    <month>
    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 adjkerntz -a
    <minute>1</minute>
    <hour>3</hour>
    <mday>1</mday>
    <month>
    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
    <minute>
    /60</minute>
    <hour></hour>
    <mday>
    </mday>
    <month></month>
    <wday>
    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    <minute>1</minute>
    <hour>1</hour>
    <mday></mday>
    <month>
    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
    <minute>
    /60</minute>
    <hour></hour>
    <mday>
    </mday>
    <month></month>
    <wday>
    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    <minute>30</minute>
    <hour>12</hour>
    <mday></mday>
    <month>
    </month>
    <wday>*</wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.update_urltables</cron>
    <wol><rrd><enable></enable></rrd>
    <load_balancer><monitor_type><name>ICMP</name>
    <type>icmp</type></monitor_type>
    <monitor_type><name>TCP</name>
    <type>tcp</type></monitor_type>
    <monitor_type><name>HTTP</name>
    <type>http</type>

    <options><path>/</path>
    <host>200</host></options></monitor_type>
    <monitor_type><name>HTTPS</name>
    <type>https</type>

    <options><path>/</path>
    <host>200</host></options></monitor_type>
    <monitor_type><name>SMTP</name>
    <type>send</type>

    <options><send>EHLO nosuchhost</send>
    <expect>250-</expect></options></monitor_type></load_balancer>
    <widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence></widgets>
    <revision><time>1299152187</time>

    <username>admin</username></revision>
    <openvpn><l7shaper><container></container></l7shaper>
    <dnshaper><cert><refid>4d6f3f19cede8</refid>

    <crt>xxx</crt>
    <prv>xxx</prv></cert>
    <ppps><gateways><gateway_item><interface>wan</interface>
    <gateway>xx.xxx.201.113</gateway>
    <name>Telia</name>
    <weight>1</weight>
    <descr><defaultgw></defaultgw></descr></gateway_item></gateways></ppps></dnshaper></openvpn></wol></proxyarp></shaper></syslog></bridge></staticroutes></lastchange></pfsense>



  • I may not be interpreting your config.xml correctly but it looks to me that you have configured your port forwarding rules incorrectly. For example, the rule for SMTP port forwarding apparently says source port=25 and destination port=25. It is very unlikely that an access attempt to your SMTP server will come from port 25. Sure, it will be headed for destination port 25. I think you should have a source port of Any (* in the web GUI). I didn't look at your other port forwarding rules.


  • Banned

    Works fine in 1.2.3. And has been all the time.




  • External port must be any. Never does a server connect from its port 25 to 25...


  • Banned

    Not even if you relay to somewhere else?

    @jlepthien:

    > External port must be any. Never does a server connect from its port 25 to 25...



  • A connection always comes from a port >1023 to the destination service port like 80 or 25…


  • Banned

    My ISP provides relay on the test setup on port 25... works like a charm.



  • It looks to me that your port forwarding rule for SMTP will match only packets arriving on the WAN interface if the source port is 25 and destination port is 25.

    I think you should look closely at your firewall logs to see how many access attempts to your SMTP server come from port 25.

    My SMTP port forwarding rule specifies source port=any destination port=25. My rule works. Your rule is more restrictive than mine and doesn't work.

    Repeat above (with appropriate port number changes) for every port forward in which you have specified source port = destination port.
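To make the checking procedure above concrete, here is a small Python linter, added for this thread and not pfSense code, that reads a config.xml fragment in the shape posted earlier and flags every port forward (and its linked filter rule) whose source port is pinned to a specific port. The sample XML is constructed to mirror the posted rules (the ISA alias, ports 25 and 80, the associated-rule-ids), so it is not the poster's file.

```python
"""Flag pfSense port forwards whose source port is restricted.

Added illustration for this thread, not pfSense's own code. A client
connects from an ephemeral port, so a forward whose <source> carries a
<port> element only matches traffic that happens to originate from that
exact port; the GUI shows an unrestricted source port as '*'.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the rules posted in the thread (not the poster's file).
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <source><any/><port>25</port></source>
      <destination><network>wanip</network><port>25</port></destination>
      <protocol>tcp</protocol><target>ISA</target><local-port>25</local-port>
      <interface>wan</interface>
      <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
    </rule>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <protocol>tcp</protocol><target>ISA</target><local-port>80</local-port>
      <interface>wan</interface>
      <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <source><any/><port>25</port></source>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><address>ISA</address><port>25</port></destination>
      <associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id>
    </rule>
    <rule>
      <source><any/></source>
      <interface>wan</interface><protocol>tcp</protocol>
      <destination><address>ISA</address><port>80</port></destination>
      <associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id>
    </rule>
  </filter>
</pfsense>"""


def _source_port(rule):
    """Return the text of <source><port>, or None when the source port is 'any'."""
    port = rule.find("source/port")
    return port.text.strip() if port is not None and port.text else None


def find_pinned_source_ports(config_xml):
    """Return one finding per NAT rule whose source port is restricted.

    Each finding names the forward by its associated-rule-id, its external
    port, and whether the linked filter rule repeats the restriction.
    """
    root = ET.fromstring(config_xml)
    # Index filter rules by the id that links them to their port forward.
    linked = {
        r.findtext("associated-rule-id"): r
        for r in root.findall("filter/rule")
        if r.findtext("associated-rule-id")
    }
    findings = []
    for rule in root.findall("nat/rule"):
        sport = _source_port(rule)
        if sport is None:
            continue  # source port 'any': nothing to report
        rule_id = rule.findtext("associated-rule-id")
        filt = linked.get(rule_id)
        findings.append({
            "rule_id": rule_id,
            "external_port": rule.findtext("destination/port"),
            "source_port": sport,
            "filter_rule_also_pinned": filt is not None and _source_port(filt) is not None,
        })
    return findings


if __name__ == "__main__":
    for f in find_pinned_source_ports(SAMPLE_CONFIG):
        print("forward %(rule_id)s to external port %(external_port)s only matches "
              "source port %(source_port)s (linked filter rule pinned too: "
              "%(filter_rule_also_pinned)s)" % f)
```

Run against a real export, the loop reports every forward that needs its source port changed back to any; the linked filter rule is checked as well because pfSense generates it from the same form, so the restriction is usually duplicated there.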


  • Banned

    I have no issues at all with mail…. :) I do understand what you mean, but it works fine.



  • Wow, that is surprising that 1.2.3 works with those port forwards. I noticed your RDP ports, and wanted to let you know you can change Windows' default RDP port through the registry. Though you're achieving the same effect by using NAT, which is pretty cool :-)

    So your ISP is doing NAT for you. Does that mean that when it sees a packet with a destination port 25 (or whatever), it relays/forwards it to you from port 25 making the source 25? That's a bit interesting.


  • Banned

    I am only forwarding the ports... rules are source port range: any. :)

    Sorry for my mistake...




  • Well, but if you wanna use NAT reflection from a client, that client will most certainly establish the connection from a high port to port 25, so you need to have any on your source port... just try that...



  • The WAN rule only lets the packet in, once the packet is in it still has the original source port. So with your port forwards set to have the source port the same as the destination port, normally that wouldn't work. Like others have said when a server/service sends packets out, it is not always, or never, leaving from the same port as your server/service is listening on. I will post later and show firewall logs as an example.

    Could you explain a little further by what you mean when you say your ISP is relaying?

    Also you said your 1.2.3 has the same settings as your RC1, are they both virtual machines or is your 1.2.3 a physical machine?


  • Banned

    Both virtual….

    My mail server in the test setup is relayed by my ISP. I have to use their mail server for relay... Everything is broadcast on port 25.

    I don't have any issues running 1.2.3 at all. It works fine and has always done exactly that.


  • Netgate Administrator

    Seems to be a lot of confusion between firewall rules and Port Forward rules here.

    > External port must be any. Never does a server connect from its port 25 to 25...

    That's clearly wrong. If that were true then you'd be port forwarding packets arriving on WAN on ANY port to your internal SMTP server.  ::)

    The above quote is true for firewall rules though but the posted table is port forwarding.

    Steve

    Edit: It's correct that the source port won't be 25 but that's not relevant to port forwarding.



  • Looking at your config, your NAT port forwards say Destination: WANIP, but your WAN rules show Destination: 192.168.1.50 (ISA).

    Maybe change your port forward Destination: Any...  or to ISA instead of WAN.

    So your rules will allow anything with the destination ISA, but your port forward only forwards when they have the destination of WANIP, your rules aren't allowing such packets in.

    I don't remember 1.2.3 giving you the option of specifying the Destination IP like 2.0 does for port forwards.


  • Netgate Administrator

    Surely packets arriving on WAN are going to have destination WANIP otherwise they wouldn't arrive!?

    Does 'destination' in config.xml not correspond to 'IF' in the GUI table?
    Edit: Scrub that. Clearly not!  :-[

    Packets hit the port forwarder before the firewall.

    Steve
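To make that ordering concrete, here is a small Python model, added for this thread and not pfSense or pf code, of a port forward followed by the WAN filter rules. The matching is simplified (no state table, no reflection, first matching filter rule wins), the addresses are constructed (203.0.113.114 stands in for the masked WAN address, 198.51.100.7 for an outside client), and the ISA alias is the one from the posted config. It shows the two points the thread settles on: a forward whose source port is pinned to 25 never matches a client connecting from an ephemeral port, and the filter rules see the already-translated destination, so a WAN pass rule written for the WAN address rather than ISA blocks the forwarded traffic.

```python
"""Toy model of pfSense 2.0 packet flow: port forward (pf 'rdr') first,
then the WAN filter rules. Added illustration, not pfSense or pf code;
addresses are constructed and matching is deliberately simplified."""
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_IP = "203.0.113.114"   # constructed stand-in for the masked xxx.xxx.201.114
ISA = "192.168.1.50"       # the 'ISA' alias from the posted config


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class PortForward:
    iface: str
    proto: str
    dst: str                    # 'wanip' as written in config.xml
    dport: int
    target: str
    local_port: int
    sport: Optional[int] = None  # None means 'any' (shown as '*' in the GUI)


@dataclass
class FilterRule:
    action: str                 # 'pass' or 'block'
    iface: str
    proto: Optional[str]        # None means any protocol
    dst: Optional[str]          # None means any destination
    dport: Optional[int]        # None means any port


def apply_port_forwards(pkt: Packet, forwards) -> Packet:
    """Return pkt with its destination rewritten by the first matching forward."""
    for fw in forwards:
        dst = WAN_IP if fw.dst == "wanip" else fw.dst
        if (pkt.iface, pkt.proto, pkt.dst, pkt.dport) != (fw.iface, fw.proto, dst, fw.dport):
            continue
        if fw.sport is not None and pkt.sport != fw.sport:
            continue  # pinned source port: an ephemeral client port never matches
        return Packet(pkt.iface, pkt.proto, pkt.src, pkt.sport, fw.target, fw.local_port)
    return pkt  # no forward matched: destination stays the WAN address


def filter_packet(pkt: Packet, rules) -> str:
    """First matching rule decides; anything unmatched is blocked by default."""
    for r in rules:
        if r.iface != pkt.iface or r.proto not in (None, pkt.proto):
            continue
        if r.dst not in (None, pkt.dst) or r.dport not in (None, pkt.dport):
            continue
        return r.action
    return "block"


def process(pkt: Packet, forwards, rules) -> Tuple[str, str, int]:
    """Run the forward step, then the filter step; report verdict and final destination."""
    translated = apply_port_forwards(pkt, forwards)
    return filter_packet(translated, rules), translated.dst, translated.dport


# The forward as posted: source port pinned to 25.
POSTED_FORWARDS = [PortForward("wan", "tcp", "wanip", 25, ISA, 25, sport=25)]
# The same forward with source port 'any', as the replies recommend.
FIXED_FORWARDS = [PortForward("wan", "tcp", "wanip", 25, ISA, 25)]
# WAN rules: the pass rule pfSense links to the forward (destination ISA), then block all.
WAN_RULES = [FilterRule("pass", "wan", "tcp", ISA, 25),
             FilterRule("block", "wan", None, None, None)]
# A pass rule mistakenly written for the pre-NAT destination (the WAN address).
WAN_RULES_PRE_NAT = [FilterRule("pass", "wan", "tcp", WAN_IP, 25),
                     FilterRule("block", "wan", None, None, None)]


def demo():
    """Constructed SMTP client connecting from an ephemeral port to the WAN address."""
    client = Packet("wan", "tcp", "198.51.100.7", 51234, WAN_IP, 25)
    return {
        "posted": process(client, POSTED_FORWARDS, WAN_RULES),
        "fixed": process(client, FIXED_FORWARDS, WAN_RULES),
        "fixed_pre_nat_rule": process(client, FIXED_FORWARDS, WAN_RULES_PRE_NAT),
    }


if __name__ == "__main__":
    for name, (verdict, dst, dport) in demo().items():
        print(f"{name:>18}: {verdict}, final destination {dst}:{dport}")
```

The "posted" case is the thread's symptom: the forward never fires, so the packet keeps the WAN address as its destination, misses the pass rule for ISA and falls through to block all. The "fixed_pre_nat_rule" case is the mirror-image mistake from the reply above Steve's: once the destination has been rewritten to ISA, a pass rule matching the WAN address no longer applies.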



  • Is that true, the packets hit the port forwarder before the rules are applied? Wouldn't that over-work the firewall for the masses of hits we get from china? Well my CPU load is never over 1% so I guess not, but good to know that is how it works.



  • Well China won't kill you because there are no NAT rules in place besides the ones you specify…



  • I just figured it still checks all requests against the port forwards to see if they match, and it would be that checking causing usage. I only have about 10 port forwards, but I figured if somebody had maybe 20 port forwards, maybe 100+ hits a minute to check against 20 rules, that would add up. But like I said I never get over 1% used so I guess not.

    I just never knew that it went through port forwards first, very good to know though lol. I can adjust my WAN rule set accordingly.

