NAT reflection and port forwards broken in RC1
-
You could start by telling us EXACTLY what you did to set it up. 'doesn't work' is not really a helpful problem description. Give us every step you took and we can help you by telling you where you went wrong…
-
I set up the box… added the interfaces: WAN, LAN and OPT1. Gave them the relevant IP address ranges, did the rules and port forwards and put it online. Nothing came through to the relevant servers behind it. Every internal website was going to the login page of pfSense. I couldn't access the sites from outside either, despite the block-all rule coming last in the rule list. Everything was set up just like in 1.2.3 and nothing worked. A gateway was given and I could access external sites just fine. It didn't change anything if I enabled or disabled NAT reflection. Rebooted 3 times to see if it would change things... it did not. Upgrading to newer snapshots didn't work either.
-
To what is your external IP set in the port forward?
("any" would be wrong)
-
Interface address… :)
-
Please post your configuration and mask all confidential information in there. Then we can have a look at it…
-
Will set it up again this evening with the latest snap… Deleted it in VMware out of sheer anger :D
-
Also do some tests from outside afterwards, e.g. 'telnet hostname port' to see if you get a connection. For NAT reflection to work you also need to disable the check on System->Advanced->Firewall/NAT for the reflection…
If it doesn't work, post your configuration or at least screenshots. If you just say "I set up the rules", how are we supposed to know you did everything right? Did you just add the firewall rule or also the NAT rule? More details please: source, destination and so on. But again, just posting your configuration would be easier. I am still on the first RC snap and it is working with it.
-
Will do!
-
This is my config…
Just a test setup, but it still doesn't work.
<pfsense><version>7.6</version>
<lastchange><theme>pfsense_ng</theme>
<sysctl><tunable>debug.pfftpproxy</tunable>
<value>default</value>
<tunable>vfs.read_max</tunable>
<value>default</value>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
<tunable>net.inet.ip.fastforwarding</tunable>
<value>default</value>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
<tunable>kern.rndtest.verbose</tunable>
<value>default</value>
<tunable>kern.randompid</tunable>
<value>default</value>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
<tunable>net.inet.tcp.inflight.enable</tunable>
<value>default</value>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value></sysctl>
<system><optimization>normal</optimization>
<hostname>pfsense</hostname>
<domain>localdomain</domain>
<group><name>all</name><scope>system</scope>
<gid>1998</gid>
<member>0</member></group>
<group><name>admins</name><scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv></group>
<user><name>admin</name><scope>system</scope>
<groupname>admins</groupname>
<password>xxxx</password>
<uid>0</uid>
<priv>user-shell-access</priv></user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Europe/Copenhagen</timezone>
<time-update-interval><timeservers>dk.pool.ntp.org</timeservers>
<webgui><protocol>http</protocol>
<ssl-certref>xxx</ssl-certref></webgui>
<maximumstates><maximumtableentries><enablebinatreflection>yes</enablebinatreflection>
<reflectiontimeout><dnsserver>8.8.8.8</dnsserver>
<dnsserver>208.67.222.222</dnsserver>
<dnsserver>195.67.199.39</dnsserver>
<dnsserver>195.67.199.40</dnsserver>
<dnsallowoverride><firmware><allowinvalidsig></allowinvalidsig></firmware>
<gitsync><branch></branch></gitsync></dnsallowoverride></reflectiontimeout></maximumtableentries></maximumstates></time-update-interval></system>
<interfaces><wan><enable><if>em0</if>
<blockpriv><blockbogons><media><mediaopt><spoofmac><ipaddr>xxx.xxx.201.114</ipaddr>
<subnet>28</subnet>
<gateway>Telia</gateway></spoofmac></mediaopt></media></blockbogons></blockpriv></enable></wan>
<lan><enable><if>em1</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>16</subnet>
<media><mediaopt></mediaopt></media></enable></lan>
<opt1><if>em2</if><enable><spoofmac><ipaddr>192.168.10.1</ipaddr>
<subnet>24</subnet></spoofmac></enable></opt1></interfaces>
<staticroutes><dhcpd><lan><range><from>192.168.1.100</from>
<to>192.168.1.199</to></range></lan></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd>
<dnsmasq><enable><domainoverrides><domain>netxxxxxx.dk</domain>
<ip>192.168.1.1</ip></domainoverrides></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat></ipv6nat></diag>
<bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru>
<rule><source>
<any><port>25</port><destination><network>wanip</network>
<port>25</port></destination>
<protocol>tcp</protocol>
<target>ISA</target>
<local-port>25</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id></descr></any></rule>
<rule><source>
<any><port>80</port><destination><network>wanip</network>
<port>80</port></destination>
<protocol>tcp</protocol>
<target>ISA</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr><associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id></descr></any></rule></nat>
<filter><rule><source>
<any><port>25</port><interface>wan</interface>
<protocol>tcp</protocol>
<destination><address>ISA</address><port>25</port></destination>
<associated-rule-id>nat_4d6f7924b70f14.73209842</associated-rule-id></any></rule>
<rule><source>
<any><port>80</port><interface>wan</interface>
<protocol>tcp</protocol>
<destination><address>ISA</address><port>80</port></destination>
<associated-rule-id>nat_4d6f795e7b5fa4.72362536</associated-rule-id></any></rule>
<rule><id><type>block</type>
<interface>wan</interface>
<tag><tagged><max><max-src-nodes><max-src-conn><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-conn></max-src-nodes></max></tagged></tag></id></rule>
<rule><type>pass</type><interface>lan</interface>
<source>
<network>lan</network><destination><any></any></destination></rule></filter>
<shaper><ipsec><preferoldsa></preferoldsa></ipsec>
<aliases><alias><name>ISA</name><address>192.168.1.50</address>
<descr><type>host</type>
<detail></detail></descr></alias></aliases>
<proxyarp><cron><minute>0</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
<minute>1,31</minute>
<hour>0-5</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
<minute>1</minute>
<hour>1</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
<minute>30</minute>
<hour>12</hour>
<mday></mday>
<month></month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_urltables</command></cron>
<wol><rrd><enable></enable></rrd>
<load_balancer><monitor_type><name>ICMP</name>
<type>icmp</type></monitor_type>
<monitor_type><name>TCP</name>
<type>tcp</type></monitor_type>
<monitor_type><name>HTTP</name>
<type>http</type><options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>HTTPS</name>
<type>https</type><options><path>/</path>
<host>200</host></options></monitor_type>
<monitor_type><name>SMTP</name>
<type>send</type><options><send>EHLO nosuchhost</send>
<expect>250-</expect></options></monitor_type></load_balancer>
<widgets><sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence></widgets>
<revision><time>1299152187</time><username>admin</username></revision>
<openvpn><l7shaper><container></container></l7shaper>
<dnshaper><cert><refid>4d6f3f19cede8</refid><crt>xxx</crt>
<prv>xxx</prv></cert>
<ppps><gateways><gateway_item><interface>wan</interface>
<gateway>xx.xxx.201.113</gateway>
<name>Telia</name>
<weight>1</weight>
<descr><defaultgw></defaultgw></descr></gateway_item></gateways></ppps></dnshaper></openvpn></wol></proxyarp></shaper></syslog></bridge></staticroutes></lastchange></pfsense>
-
I may not be interpreting your config.xml correctly but it looks to me that you have configured your port forwarding rules incorrectly. For example, the rule for SMTP port forwarding apparently says source port=25 and destination port=25. It is very unlikely that an access attempt to your SMTP server will come from port 25. Sure, it will be headed for destination port 25. I think you should have a source port of Any (* in the web GUI). I didn't look at your other port forwarding rules.
-
Works fine in 1.2.3. And has been all the time.
-
External port must be any. Never does a server connect from its port 25 to port 25…
-
Not even if you relay to somewhere else?
-
A connection always comes from a port >1023 to the destination service port like 80 or 25…
-
My ISP provides a relay on the test setup on port 25… works like a charm.
-
It looks to me that your port forwarding rule for SMTP will match only packets arriving on the WAN interface if the source port is 25 and destination port is 25.
I think you should look closely at your firewall logs to see how many access attempts to your SMTP server come from port 25.
My SMTP port forwarding rule specifies source port=any destination port=25. My rule works. Your rule is more restrictive than mine and doesn't work.
Repeat above (with appropriate port number changes) for every port forward in which you have specified source port = destination port.
-
I have no issues at all with mail…. :) I do understand what you mean, but it works fine.
-
Wow, that is surprising that 1.2.3 works with those port forwards. I noticed your RDP ports, and wanted to let you know you can change Windows' default RDP port through the registry. Though you're achieving the same effect by using NAT, which is pretty cool :-)
So your ISP is doing NAT for you. Does that mean that when it sees a packet with a destination port 25 (or whatever), it relays/forwards it to you from port 25, making the source 25? That's a bit interesting.
-
I am only forwarding the ports… the rules are source port range: any. :)
Sorry for my mistake...
-
Well, but if you wanna use NAT reflection from a client, that client will most certainly establish the connection from a high port to port 25, so you need to have "any" on your source port… just try that...
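The two configuration mistakes raised in this thread, a port forward whose source port is pinned to the service port instead of "any", and an external address of "any" instead of the interface address, can be checked mechanically before the rules go live. The script below is an added example and is not pfSense code or the poster's config; it parses a constructed config.xml fragment with the same nat/rule layout as the posted one (source/port, destination/network or any, destination/port, target, interface) and reports every port forward that would not match an ordinary client connection, which arrives from an ephemeral source port above 1023.

```python
"""Lint pfSense-style port forwards (nat/rule entries in config.xml) for the
two mistakes discussed in the thread. Added example; the sample config is
constructed and the element layout is assumed from the posted config."""
import xml.etree.ElementTree as ET

# Constructed sample: rule "SMTP" pins the source port to 25 (the problem
# rule from the thread), "HTTP" is the normal shape, "RDP" uses an external
# address of any instead of the interface address.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <source><any/><port>25</port></source>
      <destination><network>wanip</network><port>25</port></destination>
      <protocol>tcp</protocol>
      <target>ISA</target>
      <local-port>25</local-port>
      <interface>wan</interface>
      <descr>SMTP</descr>
    </rule>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <protocol>tcp</protocol>
      <target>ISA</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr>HTTP</descr>
    </rule>
    <rule>
      <source><any/></source>
      <destination><any/><port>3389</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.60</target>
      <local-port>3389</local-port>
      <interface>wan</interface>
      <descr>RDP</descr>
    </rule>
  </nat>
</pfsense>
"""


def _text(elem, path):
    """Stripped text of a child element, or None if the child is absent or empty."""
    child = elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def lint_port_forwards(config_xml):
    """Return (rule description, problem) tuples for NAT rules that will not
    match real client traffic. An empty list means no issues were found."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.findall("./nat/rule"):
        descr = _text(rule, "descr") or "(no descr)"
        src_port = _text(rule, "source/port")
        dst_port = _text(rule, "destination/port")
        # Clients connect from an ephemeral port (>1023) to the service port,
        # so a rule that pins the source port never sees a matching packet.
        if src_port is not None:
            findings.append((descr, f"source port restricted to {src_port}; "
                                    f"should be any (destination port {dst_port})"))
        # The external address of a port forward must be a concrete address
        # (interface address / wanip), not any.
        if rule.find("destination/any") is not None:
            findings.append((descr, "destination (external address) is any"))
    return findings


if __name__ == "__main__":
    for descr, problem in lint_port_forwards(SAMPLE_CONFIG):
        print(f"{descr}: {problem}")
```

Run it against a real config.xml by reading the file into `lint_port_forwards`; the expected finding on the posted config is exactly the SMTP case, a source port of 25 that should be any.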