    Firewall pin hole question

2.0-RC Snapshot Feedback and Problems - RETIRED

tommyboy180

I have a server behind pfSense that I created a pinhole for in 1.2.3 before I upgraded.
      Version built on Tue Mar 15 08:53:58 EDT 2011

Here is what one of my pinhole configs looked like:

```xml
<rule>
	<protocol>tcp</protocol>
	<target>192.168.1.115</target>
	<local-port>22</local-port>
	<interface>wan</interface>
	<source>
		<any/>
		<port/>
	</source>
	<destination>
		<port>222</port>
		<network>wanip</network>
	</destination>
</rule>
```
      

The above code is for an SSH server running on port 22, but the WAN accepts TCP packets on port 222. This is from 1.2.3 and is now in my 2.0 config.

      I tried the same thing for another server. Note this is a new rule created within 2.0.

```xml
<rule>
	<source>
		<any/>
	</source>
	<destination>
		<network>wanip</network>
		<port>8080</port>
	</destination>
	<protocol>tcp</protocol>
	<target>192.168.1.102</target>
	<local-port>4040</local-port>
	<interface>wan</interface>
	<associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
</rule>
```
      

The 2.0 rule for server 1.102 is not working correctly. The server runs on 4040, but the WAN accepts TCP packets from port 8080. Why isn't this working?

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

tommyboy180

Okay, I attempted to modify the config manually to correct the problem.

I changed the NAT entry for 1.102 like so:

Original:

```xml
<rule>
	<source>
		<any/>
	</source>
	<destination>
		<network>wanip</network>
		<port>8080</port>
	</destination>
	<protocol>tcp</protocol>
	<target>192.168.1.102</target>
	<local-port>4040</local-port>
	<interface>wan</interface>
	<associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
</rule>
```

To modified:

```xml
<rule>
	<protocol>tcp</protocol>
	<target>192.168.1.102</target>
	<local-port>4040</local-port>
	<interface>wan</interface>
	<source>
		<any/>
		<port/>
	</source>
	<destination>
		<port>8080</port>
		<network>wanip</network>
	</destination>
	<associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
</rule>
```

Now the firewall entries.

Original:

```xml
<rule>
	<source>
		<any/>
	</source>
	<interface>wan</interface>
	<protocol>tcp</protocol>
	<destination>
		<address>192.168.1.102</address>
		<port>4040</port>
	</destination>
	<associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
</rule>
```

To modified:

```xml
<rule>
	<type>pass</type>
	<interface>wan</interface>
	<max-src-nodes/>
	<max-src-states/>
	<statetimeout/>
	<statetype>keep state</statetype>
	<os/>
	<protocol>tcp</protocol>
	<source>
		<any/>
	</source>
	<destination>
		<address>192.168.1.102</address>
		<port>4040</port>
	</destination>
	<associated-rule-id>nat_4d815dd0cb6bd4.83257174</associated-rule-id>
</rule>
```


        And now it works! Really why??

-Tom Schaefer

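The two posts above show a port forward whose linked filter rule did not pass traffic until `<type>pass</type>` (and the state fields) were added by hand. As an added example, not code from this thread or from pfSense itself, the Python script below cross-checks pfSense 2.x config.xml port forwards against the filter rule each `<associated-rule-id>` points to and reports exactly that kind of mismatch: a linked filter rule without `<type>pass</type>`, or one whose interface, protocol or destination does not match the NAT rule's interface, protocol, target and local-port. The embedded config is a constructed fragment modelled on the rules in the posts; the ids `nat_example_ssh` and `nat_example_web` are made up, and only the standard library is used.

```python
"""Cross-check pfSense 2.x config.xml port forwards against their filter rules.

Added example, not code from this thread or from pfSense. Each <nat><rule>
is followed via <associated-rule-id> to the <filter><rule> carrying the same
id, and differences of the kind seen in the posts are reported.
"""
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the posts. The ids nat_example_ssh and
# nat_example_web are made up. Pair 1 has the shape the author reported as
# working; pair 2 has the shape that did not (filter rule without <type>).
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <protocol>tcp</protocol>
      <target>192.168.1.115</target>
      <local-port>22</local-port>
      <interface>wan</interface>
      <source><any/></source>
      <destination><port>222</port><network>wanip</network></destination>
      <associated-rule-id>nat_example_ssh</associated-rule-id>
    </rule>
    <rule>
      <source><any/></source>
      <destination><network>wanip</network><port>8080</port></destination>
      <protocol>tcp</protocol>
      <target>192.168.1.102</target>
      <local-port>4040</local-port>
      <interface>wan</interface>
      <associated-rule-id>nat_example_web</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <statetype>keep state</statetype>
      <protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.115</address><port>22</port></destination>
      <associated-rule-id>nat_example_ssh</associated-rule-id>
    </rule>
    <rule>
      <source><any/></source>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <destination><address>192.168.1.102</address><port>4040</port></destination>
      <associated-rule-id>nat_example_web</associated-rule-id>
    </rule>
  </filter>
</pfsense>
"""


def _text(elem, path):
    """Stripped text of the first child matched by `path`, or None if absent/empty."""
    child = elem.find(path)
    if child is None or child.text is None:
        return None
    return child.text.strip() or None


def check_port_forwards(config_xml):
    """Return [(label, finding), ...] across all NAT rules; an empty list means clean."""
    root = ET.fromstring(config_xml)

    # Index filter rules by the id that links them to a port forward.
    linked_filters = {}
    for frule in root.iterfind("./filter/rule"):
        rid = _text(frule, "associated-rule-id")
        if rid:
            linked_filters.setdefault(rid, []).append(frule)

    findings = []
    for nrule in root.iterfind("./nat/rule"):
        target = _text(nrule, "target")
        local_port = _text(nrule, "local-port")
        label = f"{target}:{local_port}"

        # 2.x keeps the external side under <destination> (network/address +
        # port) and the match-all source as an empty <any> under <source>.
        src = nrule.find("source")
        if src is None or all(src.find(t) is None for t in ("any", "network", "address")):
            findings.append((label, "nat rule <source> names no any/network/address"))
        if _text(nrule, "destination/port") is None:
            findings.append((label, "nat rule has no <destination><port>"))
        if _text(nrule, "destination/network") is None and _text(nrule, "destination/address") is None:
            findings.append((label, "nat rule <destination> names no network/address"))

        rid = _text(nrule, "associated-rule-id")
        if rid is None:
            findings.append((label, "no <associated-rule-id>, so no filter rule is linked"))
            continue
        linked = linked_filters.get(rid, [])
        if len(linked) != 1:
            findings.append((label, f"expected one filter rule with id {rid}, found {len(linked)}"))
            continue

        # The linked filter rule must admit exactly the post-NAT traffic:
        # an explicit pass, same interface and protocol, destination = target:local-port.
        frule = linked[0]
        if _text(frule, "type") != "pass":
            findings.append((label, "linked filter rule lacks <type>pass</type>"))
        expected = {
            "interface": _text(nrule, "interface"),
            "protocol": _text(nrule, "protocol"),
            "destination/address": target,
            "destination/port": local_port,
        }
        for path, want in expected.items():
            got = _text(frule, path)
            if got != want:
                findings.append((label, f"linked filter rule {path}={got!r}, expected {want!r}"))
    return findings


if __name__ == "__main__":
    for label, finding in check_port_forwards(SAMPLE_CONFIG):
        print(f"{label}: {finding}")
```

Run against a real config.xml (`check_port_forwards(open("config.xml").read())`) after a version upgrade or a manual edit, before trusting a port forward; the check is deliberately strict about the filter side, since a forward whose filter rule does not explicitly pass is either dead or relying on whatever default the rule generator applies.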
tommyboy180

Now my PPTP VPN is working again, just because I manually modified the config to match the 1.2.3 legacy rules.

Why does 2.0 create those XML rules in a way that breaks the firewall pinhole and other things like PPTP? What can I do to correct this for other firewall pinholes that I will create in the future without manually editing the config.xml?

-Tom Schaefer

tommyboy180

I was hoping someone could tell me if they are experiencing the problem, or maybe someone could shed some light on the issue. Thoughts?

-Tom Schaefer

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.