Port forwarding not (always) working in VM



  • Hello

    Current networking setup:

    (external IP)Modem/router(192.168.0.0/24) ==> Server(with pfSense VM in VirtualBox(internal network 192.168.123.0/24) ==> Switch ==> LAN HOSTS

    The Modem/Router has the WAN IP of the pfSense Router in it's DMZ so all traffic is forwarded to the pfSense Router.

    At the moment I've got pfSense version RC1 (also tried latest version same problem) running in VirtualBox on my server. This server has 2 NICs (eth0 (LAN) and eth1 (connected to modem/router)).

    nic1 to bridge eth0 (192.168.123.10) ==> becomes em0 in pfSense (virtual IP: 192.168.2.1)
    nic2 to bridge eth1 (192.168.0.114) ==> becomes em1 in pfSense (virtual IP: 192.168.0.107)

    I'm using the nictype "Intel PRO/1000 MT Desktop (82540EM)" in pfsense it's recognized as "Intel PRO/1000 Legacy Network Adapter 1.0.3 not that this is important cause I also tried other virtual nics.

    Current NAT Port Forward rule and associated rule:

    As you can see I want to redirect port 50122 to port 80 and sent this to 192.168.123.10 (server IP interface: eth0)

    I then used a port checker tool on the internet to see if it's working. In the system logs of pfSense I can see that the redirection is a success. (I checked the port 3 times, that's why you see 3 lines)

    So I check the logs on my server to see if I can find the corresponding packets. On my server I've got ufw running which HAS NOT got port 80 ALLOWED. I did this on purpose, because this way I can check the ufw logs if the packet is there. However when I check my log file I can't find a rule. Which means the packet never even arrived!

    As you can see I filtered on DPT=80 and the corresponding packet isn't there.

    Does anyone know a solution that port forwarding is actually working on a VM??!!

    Thanks!

    Grtz

    edit: bridging the modem/router is NOT an option since it belongs to the ISP and I can't access that option.



  • I think using tcpdump is a better way see if the packet is getting to the server. You can also run tcpdump from the pfSense GUI also so that you can check packet passage on the FW.



  • Ok this is what I've done. I enabled port 80 on the server: command: sudo ufw allow from any to any port 80.

    Next I've simulated the packet with tcpdump on the pfSense and the server as you asked me to.

    TCPDump pfSense:

    TCPDump Server:

    Error message port checker www.canyouseeme.org (8.23.224.110)

    I'm running apache2 on the server and 192.168.2.100 is the client I used to check the port.

    Looks like the packet is actually arriving on the server, but why doesn't it see my open port? Sometimes when I reboot the server and VM it works, but the next time I boot it doesn't anymore.

    Thanks for helping me.

    Grtz



  • I think there's something wrong with the local server or with the bridging of the interface. I just tested a client machine on my LAN and port forwarding is working without any problems. I guess I have to reinstall my complete server then to test if it works then… damn... :(. It's so strange because when I open ports on my server and check inside my local LAN then there's no problem at all. I think it's the bridging that is causing the problem?

    Does anyone have the same setup like me and does it work for you?

    Thanks

    Grtz



  • I am still a little unsure of your setup. I get that you are running this on virtual box, which is okay, but imo virtual box networking is somewhat lacking and needs work. Don't get me wrong, I loves me some virtual box. I use it as part of a desktop replacement machine. Also, on your server, turn off the local firewall and see if that is causing you grief.



  • Do you think so? Maybe you have a better setup like me then, can you tell me what I could change. I wanted a server + router, that's why I virtualized pfsense. Also this way it's also a bit more seperated.

    Btw, already tried to turn off ufw, but that's giving me the same error. Sometimes open and most of the time closed.

    Thanks for the reply.


  • Rebel Alliance Global Moderator

    You know I tried this quite some time ago, and was not working on vmware 2.0 server - forwards would not work to devices that were using a bridged interface on the HOST machine.  But to other physical devices in the network it would work.

    I gave up, since fowarding to other virtual machines is a requirement for me.

    Now I have moved away from vmware 2.0 server, hardware is not capable of running esxi – and I know virtual box has recently enabled promiscuous option.  So I might have to re attempt this..

    Here was my old thread
    http://forum.pfsense.org/index.php/topic,27599.0.html


Locked