NAT Forward port 80/443, not working. Resulting in TCP RST.



  • Hi,

    I've been having some issues with forwarding port 80 & 443. Other forwards work very well but not 80 / 443.

    I tried system->advanced and setting the webGUI port to 81. This didn't help.

    I also collected some wireshark and pfctl -s rules debug.

    Does anyone have any suggestions or experienced the same issues? Thanks guys!

    wireshark: (wan-ip=85.24.188.63)

    192.168.43.79 > 85.24.188.63   TCP   http [SYN]       - Src Port: 13773 (13773), Dst Port: http (80), Seq: 0, Len: 0
    85.24.188.63  > 192.168.43.79  TCP   http [SYN, ACK]  - Src Port: http (80), Dst Port: 13773 (13773), Seq: 0, Ack: 1, Len: 0
    192.168.43.79 > 85.24.188.63   TCP   http [ACK]       - Src Port: 13773 (13773), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
    192.168.43.79 > 85.24.188.63   HTTP  GET / HTTP/1.1
    85.24.188.63  > 192.168.43.79  TCP   http [RST, ACK]  - Src Port: http (80), Dst Port: 13773 (13773), Seq: 1, Ack: 341, Len: 0

    pfctl -s rules:

    scrub in on igb1 all fragment reassemble
    scrub in on igb0 all fragment reassemble
    anchor "relayd/" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = hosts2-ns label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in log quick on igb1 from <bogons> to any label "block bogon networks from WAN"
    block drop in on ! igb1 inet from 85.24.188.0/23 to any
    block drop in inet from 85.24.188.63 to any
    block drop in on igb1 inet6 from fe80::92e2:baff:fe05:639b to any
    block drop in log quick on igb1 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in log quick on igb1 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on igb1 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in log quick on igb1 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    pass in on igb1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
    pass out on igb1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
    block drop in on ! igb0 inet from 192.168.1.0/24 to any
    block drop in inet from 192.168.1.1 to any
    block drop in on igb0 inet6 from fe80::92e2:baff:fe05:639a to any
    pass in quick on igb0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on igb0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on igb0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (igb1 85.24.188.1) inet from 85.24.188.63 to ! 85.24.188.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    anchor "userrules/*" all
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = ssh flags S/SA keep state label "USER_RULE: NAT server: ssh"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 8887 flags S/SA keep state label "USER_RULE: NAT server: i2p"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 8887 keep state label "USER_RULE: NAT server: i2p"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 9001 flags S/SA keep state label "USER_RULE: NAT server: tor"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 9001 keep state label "USER_RULE: NAT server: tor"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 9030 flags S/SA keep state label "USER_RULE: NAT server: tor"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 9030 keep state label "USER_RULE: NAT server: tor"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.100 port = 7887 flags S/SA keep state label "USER_RULE: NAT x79: i2p"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.100 port = 7887 keep state label "USER_RULE: NAT x79: i2p"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
    pass in quick on igb0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.1 port = http flags S/SA keep state label "USER_RULE: NAT "
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: NAT h"
    pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = https flags S/SA keep state label "USER_RULE: NAT h"
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all
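A triage helper added here as an example, not code from the post or from pfSense: it replays a capture summary like the one above and tells apart a SYN that is silently dropped, a SYN that is refused outright, and, as in this trace, a handshake that completes before the far end resets the request. The trace text is a constructed copy of the post's capture; the verdict names are my own.

```python
import re

# Constructed sample mirroring the capture quoted in the post (a text summary, not a pcap).
TRACE = """\
192.168.43.79 > 85.24.188.63 TCP http [SYN] - Src Port: 13773, Dst Port: http (80), Seq: 0, Len: 0
85.24.188.63 > 192.168.43.79 TCP http [SYN, ACK] - Src Port: http (80), Dst Port: 13773, Seq: 0, Ack: 1, Len: 0
192.168.43.79 > 85.24.188.63 TCP http [ACK] - Src Port: 13773, Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
192.168.43.79 > 85.24.188.63 HTTP GET / HTTP/1.1
85.24.188.63 > 192.168.43.79 TCP http [RST, ACK] - Src Port: http (80), Dst Port: 13773, Seq: 1, Ack: 341, Len: 0
"""

HEAD_RE = re.compile(r"^(\S+)\s+>\s+(\S+)\s+(\w+)")   # "src > dst proto"
FLAGS_RE = re.compile(r"\[([^\]]*)\]")                # "[SYN, ACK]"

def classify(trace: str) -> dict:
    """Replay a single-flow text trace and name where the connection died."""
    server = None
    synack = handshake = client_data = rst = rst_after_data = False
    for raw in trace.splitlines():
        m = HEAD_RE.match(raw.strip())
        if not m:
            continue
        src, dst, proto = m.groups()
        fm = FLAGS_RE.search(raw)
        flags = {f.strip() for f in fm.group(1).split(",")} if fm else set()
        server = server or dst                 # first packet fixes direction
        from_server = src == server
        if from_server and {"SYN", "ACK"} <= flags:
            synack = True                      # server answered the SYN
        elif not from_server and synack and flags == {"ACK"}:
            handshake = True                   # three-way handshake complete
        elif not from_server and proto != "TCP":
            client_data = True                 # dissector line such as "HTTP GET /"
        elif from_server and "RST" in flags:
            rst, rst_after_data = True, client_data
    if handshake and not rst:
        verdict = "ok"
    elif not synack and not rst:
        verdict = "syn_unanswered"       # dropped by a filter rule, or target unreachable
    elif rst and not synack:
        verdict = "refused_on_syn"       # nothing listening where the SYN landed
    elif rst_after_data:
        verdict = "reset_after_request"  # TCP accepted, request rejected: find out who answered
    else:
        verdict = "reset_during_handshake"
    return {"verdict": verdict, "handshake": handshake, "client_data": client_data}
```

A "reset_after_request" verdict means some host completed the handshake on port 80, so the next question is whether that host was the NAT target or the firewall's own listener, which a packet capture on the LAN side of the forward would settle.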