Netgate Discussion Forum
    NAT Forward port 80/443, not working. Resulting in TCP RST.

    hottuna

      Hi,

      I've been having some issues with forwarding port 80 & 443. Other forwards work very well but not 80 / 443.

      I tried system->advanced and setting the webGUI port to 81. This didn't help.

      I also collected some Wireshark and pfctl -s rules debug output.

      Does anyone have any suggestions or experienced the same issues? Thanks guys!

      wireshark:  (wan-ip=85.24.188.63)

      192.168.43.79  >  85.24.188.63      TCP    http  [SYN]           -   Src Port: 13773 (13773), Dst Port: http (80), Seq: 0, Len: 0
      85.24.188.63    >  192.168.43.79    TCP    http  [SYN, ACK]   -   Src Port: http (80), Dst Port: 13773 (13773), Seq: 0, Ack: 1, Len: 0
      192.168.43.79  >  85.24.188.63      TCP    http [ACK]            -    Src Port: 13773 (13773), Dst Port: http (80), Seq: 1, Ack: 1, Len: 0
      192.168.43.79  >  85.24.188.63      HTTP  GET / HTTP/1.1
      85.24.188.63    >  192.168.43.79    TCP    http [RST, ACK]    -   Src Port: http (80), Dst Port: 13773 (13773), Seq: 1, Ack: 341, Len: 0

      pfctl -s rules:

      scrub in on igb1 all fragment reassemble
      scrub in on igb0 all fragment reassemble
      anchor "relayd/" all
      block drop in log all label "Default deny rule"
      block drop out log all label "Default deny rule"
      block drop quick proto tcp from any port = 0 to any
      block drop quick proto tcp from any to any port = 0
      block drop quick proto udp from any port = 0 to any
      block drop quick proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = hosts2-ns label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in log quick on igb1 from <bogons> to any label "block bogon networks from WAN"
      block drop in on ! igb1 inet from 85.24.188.0/23 to any
      block drop in inet from 85.24.188.63 to any
      block drop in on igb1 inet6 from fe80::92e2:baff:fe05:639b to any
      block drop in log quick on igb1 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
      block drop in log quick on igb1 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
      block drop in log quick on igb1 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
      block drop in log quick on igb1 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
      pass in on igb1 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      pass out on igb1 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      block drop in on ! igb0 inet from 192.168.1.0/24 to any
      block drop in inet from 192.168.1.1 to any
      block drop in on igb0 inet6 from fe80::92e2:baff:fe05:639a to any
      pass in quick on igb0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      pass in quick on igb0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
      pass out quick on igb0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      pass in on lo0 all flags S/SA keep state label "pass loopback"
      pass out on lo0 all flags S/SA keep state label "pass loopback"
      pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to (igb1 85.24.188.1) inet from 85.24.188.63 to ! 85.24.188.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      anchor "userrules/" all
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = ssh flags S/SA keep state label "USER_RULE: NAT server: ssh"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 8887 flags S/SA keep state label "USER_RULE: NAT server: i2p"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 8887 keep state label "USER_RULE: NAT server: i2p"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 9001 flags S/SA keep state label "USER_RULE: NAT server: tor"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 9001 keep state label "USER_RULE: NAT server: tor"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = 9030 flags S/SA keep state label "USER_RULE: NAT server: tor"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.250 port = 9030 keep state label "USER_RULE: NAT server: tor"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.100 port = 7887 flags S/SA keep state label "USER_RULE: NAT x79: i2p"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto udp from any to 192.168.1.100 port = 7887 keep state label "USER_RULE: NAT x79: i2p"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on igb0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.1 port = http flags S/SA keep state label "USER_RULE: NAT "
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: NAT h"
      pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = https flags S/SA keep state label "USER_RULE: NAT h"
      anchor "tftp-proxy/*" all
      anchor "miniupnpd" all

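An added rule-audit script, not part of the original post and not pfSense code: it parses the WAN-side `pass in` filter rules quoted above and flags any port whose rules point at more than one internal host (port 80 here is passed to both 192.168.1.1 and 192.168.1.99), as well as rules that duplicate an existing one (the Easy Rule and the NAT rule for 192.168.1.99:80). The sample rules are copied from the post; the post does not include `pfctl -s nat`, so the rdr rules themselves are not audited.

```python
import re
from collections import defaultdict

# Sample input: WAN-side pass rules copied from the pfctl -s rules output in the post above.
RULES = """\
pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.250 port = ssh flags S/SA keep state label "USER_RULE: NAT server: ssh"
pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on igb0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.1 port = http flags S/SA keep state label "USER_RULE: NAT "
pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = http flags S/SA keep state label "USER_RULE: NAT h"
pass in quick on igb1 reply-to (igb1 85.24.188.1) inet proto tcp from any to 192.168.1.99 port = https flags S/SA keep state label "USER_RULE: NAT h"
"""

# Matches a 'pass in' rule with a single destination host and port; rules without
# 'proto' (e.g. the LAN-to-any rule) are deliberately skipped.
RULE_RE = re.compile(
    r'^pass in quick on (?P<iface>\S+) .*?proto (?P<proto>tcp|udp) from any '
    r'to (?P<dst>[\d.]+) port = (?P<port>\S+) .*?label "(?P<label>[^"]*)"'
)

def parse_pass_rules(text):
    """Return a list of dicts (iface, proto, dst, port, label) for matching rules."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules

def find_port_conflicts(rules, wan_iface="igb1"):
    """Group WAN rules by (proto, port); return ports whose rules target more than one host."""
    targets = defaultdict(set)
    for r in rules:
        if r["iface"] == wan_iface:
            targets[(r["proto"], r["port"])].add(r["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) > 1}

def find_duplicate_rules(rules):
    """Return (proto, port, dst) tuples covered by more than one rule, with their labels."""
    counts = defaultdict(list)
    for r in rules:
        counts[(r["proto"], r["port"], r["dst"])].append(r["label"])
    return {k: v for k, v in counts.items() if len(v) > 1}

if __name__ == "__main__":
    parsed = parse_pass_rules(RULES)
    print("ports with multiple targets:", find_port_conflicts(parsed))
    print("duplicate rules:", find_duplicate_rules(parsed))
```

Run it against the full `pfctl -s rules` output (and repeat the same grouping over `pfctl -s nat`) to confirm which internal host actually receives the forwarded port 80 and 443 traffic.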
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.