Netgate Discussion Forum

    "Default deny rule" blocks incoming connections on OPT

    Firewalling
    2 Posts 2 Posters 2.3k Views
    • eherrera

      So, here is the whole thing. I'm trying to NAT the incoming connections on OPT:22 (WAN) to 192.168.1.101:22 on the LAN side, so I created the NAT rule this way:

      Interface:            WAN2 (OPT1)
      Protocol:             TCP
      Destination.Type:     Single Host or Alias
      Destination.Address:  10.10.10.100 (The IP address on WAN2)
      Destination port [from]: SSH
      Destination port [to]:   SSH
      Redirect Target IP:   192.168.1.101
      Redirect Target port: SSH
      NAT reflection:       Use system default
      Filter rule association: Rule NAT

      Anyway, when I try to connect from a host on the WAN2 side I get this in the firewall log:

      Act   Time            If   Source             Destination       Proto
      block Jun 6 21:41:46 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:47 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:48 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:50 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:51 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:52 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
      block Jun 6 21:41:54 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S

      In all of them the debug information is the same:

      The rule that triggered this action is:
      @1 scrub in on le2 all fragment reassemble
      @1 block drop in log all label "Default deny rule"

      So I decided to use a little brute force and create this floating rule:

      Action:    Pass
      Quick:     TRUE
      Interface: LAN,WAN2
      Direction: Any
      Protocol:  Any
      Source:    Any
      Destination: Any

      The problem keeps going: I can't connect via SSH to 192.168.1.101, nor ping 10.10.10.100, or even access http (the pfSense webConfigurator) on 10.10.10.100. The blocking reason is always the same:

      The rule that triggered this action is:
      @1 scrub in on le2 all fragment reassemble
      @1 block drop in log all label "Default deny rule"

      I'm using pfSense 2.0.1 under VMware, and I can perfectly browse the internet from 192.168.1.101.

      What am I doing wrong?

      • Efonnes

        Something is wrong with your port forward, because you should be seeing 192.168.1.101 as the destination in the firewall log if it is logged, not 10.10.10.100. Typically this means your rule does not match the connections. Did you specify a source port? If so, clear it.

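The diagnostic Efonnes describes (a port forward that matched rewrites the destination before filtering, so a logged block should show the internal target, not the WAN address) can be checked mechanically against the firewall log. The script below is an added example written for this thread, not code from pfSense or from either poster; it parses log lines in the column layout shown in the first post and reports whether blocked packets on the forwarded port still carry the untranslated WAN address. The sample log text, the `WORKING_LOG` contrast sample, and the function names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the "Act Time If Source Destination Proto" layout from the post,
# e.g. "block Jun 6 21:41:46 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S".
LOG_RE = re.compile(
    r"^(?P<act>block|pass|reject)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class LogEntry:
    action: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for headers or unrecognised lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        action=m["act"], iface=m["iface"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"],
    )


def parse_log(text: str) -> list:
    """Parse a block of log text, silently skipping header and blank lines."""
    entries = [parse_line(l) for l in text.splitlines()]
    return [e for e in entries if e is not None]


def diagnose_forward(entries, wan_iface: str, wan_ip: str,
                     port: int, target_ip: str) -> dict:
    """Classify traffic to the forwarded port on the WAN interface.

    forward_not_matched: blocked packets still show the WAN address as
        destination, i.e. the rdr rule never rewrote them (Efonnes's case).
    forward_matched_but_filtered: destination was rewritten to the target
        but a filter rule still blocked it.
    forward_matched: rewritten and passed.
    """
    on_port = [e for e in entries if e.iface == wan_iface and e.dport == port]
    unrewritten = [e for e in on_port if e.dst == wan_ip and e.action != "pass"]
    rewritten = [e for e in on_port if e.dst == target_ip]
    # Count distinct client flows so TCP SYN retransmits are not overcounted.
    flows = {(e.src, e.sport) for e in unrewritten}

    if rewritten and all(e.action == "pass" for e in rewritten):
        verdict = "forward_matched"
    elif rewritten:
        verdict = "forward_matched_but_filtered"
    elif unrewritten:
        verdict = "forward_not_matched"
    else:
        verdict = "no_matching_traffic"
    return {
        "verdict": verdict,
        "unrewritten_packets": len(unrewritten),
        "unrewritten_flows": len(flows),
        "rewritten_packets": len(rewritten),
    }


# Constructed sample: the header plus the lines quoted in the first post.
SAMPLE_LOG = """\
Act Time If Source Destination Proto
block Jun 6 21:41:46 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:47 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:48 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:50 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:51 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:52 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
block Jun 6 21:41:54 WAN2 10.10.10.149:55208 10.10.10.100:22 TCP:S
"""

# Constructed contrast sample: what a working forward would log (if logging
# the pass rule), with the destination already rewritten to the LAN host.
WORKING_LOG = """\
pass Jun 6 21:50:01 WAN2 10.10.10.149:55310 192.168.1.101:22 TCP:S
"""

if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE_LOG), ("working forward", WORKING_LOG)):
        result = diagnose_forward(parse_log(text), "WAN2", "10.10.10.100", 22, "192.168.1.101")
        print(f"{name}: {result}")
```

Run against the posted log the verdict is `forward_not_matched`: every blocked packet still has 10.10.10.100:22 as its destination, which is the symptom Efonnes points to. A `forward_matched_but_filtered` verdict would instead indicate the rdr rule fired and the associated filter rule is the thing to inspect.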
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.