My firewall log shows my external IP, not the LAN destination?



  • Hi!
    I'm playing with my pfSense, but when I watch the firewall log, I can't see the local IP inside the LAN where the packets are trying to go.
    The IP addresses under "destination" are my external IP, not the local IP of the computer they are trying to connect to.

    How do I solve this?

    I've attached a picture.



  • The firewall log will never show the actual destination.
    It will only display what the destination of the packet it blocked was.

    I guess what you are looking for is the state table (Diagnostics -> States).
    However, in the state table you only see active states -> traffic which is allowed and thus won't show up as blocked in the firewall log.



  • Well..
    I'm trying to find out which ports my IP telephone is using. Some years ago I knew that, and it worked. But now I don't remember the ports, and it does not work. I've tried to set up a NAT rule with port range 2-65535 TCP/UDP, but it didn't work either.



  • Where is your IP telephone in your setup?
    You could look at a frame capture on the network where your telephone is and see in the frames directly which port it's using.



  • Hi!
    My setup (I hope you can understand this drawing.)
    And I'm sorry, I don't understand what you mean by "frame capture"?




  • With packet capture I was referring to Wireshark or tcpdump (which is already available in the GUI of pfSense).

    Just enable the packet capture on the interface on which your IP phones are, capture for a while and then look at the capture.
    You should see the frames from your phones and see where they communicated to/from.
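    One way to turn such a capture into a port list, as an added example that is not part of the original thread: a small Python parser that reads "tcpdump -n" style lines, collects the remote ports a phone talks to, and flags inbound packets to local ports the phone never used outbound first (the unsolicited traffic a NAT port forward would have to cover). The addresses and capture lines are constructed for the example.

    ```python
    import re

    # Constructed "tcpdump -n" style lines; 192.168.1.50 is the hypothetical phone.
    SAMPLE_CAPTURE = """\
    12:00:01.000001 IP 192.168.1.50.5060 > 203.0.113.10.5060: SIP, length 512
    12:00:01.050000 IP 203.0.113.10.5060 > 192.168.1.50.5060: SIP, length 300
    12:00:05.000000 IP 192.168.1.50.10000 > 203.0.113.10.20002: UDP, length 172
    12:00:05.020000 IP 203.0.113.10.20002 > 192.168.1.50.10000: UDP, length 172
    12:00:09.000000 IP 192.168.1.50.49152 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
    12:00:09.010000 IP 203.0.113.10.443 > 192.168.1.50.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
    12:00:10.000000 IP 192.168.1.20.54321 > 198.51.100.7.80: Flags [S], seq 3, win 64240, length 0
    12:00:12.000000 IP 203.0.113.10.20004 > 192.168.1.50.10002: UDP, length 172
    """

    # Matches "IP src.sport > dst.dport: rest" as printed by tcpdump for IPv4.
    LINE_RE = re.compile(
        r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
        r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
    )


    def guess_proto(rest):
        # tcpdump prints TCP segments with "Flags [...]"; anything else here is UDP
        # (plain "UDP" or an application decoder such as "SIP" over UDP).
        return "tcp" if rest.startswith("Flags [") else "udp"


    def summarize_phone_ports(capture_text, phone_ip):
        """Return remote ports the phone connects to, local ports that receive
        traffic, and the subset of those that were never used outbound first."""
        outbound = set()      # (proto, remote port) the phone sends to
        inbound = set()       # (proto, local port) that receives packets
        unsolicited = set()   # inbound local ports with no prior outbound use
        local_used = set()    # (proto, local port) already seen as a source port
        for line in capture_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            proto = guess_proto(m["rest"])
            if m["src"] == phone_ip:
                outbound.add((proto, int(m["dport"])))
                local_used.add((proto, int(m["sport"])))
            elif m["dst"] == phone_ip:
                key = (proto, int(m["dport"]))
                inbound.add(key)
                if key not in local_used:
                    unsolicited.add(key)
        return {"outbound": outbound, "inbound": inbound, "unsolicited": unsolicited}


    if __name__ == "__main__":
        for kind, ports in summarize_phone_ports(SAMPLE_CAPTURE, "192.168.1.50").items():
            print(kind, sorted(ports))
    ```

    Traffic from other LAN hosts is ignored, so run it on a capture filtered to the phone (tcpdump's "host" filter) or on the whole LAN capture as shown.
    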



  • Alternatively, you could search for documentation/user manual using the IP phone model number as your query. Also, if you know the IP of the device and want to do a direct port scan, use nmap or Zenmap (nmap with GUI) to directly scan the device for open ports. Don't most IP phones have HTTP config interfaces these days?



  • Your logs make sense because you haven't forwarded any ports in the NAT, so it'll never give the local IP because you aren't forwarding them. From the outside a packet only knows your external IP; when it arrives at your firewall, it is up to your firewall to decide where it goes. If the connection was initiated from outside the network, then your firewall will look at your NAT; if there's nothing there, then the firewall thinks the packet is meant for itself (your public IP).

    The best way to find out the ports you need is to use something to monitor connection attempts.
    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx works really well. If you have Windows 7 you can go to Task Manager > Performance > Resource Monitor > Network and look at Listening Ports to see what services are listening on what ports.

