2.1: NAT port forwarding problems (am i dumb or what?!)



  • First I must admit, I have been using pfsense only for a week or so. So… I am a pfsense-noob (used m0n0wall before). Second, I managed to get my internet connection up with my Huawei E372 3G-UMTS stick and pfsense 2.1 beta (2.0.1 and 2.0.2 did not work properly with my E372).

    Now I have a working internet connection, BUT I have trouble getting NAT up for my gtk-gnutella client. Of course I read http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F and http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting . Also I tried out different NAT-reflection settings. But no luck yet...  ???

    setup on my linux box:

    route -n

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.2.1     0.0.0.0         UG    2      0        0 eth0
    127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
    192.168.2.0     0.0.0.0         255.255.255.0   U     2      0        0 eth0

    IP of my pfsense box is 192.168.2.1
    IP of my linux box is 192.168.2.2 (static setup)
    gtk-gnutella is running on my 192.168.2.2 host on port 11201

    I created an alias "yea" for my 192.168.2.2 and used the following (wrong?) NAT Port Forward & automatically created firewall rule, according to my uploaded picture:

    If    Proto     Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP  NAT Ports  Description
    WAN   TCP/UDP   *          *           WAN address  11201        yea     11201      gtk-gnutella

    Still, when I run gtk-gnutella I am firewalled. Port 11201 is not reachable from the outside (http://porttest.net/). What am I misunderstanding here?



  • There are a few details missing here:

    1. Is your 3G stick your pfSense WAN interface?
    2. Does your pfSense WAN interface have a public IP address?
    3. Does your ISP allow "servers" to run over a 3G link?
    (My wireless broadband ISP assigns clients private IP addresses, hence it is possible for the clients to connect to hosts on the public internet but it is not possible for hosts on the internet to connect back to wireless clients.)

    @_mandark_:

    Still, when I run gtk-gnutella I am firewalled. Port 11201 is not reachable from the outside (http://porttest.net/). What am I misunderstanding here?

    Where do you run gtk-gnutella? Presumably on the Linux system you mentioned. You can't really test pfSense port forwarding from such a system,
    because the connection from such a system won't arrive on the pfSense WAN interface and hence the port forward rule won't apply.

    Assuming you are not blocked by anything previously mentioned, you might also need a firewall rule on the WAN interface to allow port 11201. I can't recall if such rules are automatically generated or optionally generated with port forward rules. (On my system I see in the firewall rules on the WAN interface rules corresponding to the port forwards I had set up on the WAN interface.)



  • @wallabybob:

    (My wireless broadband ISP assigns clients private IP addresses, hence it is possible for the clients to connect to hosts on the public internet but it is not possible for hosts on the internet to connect back to wireless clients.)

    That would be my guess. Only specially configured, additional cost, business class 3G/4G connections actually get a real public IP these days. Your typical 3G/4G connection is going to be behind CGNAT, in which case it's impossible to open ports inbound from the Internet.



  • @wallabybob:

    There are a few details missing here:

    1. Is your 3G stick your pfSense WAN interface?
    2. Does your pfSense WAN interface have a public IP address?
    3. Does your ISP allow "servers" to run over a 3G link?
    (My wireless broadband ISP assigns clients private IP addresses, hence it is possible for the clients to connect to hosts on the public internet but it is not possible for hosts on the internet to connect back to wireless clients.)

    1. Yes
    2. Ahm, don't know… WAN shows up as "10.74.252.106" (see screenshot)
    3. Well... that would be really bad!!  :o I'll have a look in local (Austrian) UMTS forums, or ask the provider. It's www.drei.at

    @wallabybob:

    Where do you run gtk-gnutella? Presumably on the Linux system you mentioned. You can't really test pfSense port forwarding from such a system,
    because the connection from such a system won't arrive on the pfSense WAN interface and hence the port forward rule won't apply.

    Assuming you are not blocked by anything previously mentioned, you might also need a firewall rule on the WAN interface to allow port 11201. I can't recall if such rules are automatically generated or optionally generated with port forward rules. (On my system I see in the firewall rules on the WAN interface rules corresponding to the port forwards I had set up on the WAN interface.)

    Yes, gnutella is running on my 192.168.2.2 linux box "yea". It has some sort of 'self-test' to check if it's being firewalled or not. Port forwarding was working on the same box with my old provider (tele2.at via PPPoE) and m0n0wall. But I also used http://porttest.net/ for checking if 11201 is open. I suppose this is the correct way of checking from the outside?

    A firewall rule is automatically created in pfsense 2.1 with port 11201 and "pass".




  • @_mandark_:

    2. Ahm, don't know… WAN shows up as "10.74.252.106" (see screenshot)

    You have a private IP address. Systems on the internet won't know how to get to that address, hence you can't run a server in that configuration.



  • Thanks for your help wallabybob and cmb!

    You were right, the IP was private. Luckily, with my current provider (www.drei.at) it is possible to change from a private to a public IP just by setting this in your account options online. Interestingly, "Open Internet" is set to OFF by default… I found this information after browsing some local UMTS forums.

    Now the NAT and firewall rule work as expected.

