Port forwarding problem

  • I wasn't sure if I should post this in the NAT or Firewall forum, so that's why it's here in general.

    I have a Ubuntu server behind my pfsense firewall that I need to ssh to from the outside. I have assigned the server a static internal IP, and I have forwarded port 22 to that IP, but it is not working. When I attempt to ssh to the wan IP on port 22 it hangs for a while then times out. I have also tried setting up a custom port 2222 for ssh but that is not working either, same problem. This is on pfSense 1.2.3. Maybe I have the port forwarding wrong?

    My pfSense lan IP is, and the Ubuntu server's IP is I made a NAT port forward to point incoming traffic on port 22 to port 22 on, and also made a NAT port forward pointing incoming traffic on port 2222 to port 22 on Both rules are in place at this exact moment, but I have tried having only one rule in place at a time (both ways).

    Any ideas?

  • LAYER 8 Global Moderator

    And have you tried it from the outside?  Sounds like your trying it from a box on the 10.1.2 network – that would be a nat reflection, or loopback forwarding.  For that to work you have to enable it.

    If your on the same lan as your ssh server, why not just hit the address directly - why are you hitting your pfsense wan IP just to be forwarded back in.

    Have some try it from the wan side of your network.  Also is your wan IP actually public IP, or is it behind a NAT as well.  Does your pfsense wan IP start with 10.x.x.x or 192.168.x.x or 172.16-31.x..x if so then your behind a double nat.  And for forwarding to work from the OUTSIDE you will need to make sure the device in front of pfsense doing nat is forwarding that port to your pfsense wan IP.

  • No, I am trying it from the wan. I have a ssh app on my phone, so I've been trying to ssh in from a 3G connection. I have also tried doing it tethering my laptop to my phone for internet. The actual owner of the server is currently overseas and also cannot access it.

    If I want to SSH to the server from within the lan, yeah, I just use, and that works fine. That's not the problem.

    Also, my wan IP is the public IP. I am using a block of static ip's from windstream. The modem/gateway is x.x.x.1 and the public IP for the pfsense box is x.x.x.2. Pardon the x's, but security, y'know? Publically, x.x.x.2 is the IP that's shown.

  • LAYER 8 Global Moderator

    And is your pfsense WAN IP NOT start with 10.x or 192.168.x.x or 172.16-31 – Quite often when users have issue with port forwarding its because they are behind a double nat and didn't know it.  Is your WAN IP an actual PUBLIC IP address?  Or is it behind some other NAT device.

    What does your pfsense plug into - what is the model number of the device pfsense is connected to?

    Port forwarding should take all of 2 seconds to setup.  Create the nat, and let it auto create the firewall wan rule for you - shazam forwarding is done.  Its not rocket science.  If your on a public IP on your pfsense wan, you have any host firewall running on your server that could be blocking traffic that is not coming from its lan network?

  • Ha, I edited my post to answer that question at the same time you posted.

    Anyway, yes, the only device between the pfsense box and the internet is windstream's equipment. We're on a T1.

  • LAYER 8 Global Moderator

    So then verify the traffic is hitting pfsense with a tcpdump or from the diag screen packet capture.  Then doing a sniff on the lan interface of the pfsense make sure its being sent to your server.

    So I access a ubuntu box behind my pfsense on, with public IP of 24.13.x.x

    So as you can see here are my nat and firewall lan rules that send 22 to my server on

    You can see my wan IP, and lan and wan interfaces in the pfsense screen.  Then doing a tcpdump on both my lan and wan interfaces you can see the traffic come in to 22 from public IP to my 24.13 public IP, and then it goes out on the lan interface from the public to my private IP on 22.

    And you can see the return traffic.

    First step in troubleshooting is make sure the traffic is hitting your firewall.  Maybe you have wrong IP, maybe your ISP blocks 22? etc..  You need to verify its hitting your pfsense wan, and then pfsense is sending it out.  You could then sniff on your server - is it seeing the traffic.  If it is seeing the traffic then there most be a host firewall on that server that not allowing it from that source IP.

    Another common mistake users make is putting something in that source PORT, like 22 when you have no idea what the source port of the traffic is going to be.  999/1000 times source port should be any in common rules.

  • It is my recollection that some SSH servers need to be configured to specify which IP addresses are allowed access.

    I suggest you check your SSH configuration. SSH log might record failed access attempts.

    As johnpoz suggested, tcpdump is a useful tool to verify your access attempt passes various points along its path.

    Have you reset firewall states after setting up your port forward? See Diagnostics -> States, click on Reset States tab.

  • Post your port forward and firewall rules.  Also… on the linux server... make sure it's actually listening on port 22... and that the software firewall is either off... or has 22 allowed.  I would turn it off for testing.

  • Here's my NAT rule

    Interface - WAN
    External address - any
    Protocol - TCP
    External port range - from: SSH   to:(other)
    NAT IP -
    Local port - SSH
    No XMLRPC Sync - Not Checked

    And my Firewall Rule

    Action - Pass
    Disabled - not checked
    Interface - WAN
    Protocol - TCP
    Source - "not" not checked   Type: Any   Address: Blank
     Advanced / Source port range - from: any   to: any
    Source OS - any
    Destination - "not" not checked
     Type: Single host or alias
    Destination port range - from: SSH   to: SSH
    Log - checked
    Advanced Options - all empty
    State type - keep state
    No XMLRPC Sync - not checked
    Schedule - none
    Gateway - default

    I deleted the rules regarding port 2222, since they weren't working anyway.

    I tried doing screenshots but the forum says my image files are too large and I don't wanna mess with that.

    To answer other questions - yes I have reset the states - And I also did a packet capture on port 22 while making an attempt to connect, and this was the result:

    11:00:28.624981 IP > x.x.x.2.22: tcp 0
    11:00:31.614608 IP > x.x.x.2.22: tcp 0
    11:00:37.626820 IP > x.x.x.2.22: tcp 0

    x's for privacy

  • Also worth mentioning, tcpdump isn't logging anything at all when I do "tcpdump port 22" and attempt to connect to the server. Just for testing's sake, I also enabled ssh on the pfsense box and established a connection to it from the LAN side, and ran the same command "tcpdump port 22" and it logged my connection to the pfsense box.

  • You can use a service like photobucket.com, which will export the html image code… allowing you to post screenshots.

  • Netgate Administrator

    You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)


  • LAYER 8 Global Moderator

    ^ exactly.  there is no external address field in nat, do you mean src is set to any.  Then what is your dst address in the nat, it should be wan address.  If you put in the IP address of your server then no it would never work.  Because the wan would never see traffic dest of your private IP address.  All traffic on your wan interface would be a dst of your wan address.

    Once your wan rule allows the traffic in, then the nat would nat and forward that traffic to where you want it to go.

    Nor did you list what the source port in your nat rule is set too in your above.  Just post a screen shot.. As to it being too large - what the hell are you using to take it with print screen, that is going to be a BMP file?  Use one of the 1000's of free tools out there to take your screen shot and save it in a format that makes sense, jpg, png, etc.  And they also allow you to reduce size and quality to make for very small size.

    Windows 7 has the built in snipping tool for example.

    By default your firewall wan rule should be autocreated when you setup the nat/forward.

  • @stephenw10:

    You haven't told us the 'source address' and 'destination address' fields in your NAT rule. Only 'external address' which isn't one of the fields. Confusing!  ;)


    I told you everything that's in the rule…

    Anyway, the problem with posting screenshots was that I was trying to post all of my screenshots in one post... thus why the forum was saying too large. Anyway, here's screenshots... broken up over multiple posts

    Attached here is my NAT settings

    ![SSH Rule NAT.jpg](/public/imported_attachments/1/SSH Rule NAT.jpg)
    ![SSH Rule NAT.jpg_thumb](/public/imported_attachments/1/SSH Rule NAT.jpg_thumb)
    ![NAT Rules.jpg](/public/imported_attachments/1/NAT Rules.jpg)
    ![NAT Rules.jpg_thumb](/public/imported_attachments/1/NAT Rules.jpg_thumb)

  • And firewall settings

    ![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)
    ![Firewall Rules.jpg_thumb](/public/imported_attachments/1/Firewall Rules.jpg_thumb)

  • Firewall rule page 1

    ![Firewall SSH Rule pt1.jpg](/public/imported_attachments/1/Firewall SSH Rule pt1.jpg)
    ![Firewall SSH Rule pt1.jpg_thumb](/public/imported_attachments/1/Firewall SSH Rule pt1.jpg_thumb)

  • Firewall rule page 2

    ![Firewall SSH Rule pt2.jpg](/public/imported_attachments/1/Firewall SSH Rule pt2.jpg)
    ![Firewall SSH Rule pt2.jpg_thumb](/public/imported_attachments/1/Firewall SSH Rule pt2.jpg_thumb)

  • Firewall rule page 3

    ![Firewall SSH Rule pt3.jpg](/public/imported_attachments/1/Firewall SSH Rule pt3.jpg)
    ![Firewall SSH Rule pt3.jpg_thumb](/public/imported_attachments/1/Firewall SSH Rule pt3.jpg_thumb)

  • LAYER 8 Global Moderator

    What version of of sense are you running?  I don't see interface on the nat rule

    It's on the edit page but not the rule listing.

    Are you using old 1.x line?

  • Netgate Administrator

    Hmm, looks like 1.2.3 or earlier. You should update when you have an opportunity to so safely.
    Anyway you should have 'external address' set to 'interface address'.


  • I'm using 1.2.3. I have a captive portal with user self registration, which is why the old version. There was a php script posted here on the forums by another user for user self registration that I am using (modified of coarse), but it does not work on 2.0+, just older versions of pfSense.

  • LAYER 8 Global Moderator

    Well couple things – again not seeing WAN as interface on the actual listing of the rules.  But only in your edit, did it get unselected somehow?

    Also is that other nat working? And I agree with stephenw10 the external should be set to WAN interface address not any.  Also your edit along with interface, but why would your external port be 22-any, you don't want to foward 23 to 22 do you.  Your dst is ssh-ssh so your external should match that ssh-ssh


    It actually has to do with the captive portal. I had to add to and from rules in the allowed IP addresses list. I already had added the server's MAC to the MAC Pass-Through list, and thought that was all I needed to do, but I was wrong. Now that I have added the IP address of the server to the "allowed IP addresses" list in Captive Portal section it is working as it should be.

    Thank you guys for helping me troubleshoot. :)  You all have been quite helpful!

Log in to reply