Port forwarding problems
-
These are my very simple port forwarding rules and firewall rules in pfsense:
So there are, all in all, 9 entries that SHOULD work as set. Let's name these entries entry1 to entry9. For each entry, this is a brief description of their redirection IP/ports and the problems I'm encountering:
entry1 - pfsense webgui; no problems in accessing from outside this network
entry2 - WAN2 modem webgui; no problems in accessing from outside this network
entry3 - WAN3 modem webgui; CANNOT ACCESS from outside this network
entry4 - webgui of wifi router (set to switch mode) connected to LAN side of pfsense; CANNOT ACCESS from outside this network
entry5 - webgui of router (set to router mode) connected in between pfsense and WAN3 modem; CANNOT ACCESS from outside this network
entry6 - N8800 media server webgui; no problems in accessing from outside this network
entry7 - N8800 webdisk webgui; no problems in accessing from outside this network
entry8 - Kevin's Laptop sabnzbd webgui; CANNOT ACCESS from outside this network
entry9 - Alvin's Desktop sabnzbd webgui; CANNOT ACCESS from outside this networkBy the way, I have two WAN interfaces and one LAN interface. The two WANs are named WAN2 and WAN3 while the LAN is named LAN. All the IPs I've explained above are accessible from the LAN side and I have no problems with that. But from outside this network (from another computer connected to another ISP), why can't I access entry3, 4, 5, 8, and 9? I'm out of ideas now because as I understand port forwarding these rules are correct. But of course there is obviously something wrong here. Can you guys help me?
Thank you very much :)
-
BUMP! Anybody?
-
Source port?
-
Source port?
What do you mean? Do you mean I should specify the source ports for each Firewall rule? Those firewall rules were automatically made by pfsense when I did each port forward.
Shouldn't an asterisk mean it will listen to all the ports?
-
Not in the rules, but in NAT.
Kostas
-
Not in the rules, but in NAT.
Kostas
I tried doing it in the NAT and it was also reflected in the rules.
I tried putting a source port of 21001 in entry1 (which was working before doing this) and now it doesn't work. I then tried to put a source port of 8082 in entry9 and it still doesn't work.
-
Don't have access in the firewall right now, but I his topic http://forum.pfsense.org/index.php/topic,48866.msg258669.html#msg258669
there is an image of working NAT setup.
Best
Kostas
-
Don't have access in the firewall right now, but I his topic http://forum.pfsense.org/index.php/topic,48866.msg258669.html#msg258669
there is an image of working NAT setup.
Best
Kostas
Thanks, I'll analyze that.
-
I just tried analyzing the setup in the link you've posted but I'm not sure if it is applicable in my case. Anyone else have any ideas on this?
-
BUMP!
-
Help needed here guys? Please?
-
BUMP!
-
Daily BUMP!
Is this a hard-to-solve issue, really?
-
Packet capture traffic on the firewall for a host you can not access externally. Get a friend on the phone and ask them to try. Analyse the capture. Best guess the traffic hits the target but the target does not know where to send it back.
Also I have a feeling Sab has a setting in the ini file that tells it what networks it will talk to. That might be worth a look just to make sure it's not restricted to the local net.
edit/
No it doesn't I've just looked but it's default bind is the loopback so make sure it is bound to the IP of the box. Also I hope the port you are trying to redirect to is the https port of Sab and not the http.
-
Have an nearly-same problem,
I got two WAN´s, too, but i can only access the LanPC which are on the Default-WAN.
The problem is that the packet from the secondary WAN comes in and dont find out (because it goes over the Default-WAN).
-
Packet capture traffic on the firewall for a host you can not access externally. Get a friend on the phone and ask them to try. Analyse the capture. Best guess the traffic hits the target but the target does not know where to send it back.
Also I have a feeling Sab has a setting in the ini file that tells it what networks it will talk to. That might be worth a look just to make sure it's not restricted to the local net.
How do you actually do a packet capture on the firewall?
As I've probably mentioned above, I've already tried using SAB with a computer that's only connected to a simple DD-WRT router and I can access it from outside the network without any problems. When I bring this same computer and connect it to the network with pfsense as the main firewall, then I cannot access it from outside the network.
-
Under diagnostics -> Packet Capture
Select the LAN interface Set the host address to the IP address of the internal device you are trying to connect to Set the level of detail to full, leave all others at their default. Then get someone outside the network to attempt a connection. Don't try to use NAT reflection as that will confuse things. If you look at the capture and your response is WTF post it and we can take a look.
-
Here it goes (I'm trying to access 192.168.1.2 from outside the network and it did captured some packets. I replaced the source IP address with x.x.x.x):
Any thoughts?
-
Well I see incoming traffic for 192.168.1.2 but I'm not seeing an outgoing response.
Off the top of my head it's a routing issue. Is the LAN interface the default route? Try doing a traceroute from the device 192.168.1.2 and see where it thinks the packet should go.
-
Did you defined static routes or is there a second router in your network which reaches the other lan networks? What is the client default gateway? Could you ping all the clients defined from the pfsense "ping tool"?
-
Well I see incoming traffic for 192.168.1.2 but I'm not seeing an outgoing response.
Off the top of my head it's a routing issue. Is the LAN interface the default route? Try doing a traceroute from the device 192.168.1.2 and see where it thinks the packet should go.So that means that the port forwarding works, right?
The default gateway is WAN2 as set by pfsense. From the device 192.168.1.2, which IP should I do a traceroute to? By the way, 192.168.1.2 is a switch (switch-configured linksys router) that has a webgui.
Did you defined static routes or is there a second router in your network which reaches the other lan networks? What is the client default gateway? Could you ping all the clients defined from the pfsense "ping tool"?
My setup is like this:
The default gateway is WAN2. If I setup the interface as LAN in the ping tool of pfsense, yes I can ping all the clients.
-
If you know the address of the person trying to connect try that IP. Otherwise just do a traceroute to something like www.bbc.co.uk or your local google site. Also take a look at your firewall logs just to make sure it's not blocking outgoing traffic.
I'm assuming the switch is just a standard layer 2 device with no acls or VLANs defined on it but if it has and it won't do a traceroute outside your network maybe post the running conf although that is getting beyond the scope of these forums but we do try to help.
Yes your port forward appears to be working correctly.
-
If you know the address of the person trying to connect try that IP. Otherwise just do a traceroute to something like www.bbc.co.uk or your local google site. Also take a look at your firewall logs just to make sure it's not blocking outgoing traffic.
I'm assuming the switch is just a standard layer 2 device with no acls or VLANs defined on it but if it has and it won't do a traceroute outside your network maybe post the running conf although that is getting beyond the scope of these forums but we do try to help.
Yes your port forward appears to be working correctly.
Ok. Should I copy here the result of the traceroute and my firewall logs?
Yes, the switch is a standard non-managed switch, so no worries on that.
When port forwarding, do you usually specify the source port? Which port would the source use anyway when accessing my devices from outside the network?
-
It will be a random port for the source. Yes you can post the traceroute just obscure the IP if it's not to a public server.
-
It will be a random port for the source. Yes you can post the traceroute just obscure the IP if it's not to a public server.
Ok, I'll do that.
Why will it be a random port? I thought the source port is also, usually, the destination port?
-
I thought the source port is also, usually, the destination port?
No. Almost never.
-
@cmb:
I thought the source port is also, usually, the destination port?
No. Almost never.
So it's always random?
-
So it's always random?
Short answer yes.
Long answer. It is possible to force the use of a specific port or range but unless you understand the full implications of making such changes it's probable safer to just accept the short answer.I'd like to see your issue resolved so any info you could post would help. There is nothing worse than finding a forum post that resembles your problem and after reading through them all finding it just stops with no resolution.
-
So it's always random?
Short answer yes.
Long answer. It is possible to force the use of a specific port or range but unless you understand the full implications of making such changes it's probable safer to just accept the short answer.I'd like to see your issue resolved so any info you could post would help. There is nothing worse than finding a forum post that resembles your problem and after reading through them all finding it just stops with no resolution.
Ok.
Oh no, it won't stop with no answer. I will post the results of the traceroute in a while. I'm actually not inside the firewall network for a few days now and I just remotely access it which is why I didn't post sooner. I will do this now and post back.
-
I just tried doing a traceroute from 192.168.1.2 and there were no results. I guess because it's setup as a transparent switch? It's actually setup as a "DHCP Forwarder".
-
No a DHCP forwarder is simple a setting to forwarding bootp traffic from a subnet with no DHCP server to a DHCP server in a different subnet. It's required because bootp does not route across subnets.
Are you running the trace from the command line on the switch. My memory of the HP command set is a little rusty as we are a cisco shop these days but it should be something like
ip unreachables enable
ip ttl-expires enable
tracert 91.220.52.1That should trace through to one of our BGP routers.
perhaps as a check before you try the traceroute from the cli run show running config you should then be able to identify the default gateway is correctly set to the pfsense box.
I'm trying to second guess the issue here so I'd also be checking that the DHCP server is giving out the correct default gateway to the other boxes having an problem.
-
No a DHCP forwarder is simple a setting to forwarding bootp traffic from a subnet with no DHCP server to a DHCP server in a different subnet. It's required because bootp does not route across subnets.
Are you running the trace from the command line on the switch. My memory of the HP command set is a little rusty as we are a cisco shop these days but it should be something like
ip unreachables enable
ip ttl-expires enable
tracert 91.220.52.1That should trace through to one of our BGP routers.
perhaps as a check before you try the traceroute from the cli run show running config you should then be able to identify the default gateway is correctly set to the pfsense box.
I'm trying to second guess the issue here so I'd also be checking that the DHCP server is giving out the correct default gateway to the other boxes having an problem.Ok. Well, that switch device is running dd-wrt and it is connected to pfsense via its LAN ports. I have another dd-wrt router in another house and I can issue traceroute command in its command line using the syntax "traceroute HOST" and it will return me results because that other router is working really as a router where a modem is connected to its WAN port.
The show running config command is not a valid command for dd-wrt.
-
Here's a screenshot of the main settings of the dd-wrt switch:
I think I know the problem. The gateway and local dns are not specified which is why it cannot respond to outside requests?
But this switch is accessible via the LAN side of pfsense.
-
I specified 192.168.1.1 for both Gateway and Local DNS and IT WORKED! So this NAT entry is solved.
How about the others?
-
lol you want your monies worth ;)
Again I'm going to guess it's a routing issue. What's the OS of the boxes running Sab?
-
lol you want your monies worth ;)
Again I'm going to guess it's a routing issue. What's the OS of the boxes running Sab?
Lol, sorry about that.
Nope, I already solved the SAB problems. I'm pertaining now to entry numbers 3 and 5.
-
Sorry I thought I'd already posted what I thought was wrong with the setup to cause 3 and 5
The packet arriving at the 192.168.103.3 interface has the originating IP address of the request ie the computer on the internet. So it responds back but because it's default route is via wan3 the reply goes back to the sender with a different public IP than the one the request was sent to and the remote PC rejects it because it is not expecting a response from that host.
Can't see a fix for it as the default route for wan3 must be out so all I can suggest is that you move the NAT over to the wan3 IP and come in that way.
-
Sorry I thought I'd already posted what I thought was wrong with the setup to cause 3 and 5
The packet arriving at the 192.168.103.3 interface has the originating IP address of the request ie the computer on the internet. So it responds back but because it's default route is via wan3 the reply goes back to the sender with a different public IP than the one the request was sent to and the remote PC rejects it because it is not expecting a response from that host.
Can't see a fix for it as the default route for wan3 must be out so all I can suggest is that you move the NAT over to the wan3 IP and come in that way.Ah. How do you move the NAT over to the wan3 IP?
-
BUMP!
-
Does it have a fixed IP or is it dynamic?