SOLVED: Simple NAT port forwarding is totally blocked!



  • I've been testing for many hours now, and the NAT is completely hopeless..
    The server I'm trying to NAT against is 192.168.1.4

    All connections from LAN -> WAN work perfectly, at least what I've tested yet. I ran the nmap port scanner against my own WAN address and I only find ports open to the pfSense server (SSH, domain, etc.)
    I can't see why this configuration would be wrong?

    thanks for all support!










  • Your firewall rule on the WAN is all wrong. If you leave the box checked to auto-create the firewall rule when creating the port forward, it will save you lots of trouble.
    The source address and port for the HTTP forward should be *, and there is no rule for the SSH. I'm assuming you changed the listen port for SSH to 30 for some reason, but SSH is TCP, so don't forward TCP/UDP.



  • My previous post was a bit messed up. I've corrected it, but it still won't work..

    See my attachment below:
    (I know how noobish it is to post screenshots,
    but I want to assure myself that I'm doing everything precisely since I've been wasting lots of time on this..)

    I've also port-scanned my external IP again (not smart, I know..) but it only finds the same ports as before; the ones used by the pfSense server:
    21/tcp  open  ftp
    22/tcp  open  ssh
    53/tcp  open  domain
    444/tcp open  "snpp" (I've changed my 443 https to 444)






  • That rule looks better. I can see a website for teamgule.net? on that address. (Assuming that was the real IP.) Apache 2 on Ubuntu sounds like the correct box? So either it is now working, or that wasn't really the IP?



  • I suppose I can't see it myself then from my LAN… thanks!

    Yes, the server has many domains. Primary teamgule.net
    Do you get the whole site with "guleweb.com"? Or do you just find the server specifications? :)

    Edit: I got it confirmed by a friend too! thanks ;)

    btw: Does all traffic from the WAN get blocked unless I set a "block all" rule on the firewall? I will only accept connections through some specific ports (like web, Cstrike, ftp etc..). Do I need to set up such a block?



  • If you want to be able to use a NAT forward from within your LAN you need to activate NAT reflection (System -> Advanced).

    Rules are processed from top to bottom.
    If a rule matches, the rest of the rules are no longer considered.
    By default a "block all" rule is always in place (invisible, below your own rules).



  • MAN! You have no idea of my relief now :D Thank you so much! It would have been a hard time working without being able to check my own domains. ;) It would have taken me even more time to find that option, especially for a noob like me :)

    Thank you really much! All of you! ;)



  • Though… I can't get port 21 to work. Why is that?

    I see the port is already in use by pfSense by default. How do I disable this?



  • Since FTP is a really NAT-unfriendly protocol, pfSense uses ftpsesame as an FTP proxy
    http://www.openbsd.org/4.1_packages/m68k/ftpsesame-0.95.tgz-long.html

    You can disable it by setting "disable FTP helper" on each interface config page.
    Search the forum about this.
    There are !many! threads about this.
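The two replies above (rule order plus NAT reflection, and the FTP helper sitting on port 21) describe what pfSense builds for you behind the GUI. Below is an added, hand-written pf.conf fragment showing the same thing in pf's own rule language; it is an illustration, not pfSense's generated ruleset, and it uses the old rdr/nat syntax of the OpenBSD 4.1-era pf that pfSense of this generation ran. Interface names em0/em1, the LAN subnet 192.168.1.0/24 and the passive FTP range 50000-50100 are assumptions; only the server address 192.168.1.4 comes from the thread.

```pf
# Added example: illustrative pf.conf, NOT the ruleset pfSense generates.
# Assumed: em0 = WAN, em1 = LAN, LAN is 192.168.1.0/24.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
server  = "192.168.1.4"          # the box being forwarded to (from the thread)
pasv    = "50000:50100"          # assumed passive FTP data range on the server

# ---- Port forward on the WAN (the "NAT" tab) -------------------------------
# rdr rewrites the destination BEFORE the filter rules see the packet.
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $server port 80

# ---- NAT reflection (System -> Advanced) for reaching it from the LAN -------
# 1) rewrite the destination when a LAN host hits the WAN address ...
rdr on $lan_if proto tcp from $lan_net to ($wan_if) port 80 -> $server port 80
# 2) ... and rewrite the source to the firewall's LAN address, otherwise the
#    server answers the client directly and the client drops the reply
#    because it never talked to 192.168.1.4.
nat on $lan_if proto tcp from $lan_net to $server port 80 -> ($lan_if)

# ---- FTP: only reachable once the WAN FTP helper (ftpsesame) no longer owns
#      port 21. Passive mode also needs the data range forwarded, and the FTP
#      server must be told to use that range and advertise the WAN address.
rdr on $wan_if proto tcp from any to ($wan_if) port 21    -> $server port 21
rdr on $wan_if proto tcp from any to ($wan_if) port $pasv -> $server

# ---- Filter rules ----------------------------------------------------------
# pf evaluates rules top to bottom. The default deny comes first and has no
# "quick", so any later matching "quick" rule wins over it; if nothing
# else matches, this is the rule that applies. That is the invisible
# "block all" underneath the rules you write in the GUI.
block in log all

# Filter rules see the already-translated destination, so the WAN pass rule
# names the internal server, not the WAN address. Source address and source
# port must stay "any": clients connect from random high ports.
pass in quick on $wan_if proto tcp from any to $server port 80 \
    flags S/SA keep state
pass in quick on $wan_if proto tcp from any to $server port { 21, $pasv } \
    flags S/SA keep state

# LAN -> anywhere (covers the reflected connection as well)
pass in quick on $lan_if from $lan_net to any keep state
```

The practical checks this implies: a WAN rule whose destination is the WAN address (or whose source is restricted to one address or port) never matches a forwarded connection, because by the time filtering happens the destination already reads 192.168.1.4; and a port scan run from inside the LAN only tells you what reflection is doing, not what an outside client sees, so confirm exposed ports from an external host.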



  • Crazy thing… but it won't work.

    I've tried all the methods in http://devwiki.pfsense.org/FTPTroubleShooting

    I've also tried lots of different advice from the forum FTP threads, though I do not get it working, not even with active FTP.
    The only thing I haven't tried is to delete all NAT configurations and rewrite them. I've only deleted and set up the FTP port again after changing the FTP helper option on WAN.

    Now, I do not use load balancing. Only the traffic shaper and NAT. I don't see why this could be the problem..

    @GruensFroeschli:
    The package you're referring to... installing it, will it fix this problem anyway? I've never done an installation in OpenBSD, so after tar xfvz etc. on the file I've no clue what to do..

    Thanks for helping!



  • You don't need to install it ^^"
    It's already installed.
    That's why port 21 shows as open :)



  • OK then..  ???

    Any foolproof method to fix the FTP entry one last time, anyone? :)

