Netgate Discussion Forum

Port not open? Only filtered?

20 Posts 2 Posters 9.8k Views
    mogie
    last edited by Oct 28, 2007, 3:29 AM Oct 28, 2007, 3:22 AM

    Running 1.2-RC2.
    PPPoE configured to ISP with dynamic IP.

    I have lots of strange problems with my forwarding on NAT. All ports except port 80 and a custom SSH port (30) are neither responding nor showing as an open port to the server. Have I misunderstood how the NAT works within pfSense? In short, I get no results other than the ports used directly on the pfSense server when I nmap-scan it (22 SSH, 40 custom http, 53 domain).

    I always get a "filtered" output from nmap when I try to scan the external IP on a specific port. On my previous box (router/modem from ISP) I got to know what was open and not when I portscanned (a stupid risk to take, but I did it anyway). I assume there's a logical explanation to how the pfSense box handles this?

    I have a lot of services that won't work, or only partly work, through my NAT now. I've also read a lot of HOWTOs on everything about forwarding, where none has worked out.

    As already told, only HTTP, SSH (30), and SMTP seem to work. All other ports are not working. When sending mail from the server through a PHP form to my Gmail for instance, I get the internal (LAN 10.0.0.138) IP address in the mail message, which should have been the external IP instead. 1200, 27000-15, 27030-39 are for CStrike.

    I'm currently using the Traffic Shaper, DHCP server and Dynamic DNS service, none of which I can see have anything to do with the NAT configuration.

    My main priority is port 21. Though I've tried every HOWTO and read every doc on pfsense.com and the wiki, there's no answer to it. The options for the FTP helper do not make any difference on either interface. It should be simple to NAT all these ports..
    Though, maybe the bug lies here: in the rolling console above on the webGUI this message repeats after trying to forward FTP 21: [Filter_Reload]# unresolable dest aliases NAT ftp active

    Thank you all for helping me :)

      cmb
      last edited by Oct 28, 2007, 7:05 PM

      Did you check "auto add firewall rule" when adding NAT? What do your WAN firewall rules look like?

        cmb
        last edited by Oct 28, 2007, 7:07 PM

        also see: http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          mogie
          last edited by Oct 28, 2007, 8:55 PM

          @cmb:

          Did you check "auto add firewall rule" when adding NAT? What do your WAN firewall rules look like?

          Absolutely! The rules are also perfect..
          Believe me, it should work. Maybe it has to be some advanced setting that there are zero docs on, or something..

          But again.
          "php: : New alert found: # unresolvable dest aliases NAT ftp active" it says in the log.
          How do I diagnose this message? At least for the FTP the problem must be here!

            mogie
            last edited by Oct 28, 2007, 9:06 PM

            I now see that the "rules" page only shows TCP on all rules, though some of them use UDP or both TCP/UDP.

            I've changed this setting on the rules page, in hope of better results, but no…

              cmb
              last edited by Oct 28, 2007, 9:09 PM

              @mogie:

              "php: : New alert found: # unresolvable dest aliases NAT ftp active" it says in the log.
              How do I diagnose this message? At least for the FTP the problem must be here!

              This looks like your problem. Can you pm me your entire config.xml copied from status.php?

                mogie
                last edited by Oct 29, 2007, 6:09 PM

                @cmb:

                @mogie:

                "php: : New alert found: # unresolvable dest aliases NAT ftp active" it says in the log.
                How do I diagnose this message? At least for the FTP the problem must be here!

                This looks like your problem. Can you pm me your entire config.xml copied from status.php?

                I've sent a PM with the .xml file. I hope it was the whole XML file you meant :) Check your inbox

                (I've replaced login names and passwords with mYpassword etc.)

                  mogie
                  last edited by Oct 30, 2007, 1:46 PM

                  Do you find anything? :)

                    mogie
                    last edited by Nov 9, 2007, 11:44 AM Oct 31, 2007, 11:15 PM

                    If anyone else wants to help, I've got the XML file here:

                    http://teamgule.net/config-pfsense.lan-20071029163349.xml

                    Thanks again for those helping! It is really appreciated!

                      cmb
                      last edited by Nov 1, 2007, 3:30 AM

                      just saw your pm today. I won't have time to look at it tonight, but maybe tomorrow, if not definitely this weekend.

                        mogie
                        last edited by Nov 3, 2007, 2:10 PM

                        Is the PM really working? I haven't got any outbox mails after sending some…

                          mogie
                          last edited by Nov 9, 2007, 11:47 AM

                          Update: I've updated the link above if anyone wants to look at it again :)

                          http://teamgule.net/config-pfsense.lan-20071029163349.xml

                            mogie
                            last edited by Nov 9, 2007, 11:50 AM

                            I'm getting a new ISP this weekend, I hope.. with static IP (eventually!!). They do not use PPPoE, so maybe that will solve some problems :)

                              mogie
                              last edited by Nov 13, 2007, 5:54 PM

                              I've tried a new network layout now:

                              Modem w/firewall & NAT          pfsense w/ or without NAT
                              LAN 192.168.1.1          ----------> 10.0.0.138  -----------> LAN
                              WAN 85.167.x.x

                              I have NATed all ports on the router/modem to the pfSense box. Things are all the same. All NATs are working except FTP, Counter-Strike, and passive FTP (2300-2400). It makes no difference which services I'm running additionally (DHCP, Traffic Shaper etc.) - in fact there's no logic in this not working in any way at all. Also tried to reset the pfSense box many times, restored the settings in different combinations, though the result is the same.
                              All of this SHOULD work, and I'm seriously considering trying m0n0wall instead, because it has the same features that I'm looking for.

                              For the new ISP part, I'm still waiting - but like I said - the problem lies in the pfSense box software, not the connection to my ISP or the WAN connection.

                              It makes no difference trying to disable the NAT on the pfSense router. Neither does a lot of other features, like I've told.

                              Should I go back and try pfSense 1.0 stable maybe? Thanks for all the advice!

                                mogie
                                last edited by Nov 13, 2007, 9:31 PM Nov 13, 2007, 9:28 PM

                                Ok.. I've actually managed to get some connection on the FTP port in active mode, but ONLY through an FTP client program (LeechFTP). Not in passive mode, of course..

                                WAN - Disable the userland FTP-Proxy application: [CHECKED]
                                LAN - Disable the userland FTP-Proxy application: [NOT CHECKED]

                                As I mentioned, I have the firewall and the first forward at the router/modem (192.168.1.1). And therefore all connection rules on the pfSense box are allowed (both on WAN and LAN).
                                I have NAT'ed these ports:

                                If   Proto  Ext. port range  NAT IP                Int. port range  Description
                                WAN  TCP    21 (FTP)         10.0.0.4 (ext.: any)  21 (FTP)
                                WAN  TCP    80 (HTTP)        10.0.0.4 (ext.: any)  80 (HTTP)

                                Why is it not possible to browse the FTP server with a web browser like I did before (without the pfSense box in between), but only through the client?

                                I've carefully compared two outputs with LeechFTP - both servers running Pure-FTPd, one connection to my server, and one to an outside server. I get the exact same outputs. So I need to know how the browsers get the FTP connection. Is it always through a passive connection?

                                  mogie
                                  last edited by Nov 13, 2007, 10:10 PM

                                  I now got passive FTP to work at first try through LeechFTP… dammit!

                                  Still, using browser is hopeless. If anyone can see anything useful here, please let me know:

                                  proxy    331  0.0  0.2   704   452  ??  Ss    9:02PM   0:00.16 /usr/local/sbin/pftpx -c 8021 -g 8021 10.0.0.138
                                  
                                    mogie
                                    last edited by Nov 16, 2007, 1:06 AM

                                    My previous reply about FTP only working through LeechFTP was wrong. It was because I tested it with NAT reflection to my IP address, and that's why it worked in that case only. I've tested it from another public IP, finding the same result all over:

                                    Through SSH from an outside IP address I get:

                                    500 This security scheme is not implemented
                                    

                                    And with an online FTP client I get the 500 error too:
                                    http://www.g6ftpserver.com/en/ftptest

                                    * About to connect() to mydomain.net port 21
                                    * Trying 85.167.x.x... connected
                                    * Connected to mydomain.net (85.167.x.x) port 21
                                    < 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 
                                    < 220-You are user number 2 of 10 allowed. 
                                    < 220-Local time is now 02:09. Server port: 21. 
                                    < 220 You will be disconnected after 15 minutes of inactivity. 
                                    
                                    > USER anonymous 
                                    < 230 Anonymous user logged in 
                                    
                                    > PWD 
                                    < 257 "/" is your current location 
                                    * Entry path is '/'
                                    
                                    > CLNT Testing from http://www.g6ftpserver.com/ftptest from IP 85.167.x.x 
                                    < 500 Unknown command 
                                    * QUOT command failed with 500
                                    * Connection #0 to host mydomain.net left intact
                                    
                                    * Closing connection #0
                                    
                                      cmb
                                      last edited by Nov 16, 2007, 5:32 AM

                                      Finally getting a chance to look at this closer. What is the problem at this point? Sounds like things have changed since earlier?

                                        mogie
                                        last edited by Nov 22, 2007, 9:36 PM Nov 22, 2007, 9:28 PM

                                        I've been testing m0n0wall instead, with some luck, and some lack of features compared to pfSense.
                                        The NAT reflection feature is not supported in m0n0wall, so I'll need to forward manually through DNS forwarding. Anyway, I'll be able to fix this if I can get the ports to finally work some time in my existing life ..

                                        Using m0n0wall:
                                        Compared to pfSense, finally, the CStrike server is visible from the outside with m0n0wall.
                                        Though the FTP problems are still the same as on the pfSense box.
                                        I'm able to connect to the server in some way and almost get a response (see previous post).

                                        In short.. I've tried every single combination of settings that I could ever think of in order to get the NAT working properly. Believe me! I've tried both setting up double NAT, and bridging the modem to the pfSense/m0n0wall box and then connecting using PPPoE. The only thing I see now is that there's something terribly wrong with the software I must be using… or that there's some mysterious blocking at the modem when it is in bridge mode.. (not logical at all!)

                                        Anyway. The problem still lies in the XML file that I've deployed for pfSense (if it does have a problem at all). Look at my previous post to download it.

                                        I've been testing from remote FTP clients to my network for this.

                                          mogie
                                          last edited by Nov 23, 2007, 12:35 AM

                                          UPDATE:

                                          I've managed a double NAT in active FTP in some way..
                                          I've set the "ForcePassiveIP" parameter in pure-ftpd to the external address outside the network the server is on (192.168.1.1) in order to get passive on m0n0wall working. I've now tried to set up pfSense too, and it seems to have paid off! :) Passive FTP is working through the pfSense box now. I'm going to troubleshoot the passive connection in the meantime..

                                          I've tested through SSH on an external server

                                          server <------------>  pfsense/m0n0wall <-------------------------> routermodem (PPPoE)
                                          10.0.0.4                    10.0.0.138/192.168.1.1                                85.167.x.x

                                          Like I said, this is with double NAT. I have no idea why the bridge on the modem, and the PPPoE on pfSense, didn't work. Neither how the ForcePassiveIP parameter affected the active FTP connection with the server..

                                          Though, it does not work through the simple external FTP tester I've been using a lot, including the SSH of course.
                                          http://www.g6ftpserver.com/en/ftptest

                                          To others experiencing the same issue:
                                          Configure passive connection on your FTP server and force the passive IP to the external IP of the network you're in. (above)

                                          Though again, this configuration may be trouble for my CStrike connection. I will need to test that out too..

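The ForcePassiveIP fix above comes down to what the server puts in its 227 PASV reply: a client outside the NAT tries to open the data connection to whatever address and port the reply advertises. The following is an added diagnostic, not code from this thread, pfSense or pure-ftpd, that parses a PASV reply and flags the two failure modes this thread runs into: an RFC 1918 address advertised to outside clients, and a data port outside the forwarded passive range (2300-2400 as forwarded here). The sample replies and the public address 203.0.113.10 are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# RFC 1918 ranges: unreachable from the public Internet, which is what an outside
# client gets when the server advertises its LAN address instead of ForcePassiveIP.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PasvCheck:
    ip: str
    port: int
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (ip, port) from a 227 reply; raise ValueError for anything else."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    if any(x > 255 for x in octets):
        raise ValueError(f"byte out of range in PASV reply: {reply!r}")
    ip = ".".join(str(x) for x in octets[:4])
    port = octets[4] * 256 + octets[5]  # p1 is the high byte, p2 the low byte
    return ip, port


def check_pasv(reply: str, public_ip: str, passive_range=(2300, 2400)) -> PasvCheck:
    """Flag PASV replies that an external client could not follow through a NAT."""
    ip, port = parse_pasv(reply)
    result = PasvCheck(ip, port)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        result.problems.append(f"advertised {ip} is RFC 1918; set ForcePassiveIP to {public_ip}")
    elif ip != public_ip:
        result.problems.append(f"advertised {ip} does not match public address {public_ip}")
    lo, hi = passive_range
    if not lo <= port <= hi:
        result.problems.append(f"data port {port} is outside forwarded range {lo}-{hi}")
    return result


if __name__ == "__main__":
    # Constructed replies: LAN address leaked (the symptom in this thread) vs. fixed.
    for r in ("227 Entering Passive Mode (10,0,0,4,9,25)",
              "227 Entering Passive Mode (203,0,113,10,9,25)"):
        c = check_pasv(r, "203.0.113.10")
        print(r, "->", "OK" if c.ok else "; ".join(c.problems))
```

Run it against the real reply captured from outside the NAT (the `227` line from an FTP client's verbose log) to see whether the server is still advertising a LAN address.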
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.