Port Forward IS NOT Working on pfsense 2.1



  • I am going nuts over this issue. I decided to deploy a pfsense box on our network a couple of weeks ago because we now have 1Gbps fiber and our commercial router just wouldn't pass data through the firewall fast enough. But, now I look like a jackhole to my employer because I CAN NOT get this machine to forward ports.

    PLEASE, don't link me to the how to forward ports thread. I have been researching and trying everything on the forums, and YouTube videos. I have reinstalled pfsense three times. I am at my wit's end. According to the forum posts and how-to videos I am doing everything correctly, but the firewall WILL NOT let anything pass.

    I am using x64 pfsense 2.1 with a socket 775 Core2Duo.
    The onboard Realtek LAN is my WAN port. RE1
    And I have a PCIe Realtek LAN card as my LAN connection. RE0

    If anyone can think of anything, please send it my way.

    Thanks,
    Mitch


  • Banned

    Hi Mitch. Let me have a look. Send me a PM for details. I am in the CET timezone, so on my way to bed. Will be available in about 8 hrs.


  • Rebel Alliance Global Moderator

    Wit's end, so how about some details - so you have sniffed and the packets hit your WAN interface of pfsense? And pfsense just doesn't forward..

    Forwarding on pfsense should be click click - so it takes all of 30 seconds to actually verify that traffic is hitting your WAN that you should forward. Have you done this - then where is this info so we can help you?

    From your post, what do you want to help other than pointing you to the how to troubleshoot port forwarding?
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    So can you show the packets hitting pfsense but not going out the lan interface?  And your rules?



  • I have no idea why. This makes absolutely no sense to me whatsoever.
    But, I bought an Intel Dual NIC and disabled the onboard Realtek, and
    repurposed the Realtek PCIe card that I had. Reinstalled pfsense, and
    my ports forwarded the very first time I tried it.

    Thanks for offering to help you two, but I didn't see your posts until now.
    I am baffled as to why this worked. Because both NICs were working
    fine, there is no reason pfsense, or FreeBSD, should see these any differently.

    Part of me wants to put the Realtek card back in and re-enable the
    onboard just to see if it would still be working. But, after messing with
    this thing for so long, I'm not going to risk losing my progress.

    Thanks Guys,
    Mitch



  • @johnpoz:

    From your post, what do you want to help other than pointing you to the how to troubleshoot port forwarding?
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Add #15 to that Common Problems list for Port Forward Troubleshooting

    15.  If you are using Realtek NICs, ditch them and get Intel.

    ::)



  • Ehmmm, I have a similar problem on nat 1:1

    My DMZ mail server seems to get NATed outside but not inside.
    Take a look at these packet captures of a connection attempt to google:

    ON DSL interface:
    16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
    16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:21.487296 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
    16:42:21.517592 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:21.828523 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:22.188522 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:22.428460 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:23.388629 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:23.628438 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
    16:42:24.242951 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:24.414444 IP XX.YY.ZZZ.245.1635 > 173.194.35.23.80: tcp 0
    16:42:24.443562 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:25.790529 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
    16:42:26.028500 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1635: tcp 0
    16:42:29.884252 IP XX.YY.ZZZ.245.1636 > 173.194.35.23.80: tcp 0
    16:42:29.914162 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1636: tcp 0

    ON DMZ interface
    16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
    16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
    16:43:24.430940 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
    16:43:24.475723 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
    16:43:24.518007 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0
    16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
    16:43:27.281005 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
    16:43:27.381596 IP 10.6.107.2.1647 > 173.194.35.23.80: tcp 0
    16:43:27.482185 IP 10.6.107.2.1648 > 173.194.35.23.80: tcp 0
    16:43:27.482214 IP 10.6.107.2.1649 > 173.194.35.23.80: tcp 0

    10.6.107.2 is Mailserver IP in DMZ
    XX.YY.ZZZ.245 is virtual public IP (nated) on DSL interface
    173.194.35.23 is google
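
Added example, not part of the original post: a small Python parser for the capture-line format shown above that counts, per interface, packets toward and from the remote host and reports an interface that only sees one direction. The function names are choices made for this example, and the sample lines are an abbreviated copy of the captures in the post.

```python
import re
from collections import Counter

# Abbreviated copy of the captures in the post above (addresses as redacted there).
DSL_CAPTURE = """\
16:42:21.236894 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
16:42:21.267025 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:21.588509 IP 173.194.35.23.80 > XX.YY.ZZZ.245.1634: tcp 0
16:42:24.213257 IP XX.YY.ZZZ.245.1634 > 173.194.35.23.80: tcp 0
"""
DMZ_CAPTURE = """\
16:43:24.180029 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
16:43:24.265809 IP 10.6.107.2.1646 > 173.194.35.23.80: tcp 0
16:43:27.180431 IP 10.6.107.2.1645 > 173.194.35.23.80: tcp 0
"""

# time, "IP", src host.port, ">", dst host.port, protocol, payload length.
# The host part is matched loosely so redacted addresses still parse.
LINE = re.compile(r"^\s*(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\w+) (\d+)\s*$")


def parse(capture):
    """Yield (src_host, src_port, dst_host, dst_port) for each capture line."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(2), int(m.group(3)), m.group(4), int(m.group(5))


def summarize(capture, remote):
    """Count packets to/from `remote` and repeats of an identical 4-tuple."""
    seen = Counter(parse(capture))
    to_remote = sum(n for (s, _, d, _), n in seen.items() if d == remote)
    from_remote = sum(n for (s, _, d, _), n in seen.items() if s == remote)
    # Zero-payload packets repeating the same 4-tuple are consistent with
    # retransmitted handshake segments, i.e. a connection that never completes.
    repeats = sum(n - 1 for n in seen.values())
    return {"to_remote": to_remote, "from_remote": from_remote, "repeats": repeats}


def one_way(summary):
    """True when an interface carries requests to the remote but no replies."""
    return summary["to_remote"] > 0 and summary["from_remote"] == 0


if __name__ == "__main__":
    for name, cap in (("DSL", DSL_CAPTURE), ("DMZ", DMZ_CAPTURE)):
        s = summarize(cap, "173.194.35.23")
        print(name, s, "one-way" if one_way(s) else "two-way")
```
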