[Solved] Port forward problem - in but not out

  • So I have in the past made port forward work with pfsense, but am not having any luck tonight.  Here is hoping someone has got the answer.

    Problem: I would like to forward port 22 traffic through to a machine in my DMZ interface.

    -I have an OpenVPN tunnel as another interface (not WAN), however WAN is the default gateway.
    -I have attached clips of my NAT rules, WAN firewall rules, and select fw logs.  I set up what I believe are the correct NAT/FW rules, but still no luck.

    T/S so far:
    -Using ssh from an AWS instance to test the connection.
    -I see from the logs traffic appears to be passing through but blocked on the return where it is routed to the wrong interface (StrongVPN).
    -Verified packet flow with tcpdump on the pfsense DMZ interface and the DMZ host machine. I see packets flowing from the internet through the firewall WAN to the host, but the response TCP:SA are blocked outbound??
    -Created a DMZ firewall rule routing port 22 traffic through the WAN gateway even though it is the default gateway, no change.

    I would appreciate any assistance, let me know if there are any questions I can answer, thanks.

    ![NAT rule.jpg](/public/imported_attachments/1/NAT rule.jpg)
    ![FW Rule.jpg](/public/imported_attachments/1/FW Rule.jpg)
    ![FW Log.jpg](/public/imported_attachments/1/FW Log.jpg)

  • Hi joelmale,

    Can you post your pfSense routing table (Diagnostics -> Routes)?

    Edit: Most likely, it could be that you are experiencing the same problem as described in this thread: https://forum.pfsense.org/index.php?topic=80086.0

  • Ok thanks for the cross link, I did a little more troubleshooting, but I'm not quite there yet.

    I added the route-nopull option but did not see a change.  However, I did have the "redirect-gateway def1" option, so removing that but keeping the "route-nopull" option on, she works like a charm!  I took some before and after shots of my routes table to see what was being pushed and its effect.  I guess I'll bone up on my understanding of routing.

    Thanks for the help.  This is my first post; do I log it as solved or closed?  Not sure on the SOP here…
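
The routing behaviour behind the first post (SYN/ACK replies leaving via the VPN interface instead of WAN) and the fix in the post above (dropping "redirect-gateway def1") can be checked mechanically. The example below is added here and is not code from the thread or from pfSense: it parses two constructed `netstat -rn` style tables (the addresses, interface names `em0`/`em1`/`ovpnc1` and the AWS client IP are all invented), performs a longest-prefix route lookup, flags the `0.0.0.0/1` + `128.0.0.0/1` pair that OpenVPN's `redirect-gateway def1` installs to out-rank the real default route, and reports whether a reply to a forwarded connection would exit on the same interface it arrived on.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of a pfSense "netstat -rn" IPv4 table while an OpenVPN client that
# pushes "redirect-gateway def1" is up. Addresses and interfaces are invented:
# em0 = WAN (default gateway 203.0.113.1), em1 = DMZ, ovpnc1 = the OpenVPN client tunnel.
ROUTES_WITH_DEF1 = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
0.0.0.0/1          10.8.0.5           UGS      ovpnc1
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
128.0.0.0/1        10.8.0.5           UGS      ovpnc1
192.168.10.0/24    link#2             U           em1
203.0.113.0/24     link#1             U           em0
"""

# Same table after the client config uses "route-nopull" without "redirect-gateway def1":
# only the tunnel subnet itself is routed via ovpnc1, the default route is untouched.
ROUTES_NOPULL = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
192.168.10.0/24    link#2             U           em1
203.0.113.0/24     link#1             U           em0
"""


def parse_routes(table):
    """Parse a netstat-style IPv4 table into (network, gateway, netif) tuples."""
    routes = []
    for line in table.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, gateway, _flags, netif = parts[:4]
        net = ip_network("0.0.0.0/0") if dest == "default" else ip_network(dest, strict=False)
        routes.append((net, gateway, netif))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet addressed to dst would leave on."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, _gateway, netif = max(matches, key=lambda r: r[0].prefixlen)
    return netif


def def1_override(routes):
    """Return the interface owning the 0.0.0.0/1 and 128.0.0.0/1 pair that
    "redirect-gateway def1" installs (a /1 beats the /0 default on prefix length),
    or None when the default route is still the effective one."""
    halves = {str(net): netif for net, _gw, netif in routes if net.prefixlen == 1}
    lower, upper = halves.get("0.0.0.0/1"), halves.get("128.0.0.0/1")
    if lower and lower == upper:
        return lower
    return None


def check_reply_path(routes, ingress_if, client_ip):
    """A forwarded connection arriving on ingress_if must be answered out the same
    interface; otherwise the return SYN/ACK is routed elsewhere and the firewall drops
    it as out-of-state. Returns (egress_if, symmetric)."""
    egress = egress_interface(routes, client_ip)
    return egress, egress == ingress_if


if __name__ == "__main__":
    # 198.51.100.7 stands in for the AWS test client (constructed value).
    for label, table in (("redirect-gateway def1", ROUTES_WITH_DEF1), ("route-nopull", ROUTES_NOPULL)):
        routes = parse_routes(table)
        egress, ok = check_reply_path(routes, "em0", "198.51.100.7")
        print(f"{label}: reply leaves via {egress}, symmetric={ok}, "
              f"def1 override on {def1_override(routes)}")
```

With the def1 table the reply to the client is routed out `ovpnc1` even though `default` still points at WAN, which is exactly why the port forward appears to work inbound but the SYN/ACK is blocked outbound; with the nopull table the same lookup returns `em0`. Feeding real `netstat -rn` output from Diagnostics -> Routes into `parse_routes` is enough to reproduce the before/after comparison the poster did by eye.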

  • Sometimes topic owners edit the subject (or a moderator does it) and add [Solved] to the beginning, but I don't think there is a written rule that says you must do so.
