Netgate Discussion Forum
    Firewall blocks port that is allowed in the rules list

    Firewalling | 22 Posts | 5 Posters | 8.9k Views

    • aeropilot

      Hi.

      I'm trying to let MS RDP traffic through the firewall, so I have created both a NAT rule to route the traffic and the corresponding firewall rule.

      Internally I can connect to the MS RDP service.

      When I connect from outside I can see that the packet is being dropped in the System Logs - Firewall tab, and when I click the cross it says:

      The rule that triggered the action is:
      @275 block drop in log quick all label "Default block all just to be sure"

      In my firewall rules list I only have one blocking rule (the one for blocking bogus networks), and have tried to disable it with no luck. I have a bunch of other rules to allow normal server traffic ports to pass (25, 80, etc.) and they all work.

      Can anyone point me in the direction of what/why there apparently is a rule that I cannot find or disable?

      Best regards
      Klaus

      • sh_man

        The default rule is not "visible" - it is just that - a default rule.

        On the WAN interface there is a default rule that blocks all traffic - you then let only the traffic through that you need.

        What exactly was the rule that you created on the WAN interface to let the RDP through?

        • aeropilot

          Hi again.

          I have uploaded 2 screenshots of my rules. Hope this helps.

          All my rules:

          The specific rule for 3389:

          • sh_man

            The rule looks OK.

            Can you take a screen dump of the log line with the blocked traffic in it (not the popup when you click the red X)?

            • jahonix

              Did you port forward 3389 to your internal IP by NATting as well?

              Something like:
              WAN  |  TCP  |  ext.port (12345)  |  10.10.0.10  |  3389 (MS RDP)  |  RDP -> MS-machine

              This way you have to connect to your external IP on port 12345 to reach your 10.10.0.10:3389.

              • hoba

                Yes, please show us the firewall block log and your nat-rule as well.

                • aeropilot

                  Hi All.

                  Sorry for the delay. I did a new install of pfSense 1.2 and recreated all my rules, and now it works.

                  My guess is that somehow the firewall rule was not loaded, since it was blocked by the default rule.

                  Thanks for your quick responses.
                  Best regards
                  Klaus

                  • hoba

                    My suspicion is that you had "any" in your NAT rule instead of "interface IP". This is a common error that some people make when setting up NAT the first time. I guess you just did it right the second time, but I guess we'll never know now. Glad you got it working though :-)

                    • aeropilot

                      Hi.

                      Sorry about that - I was just too eager to fix it :-\

                      Just for the record, I tried to change the NAT rule on the new installation to 'any' and reset states. I could still connect from the outside. But then again it's not the original rule, and there is a great probability that I might have messed something up ;)

                      • A Former User

                        Hi

                        I really have a similar issue.

                        I try to forward my SIP traffic from port 5060 to my internal Asterisk server, but pfSense blocks all my SIP traffic.

                        The rule that triggered the action is:
                        @702 block drop in log quick all label "Default block all just to be sure"

                        I also upgraded to pfSense 1.2 but it didn't help. I didn't create all my config anew, I did a restore.

                        Thanks for your help

                        Mike

                        • hoba

                          You have to show us the NAT rule and the firewall rule or we can't help you.

                          • A Former User

                            What is the best way? A print screen or the config files?

                            thx mike

                            • A Former User

                              Here is the XML part from the NAT section:

                              <nat>
                                <ipsecpassthru/>
                                <rule>
                                  <protocol>tcp</protocol><external-port>22</external-port>
                                  <target>192.168.1.16</target><local-port>22</local-port>
                                  <interface>wan</interface><descr>SSH Server Enif</descr>
                                </rule>
                                <rule>
                                  <protocol>tcp</protocol><external-port>80</external-port>
                                  <target>192.168.20.14</target><local-port>80</local-port>
                                  <interface>wan</interface><descr>Web Server Scutum</descr>
                                </rule>
                                <rule>
                                  <protocol>udp</protocol><external-port>5060-5062</external-port>
                                  <target>192.168.1.15</target><local-port>5060</local-port>
                                  <interface>wan</interface><descr>SIP</descr>
                                </rule>
                                <rule>
                                  <protocol>udp</protocol><external-port>10000-10200</external-port>
                                  <target>192.168.1.15</target><local-port>10000</local-port>
                                  <interface>wan</interface><descr>RTP</descr>
                                </rule>
                                <advancedoutbound>
                                  <rule>
                                    <source><network>192.168.1.0/24</network></source>
                                    <sourceport/><descr>LAN --> WAN</descr><target/>
                                    <interface>wan</interface>
                                    <destination><any/></destination><natport/>
                                  </rule>
                                  <rule>
                                    <source><network>192.168.30.0/24</network></source>
                                    <sourceport/><descr>WLAN --> WAN</descr><target/>
                                    <interface>wan</interface>
                                    <destination><any/></destination><natport/>
                                  </rule>
                                  <rule>
                                    <source><network>192.168.20.0/24</network></source>
                                    <sourceport/><descr>DMZ --> WAN</descr><target/>
                                    <interface>wan</interface>
                                    <destination><any/></destination><natport/>
                                  </rule>
                                  <enable/>
                                </advancedoutbound>
                              </nat>

                              and the rules:

                              <filter>
                                <rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <max-src-conn-rate>1</max-src-conn-rate><max-src-conn-rates>10</max-src-conn-rates>
                                  <protocol>tcp</protocol>
                                  <source><any/></source>
                                  <destination><address>192.168.1.16</address><port>22</port></destination>
                                  <log/><descr>NAT SSH Server Enif</descr>
                                </rule>
                                <rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>tcp</protocol>
                                  <source><any/></source>
                                  <destination><any/><port>443</port></destination>
                                  <log/><descr>OpenVPN Server ( spez. inport https )</descr>
                                </rule>
                                <rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>tcp</protocol>
                                  <source><any/></source>
                                  <destination><address>192.168.20.14</address><port>80</port></destination>
                                  <descr>NAT Web Server Scutum</descr>
                                </rule>
                                **<rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>udp</protocol>
                                  <source><network>wanip</network></source>
                                  <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
                                  <log/><descr>NAT SIP</descr>
                                </rule>**
                                <rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>tcp</protocol>
                                  <source><network>wanip</network></source>
                                  <destination><network>opt2</network></destination>
                                </rule>
                                **<rule>
                                  <type>pass</type><interface>wan</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>udp</protocol>
                                  <source><any/></source>
                                  <destination><address>192.168.1.15</address><port>10000-10200</port></destination>
                                  <log/><descr>NAT RTP</descr>
                                </rule>**
                                <rule>
                                  <type>pass</type><interface>opt2</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <source><network>opt2</network></source>
                                  <destination><network>lan</network></destination>
                                </rule>
                                <rule>
                                  <type>pass</type><interface>opt1</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <source><network>opt1</network></source>
                                  <destination><network>wanip</network></destination>
                                </rule>
                                <rule>
                                  <type>pass</type><interface>opt1</interface>
                                  <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                  <protocol>tcp/udp</protocol>
                                  <source><network>opt1</network><port>22</port></source>
                                  <destination><network>lan</network><port>22</port></destination>
                                </rule>
                                <rule>
                                  <type>pass</type><descr>Default LAN -> any</descr><interface>lan</interface>
                                  <source><network>lan</network></source>
                                  <destination><any/></destination>
                                </rule>
                                <rule>
                                  <interface>enc0</interface><type>pass</type>
                                  <source><any/></source>
                                  <destination><any/></destination>
                                  <descr>Permit IPSEC traffic.</descr><statetype>keep state</statetype>
                                </rule>
                              </filter>

                              thx mike

                              • hoba

                                You should forward and allow tcp for the 506x ports too. The higher ports should be udp only but depending on the implementation it might need tcp there too ( http://en.wikipedia.org/wiki/Session_Initiation_Protocol ).

                                • A Former User

                                  Ok

                                  I changed this, but what is totally unclear to me is why pfSense blocks my traffic that I want to pass?

                                  thx mike

                                  • hoba

                                    Show us the exact line of the block that you think should be a pass. Your firewall rules are somehow wrong. There is no other reason why it should block traffic besides that.

                                    • A Former User

                                      hi

                                      That's the bold ones in the previous post; here only this one:

                                      NAT:

                                      <rule>
                                        <protocol>udp</protocol><external-port>5060-5062</external-port>
                                        <target>192.168.1.15</target><local-port>5060</local-port>
                                        <interface>wan</interface><descr>SIP</descr>
                                      </rule>

                                      Rules:

                                      <rule>
                                        <type>pass</type><interface>wan</interface>
                                        <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
                                        <protocol>udp</protocol>
                                        <source><network>wanip</network></source>
                                        <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
                                        <log/><descr>NAT SIP</descr>
                                      </rule>

                                      thx mike

                                      • hoba

                                        I was able to read the bold text the first time already ;)

                                        I wanted to see the exact line of the block from Status > System Logs > Firewall.

                                        • A Former User

                                          sorry

                                          here the line:

                                          "Mar 17 20:35:36  WAN  62.65.128.62:5060  192.168.1.15:5060  UDP"

                                          mike

                                          • hoba

                                            On the port forward, do you happen to have external address set to "any" instead of the interface IP?
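
An added example, not from the thread or from pfSense itself: a small audit over a constructed config.xml excerpt reduced to Mike's SIP and RTP port forwards and their WAN pass rules. It pairs each port forward with the WAN pass rule covering the same protocol, target and port range (the way the posted rules pair them) and flags a pass rule whose source is not "any". A source of wanip only matches packets sent from the firewall's own WAN address, so a packet from another host such as 62.65.128.62 in the logged line never matches that rule and falls through to the default block.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a pfSense 1.2-style config.xml: the SIP and RTP port forwards and
# their WAN pass rules as posted, SIP with source restricted to wanip, RTP open to any source.
CONFIG_XML = """<pfsense>
  <nat>
    <rule><protocol>udp</protocol><external-port>5060-5062</external-port>
      <target>192.168.1.15</target><local-port>5060</local-port>
      <interface>wan</interface><descr>SIP</descr></rule>
    <rule><protocol>udp</protocol><external-port>10000-10200</external-port>
      <target>192.168.1.15</target><local-port>10000</local-port>
      <interface>wan</interface><descr>RTP</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><network>wanip</network></source>
      <destination><address>192.168.1.15</address><port>5060-5062</port></destination>
      <descr>NAT SIP</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.15</address><port>10000-10200</port></destination>
      <descr>NAT RTP</descr></rule>
  </filter>
</pfsense>"""

def port_range(text):
    lo, _, hi = text.partition("-")  # "5060-5062" -> (5060, 5062); "5060" -> (5060, 5060)
    return int(lo), int(hi or lo)

def audit_port_forwards(xml_text):
    """One finding per NAT port forward whose WAN pass rule is missing or source-restricted."""
    root = ET.fromstring(xml_text)
    wan_passes = [r for r in root.find("filter").findall("rule")
                  if r.findtext("type") == "pass" and r.findtext("interface") == "wan"]
    findings = []
    for fwd in root.find("nat").findall("rule"):
        proto, target = fwd.findtext("protocol"), fwd.findtext("target")
        lo, hi = port_range(fwd.findtext("external-port"))
        match = None
        for r in wan_passes:
            dst = r.find("destination")
            port = dst.findtext("port")
            # Same protocol, filter destination equal to the NAT target, port range covering the forward.
            if r.findtext("protocol") != proto or dst.findtext("address") != target or not port:
                continue
            plo, phi = port_range(port)
            if plo <= lo and hi <= phi:
                match = r
                break
        descr = fwd.findtext("descr")
        if match is None:
            findings.append(f"{descr}: no WAN pass rule for {proto}/{lo}-{hi} to {target}")
        elif match.find("source/any") is None:
            src = match.findtext("source/network") or match.findtext("source/address")
            findings.append(f"{descr}: pass rule '{match.findtext('descr')}' only admits source "
                            f"{src}; other hosts fall through to the default block")
    return findings
```

Calling audit_port_forwards(CONFIG_XML) returns a single finding, for the SIP forward, while the RTP forward with its any-source pass rule is reported clean.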

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.