Update to 2.1.5 destroyed Port forwarding completely



  • Hello

    Just made an in-place (auto) update from 2.0.1 to 2.1.5. After reboot none of the port forwards are working anymore.
    I can configure/reconfigure whatever I want, nothing helps. Rebooted many times, cleaned out all existing rules and recreated them anew, etc.

    Removed and configured port forwards again with filter rules or just pass, no success.
    Outbound NAT is set to default (automatic outbound NAT rule generation).
    I can even create a specific rule from my IP address to the IP behind the firewall, port forward isn't working.
    Filter log shows nothing interesting.

    In pfctl -sn there are some very strange entries which do not really make sense. Are there any ideas why this happened?

    pfctl -sn output:

    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/" all
    nat on pppoe0 inet from 192.168.5.0/24 port = isakmp to any port = isakmp -> 213.xxx.228.27 port 500
    nat on pppoe0 inet from 10.0.0.0/24 port = isakmp to any port = isakmp -> 213.xxx.228.27 port 500
    nat on pppoe0 inet from 10.254.1.0/24 port = isakmp to any port = isakmp -> 213.xxx.228.27 port 500
    nat on pppoe0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 213.xxx.228.27 port 500
    nat on pppoe0 inet from 192.168.5.0/24 to any -> 213.xxx.228.27 port 1024:65535
    nat on pppoe0 inet from 10.0.0.0/24 to any -> 213.xxx.228.27 port 1024:65535
    nat on pppoe0 inet from 10.254.1.0/24 to any -> 213.xxx.228.27 port 1024:65535
    nat on pppoe0 inet from 127.0.0.0/8 to any -> 213.xxx.228.27 port 1024:65535
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/" all
    rdr pass on pppoe0 inet proto tcp from any to 213.xxx.228.27 port = 22222 -> 192.168.5.100 port 22
    rdr pass on vr0 inet proto tcp from any to 213.xxx.228.27 port = 22222 -> 192.168.5.100 port 22
    rdr pass on openvpn inet proto tcp from any to 213.xxx.228.27 port = 22222 -> 192.168.5.100 port 22
    rdr pass on pppoe0 inet proto tcp from any to 213.xxx.228.27 port = ssh -> 192.168.5.100
    rdr pass on vr0 inet proto tcp from any to 213.xxx.228.27 port = ssh -> 192.168.5.100
    rdr pass on openvpn inet proto tcp from any to 213.xxx.228.27 port = ssh -> 192.168.5.100
    rdr pass on pppoe0 inet proto tcp from any to 213.xxx.228.27 port = 10443 -> 192.168.5.100 port 443
    rdr on vr0 inet proto tcp from any to 213.xxx.228.27 port = 10443 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on openvpn inet proto tcp from any to 213.xxx.228.27 port = 10443 tag PFREFLECT -> 127.0.0.1 port 19000
    rdr on pppoe0 inet proto tcp from any to 213.xxx.228.27 port = 3389 -> 192.168.5.110
    rdr-anchor "miniupnpd" all



  • Just recognized that outgoing connections are also completely broken. But there is a rule which allows LAN->any any.
    Very strange.



  • Port forwarding doesn't break by upgrading. It's almost certainly something that would have happened upon reboot, or in much rarer cases something wasn't right to begin with but worked by coincidence.

    Why do you have the same port forwards on both vr0 and pppoe0?
    What does your port forward screen look like?
    Is 213.xxx.228.27 your correct WAN IP? Could have been manually configured to something static that isn't really static and you got a different IP post-reboot, is why I ask.
    Is there something else that prompted you to refer to "very strange entries"? Aside from having the same port forwards on two interfaces, the remainder looks normal.
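
The two checks raised in the last reply (the same forward appearing on several interfaces, and whether the rdr destination is still the current WAN IP) can be run over `pfctl -sn` output. This is an added example, not part of the thread or of pfSense; the sample rules are constructed from the output above with 203.0.113.27 standing in for the redacted address, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the rdr lines quoted in the thread.
# 203.0.113.27 (documentation range) stands in for the redacted WAN address.
SAMPLE = """\
no rdr proto carp all
rdr pass on pppoe0 inet proto tcp from any to 203.0.113.27 port = 22222 -> 192.168.5.100 port 22
rdr pass on vr0 inet proto tcp from any to 203.0.113.27 port = 22222 -> 192.168.5.100 port 22
rdr on vr0 inet proto tcp from any to 203.0.113.27 port = 10443 tag PFREFLECT -> 127.0.0.1 port 19000
rdr on pppoe0 inet proto tcp from any to 203.0.113.27 port = 3389 -> 192.168.5.110
"""

# Matches only the rdr rule shape seen in the thread's output.
RDR = re.compile(
    r"^rdr (?:pass )?on (?P<iface>\S+) inet proto (?P<proto>\S+) "
    r"from any to (?P<dst>\S+) port = (?P<port>\S+)"
    r"(?P<reflect> tag PFREFLECT)? -> (?P<target>\S+)(?: port (?P<tport>\S+))?$"
)

def parse_rdr(text):
    """Return one dict per rdr rule; anchors and 'no rdr' lines are skipped."""
    return [m.groupdict() for m in
            (RDR.match(line.strip()) for line in text.splitlines()) if m]

def audit(text, wan_ip):
    """Return (duplicates, stale) for pfctl -sn output and the current WAN IP.

    duplicates: forward -> interfaces, for forwards present on 2+ interfaces
    stale:      rules whose destination address is not wan_ip
    """
    rules = parse_rdr(text)
    by_forward = defaultdict(list)
    for r in rules:
        if r["reflect"]:  # PFREFLECT-tagged rules are NAT reflection redirects
            continue
        key = (r["proto"], r["dst"], r["port"], r["target"], r["tport"])
        by_forward[key].append(r["iface"])
    duplicates = {k: v for k, v in by_forward.items() if len(v) > 1}
    stale = [r for r in rules if r["dst"] != wan_ip]
    return duplicates, stale

if __name__ == "__main__":
    dups, stale = audit(SAMPLE, "203.0.113.27")
    for (proto, dst, port, target, tport), ifaces in dups.items():
        print(f"{proto} {dst}:{port} -> {target}:{tport or port} on {ifaces}")
    print(f"{len(stale)} rule(s) point at an address other than the WAN IP")
```

A non-empty `stale` list corresponds to the case the reply describes, where the address in the rules no longer matches what the WAN interface received after reboot.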

