Can not foward ports
-
I am running 2.15 and am having problems setting up port fowarding for POP and SMTP
I currently have a ADSL router connected to my WAN port, and appreciate that I have double NAT going on.
I have followed the setup here http://www.vircom.com/security/howto-setup-pfsense-firewall/?doing_wp_cron=1420023961.0645000934600830078125 but using POP3 and SMTP. But when I check using http://www.yougetsignal.com/tools/open-ports/ on any PC connected to the LAN port (via a switch), ports 110 and 25 are shown as closed?
In firewall logs I find that trarffic is being blocked with a TCP-S marker which suggests that I am using the wroung rule setup. However I have googled a number of pfsense port fowarding guides, and they all show the same setup to what I have used? I have also looked at the pfsense port fowarding trouble shooting guide too.
Instead of WAN addess for destination, I have tried using the gateway adress of the ADSL router (192.168.2.1) instead but this has no efffect, I am using a 192.168.1.x network for LAN
I just cant get it to work and would be grateful for assistance.
Is the problem that I have double NAT, and would setting the ADSL router into bridge mode, so that I only have a single NAT solve the problem?
I use a VPN set up on one PC using the VPN vendors software to connect (AirVPN), with VPN set up I am able to access ports 110 and 25 correctly, but obviously this only works on this PC
-
I should add that I have followed the trouble shooting guide here https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Under Diagnostics > States no entries are found relating to ports 110 and 25?
I have tried disabling the antivirus software on each PC too, but this has no effect
From the firewall log, this is what I get when trying port 110
block Dec 31 12:22:08 LAN Icon Reverse Resolve with DNS Icon Easy Rule: Add to Block List 192.168.1.2:51051 Icon Reverse Resolve with DNS Icon Easy Rule: Pass this traffic 65.20.0.43:110 TCP:S
192.168.1.2 is the PC to which I am trying to port forward to.
I am running Snort and Squid, but was having the same probelm before they were installed. Pausing them has no effect.
-
"I currently have a ADSL router connected to my WAN port, and appreciate that I have double NAT going on."
Did you uncheck to block private IPs on your wan? You also want to make sure that network you have on wan is different than your lan.
And unless I am reading this wrong - why would you be doing a port forward?? Looks like 192.168.1.2 from source port 51051 is trying to talk to 65.20.0.43:110, that is NOT a port forward - that is simple firewall rule to allow that traffic out. Which would be allowed by the default any any rule - that you must of changed? Or is this network on opt interface that you did not create any rules on.
That sure looks like a mail server to me
; ANSWER SECTION:
43.0.20.65.in-addr.arpa. 86400 IN PTR mail.btinternet.bt.lon5.cpcloud.Mail server would not be talking inbound to you on port 110, you would be talking to it on 110 (pop) and 25 smtp, etc.. You sure your isp does not block 25.. Maybe isp will block outbound on 25 to anything other than their smtp server on residential connections.
-
Thanks for your reply, I have checked and "Block Private Networks" and it is not clicked.
Upon a fresh installation of pfSense, I was not able to send or recieve email from any PC connected to the LAN port by a switch. I am using ports 110 POP3 and 587 SMTP (and have tried 25 too).
The only way that I can recieve email at present is via a VPN client programme on a single PC
I thought that the popular ports would be passed by the firewall by default? It was due to me not being able to send and recieve email that I thought that I needed to port foward the assciated ports?
I have created a port forward for 110 to 192.68.1.2 and a seperate firewire rule to allow 110 to 192.168.1.2, looking at the firewall log 110 traffic is blocked?
I have deleted the port foward leaving the firewall rule to allow 110 to 192.168.1.2, but again traffic is blocked?
I am very new to pfSense, ultimately what I am trying to ensure is that that all PC's on the LAN network can send and recieve email.
![110 Blocked.jpg](/public/imported_attachments/1/110 Blocked.jpg)
![110 Blocked.jpg_thumb](/public/imported_attachments/1/110 Blocked.jpg_thumb) -
Again your NOT wanting a port forward.. Port forwards are for unsolicited inbound traffic to your private IP..
So your email server is this IP.. 65.20.0.43 That is a IP on the public NET.. I can talk to it just fine on port 25
telnet 65.20.0.43 25
Trying 65.20.0.43…
Connected to 65.20.0.43.
Escape character is '^]'.
220 rgout02.bt.lon5.cpcloud.co.uk ESMTP Service readyWhat is your LAN rules?? This is where you allow traffic to the internet, port forwards would be if you were running the mail server on 192.168.1.2, and you wanted me to be able to talk to it from my public IP address.
So for example your public IP lets say is 1.2.3.4, and I am on 5.6.7.8, and you are running a mail server on 192.168.1.2 behind your public IP 1.2.3.4 -- you would port forward port 25 to 192.168.1.2 -- then if someone on the internet connected to 1.2.3.4 on port 25 it would be fowarded to 192.168.1.2 on port 25.
This is NOT what you want if your just trying to talk to some mailserver on the internet -- you need to allow this traffic. What are your LAN rules, that is what blocking it.. Your block in your log shows that 192.168.1.2 coming from source port of 52550 is trying to talk to 65.20.0.43 on port 110 (pop3) to get mail - and pfsense blocked that.. because you have edited the lan rules, or deleted the any any rule??
Keep in mind that if this is not your ISP smtp server traffic to specific ports for email might blocked.. I have never heard of 110 being blocked - but 25 is blocked all the time.. comcast does not allow me to talk to that server on 25 for example. I have to use one of my vps on the public internet to access it like above. But in your current setup pfsense is blocking you from even trying to go to the internet on that port. So please post your LAN rules. And your floating rules should be empty.
-
Please find attached screenshots for WAN and LAN rules
I have now found that by moving the "Default allow LAN to any rule rule above the pfBlocker rules, that I am able to access email on all PC's, so I guess that one or more of the pfBlocker rules were stopping email.
This is strange on an initial install of pfSense, with default rules, I was not able to get email working on all PC's. I subsequently installed Snort, Squid and pfBlocker
Thank you very much for your help, I have the pfSense 2 Cookbook, but have found it useless
![WAN Rules.jpg](/public/imported_attachments/1/WAN Rules.jpg)
![WAN Rules.jpg_thumb](/public/imported_attachments/1/WAN Rules.jpg_thumb)
![LAN Rules 2.jpg](/public/imported_attachments/1/LAN Rules 2.jpg)
![LAN Rules 2.jpg_thumb](/public/imported_attachments/1/LAN Rules 2.jpg_thumb) -
You do understand that all of the pfblocker rules as listed are completely useless.. Since you have now have a rule that allows any any above them all.
If pfblocker was blocking access then it would of listed that as the rule - you seem to have descriptions turned off, see attachment
I agree the cookbook is not going to be a lot of help if don't understand basic concepts, like what a port forward is and when it would be used ;)
To be honest turning on all those packages and filtering like snort and pfblocker is more than likely just going to cause stuff not to work, using squid - you are familiar with what a proxy is and how it works?
I would suggest you install pfsense clean, leave the deafult rule of any any and slowing add functionality that you are atleast somewhat familiar with on functionality.. You have like a bizillion auto pfblocker rules.. Do you know what all those rules are suppose to be blocking? Do you need those blocked?
I would pick a package 1 at a time to install and setup. Snort can if not configured correctly block all sorts of traffic that you would normally want to allow for example.. Same with pfblocker - maybe what your trying to access is blocked by one of those aliases you have listed - like every single one of them ;) Really why??
So you mention that email was not working on clean install - so your thought process is to install all kinds of packages and proxy that block even more stuff?? Just really confused with that logic..
-
Thanks again for your reply, I did find it strange that port fowarding would be used for common ports, as my previous experience is that I have only had to use this for specialist software and games.
I am aware that pfBlocker rules are currently useless, what I am now looking to do is move the default LAN rule down the list one at a time to find the pfBlocker rule which is preventing email. Once I have found the culprit I can then delete it.
I am fairly familar with proxy, but must admit that it is not really needed in a home evironment, I can see the use in the commercial world where you may have many users all wanting the same web page!
I do take on board your comment about loading one application at a time, rather then loading several at once and then finding out there are problems. I guess that it is just impatience on my part.
As new user it is great to see a users community out there willing to help, I know you would not get this if you have just paid ££££ for a new Jupiter device, unless you have a service contract every call to a helpdesk would be chargeable.