Netgate Discussion Forum

    Port Forward to DMZ / Web FTP Server

      philipp

      Hello from Austria,

      I already read dozens of threads about port forwarding, but I don't know, either it really doesn't work or I'm too stupid  ;)
      We will change from a Zywall USG to pfSense. On the Zywall everything worked, but I'm not getting it to work here.

      My setup is the following:

      Wan IP is 178.x.x.220
      Gateway 178.x.x.217
      Subnetmask 255.255.255.248
      Usable IPs are .220, .221, .222 (only these three because the modem is using the others for HSRP (HA with cellular modem))

      I have 3 Interfaces, WAN, LAN and DMZ.
      I can connect from LAN to DMZ, and DMZ has Internet access but not LAN access. This is ok.

      But I can't get from WAN to my FTP server in DMZ.

      I created a Firewall Alias CrushFTPServer with Internal DMZ IP 10.99.100.10
      and a Port Alias CrushFTPPorts "80, 443, 21, 990".

      Then I created a virtual IP (Screenshot 1)
      With this virtual IP I created a new Port Forwarding. (screenshot2 and screenshot3).

      This creates a new firewall rule. Also I post my whole firewall rules (screenshot 4-6).

      Now when I'm trying to connect to my public IP .221 I get no response.
      I tried "Diagnostics: Packet Capture" on my IP .221 with the result:
      23:23:20.070496 IP 129.x.x.11.50385 > 178.x.x.221.80: tcp 0

      It looks like something gets to the firewall but not further. I also tried the Packet
      Capture with "full" mode, but I can't read the output.

      23:26:29.301441 f8:71:ea:34:42:60 > 00:0d:b9:31:c2:48, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 52, id 63928, offset 0, flags [DF], proto TCP (6), length 64)
          129.x.x.11.50428 > 178.x.x.221.80: Flags [ S ], cksum 0xd2b6 (correct), seq 1048881925, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 299519922 ecr 0,sackOK,eol], length 0

      Did I forget something, or make a wrong configuration?

      Thanks in advance,
      Philipp

      PS: I'm not a native English speaker, so I hope you understand what I mean :)

      screenshot1.jpg
      screenshot2.jpg
      screenshot3.jpg
      screenshot4.jpg
      screenshot5.jpg
      screenshot6.jpg

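The "full" capture output quoted in the first post can be read mechanically. The following Python is an added example, not code from the thread or from pfSense: it pairs each inbound SYN with a SYN-ACK or RST travelling back to the same client. The function name `syn_status` and the sample capture (documentation-range addresses) are assumptions made for the illustration.

```python
import re

# Constructed sample in the "full" detail layout shown in the post. Addresses
# are documentation ranges (assumed), not values from the thread.
SAMPLE = """\
23:26:29.301441 IP (tos 0x0, ttl 52, id 63928, offset 0, flags [DF], proto TCP (6), length 64)
    198.51.100.11.50428 > 203.0.113.221.80: Flags [ S ], seq 1048881925, win 65535, length 0
23:26:30.302117 IP (tos 0x0, ttl 52, id 63929, offset 0, flags [DF], proto TCP (6), length 64)
    198.51.100.11.50428 > 203.0.113.221.80: Flags [ S ], seq 1048881925, win 65535, length 0
23:26:31.100000 IP (tos 0x0, ttl 52, id 63930, offset 0, flags [DF], proto TCP (6), length 64)
    198.51.100.11.50430 > 203.0.113.221.443: Flags [S], seq 7001, win 65535, length 0
23:26:31.100412 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.221.443 > 198.51.100.11.50430: Flags [S.], seq 9001, ack 7002, win 65228, length 0
23:26:32.200000 IP (tos 0x0, ttl 52, id 63931, offset 0, flags [DF], proto TCP (6), length 64)
    198.51.100.11.50431 > 203.0.113.221.21: Flags [S], seq 8001, win 65535, length 0
23:26:32.200090 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    203.0.113.221.21 > 198.51.100.11.50431: Flags [R.], seq 0, ack 8002, win 0, length 0
"""

# "src.port > dst.port: Flags [..]"; tolerates the spaces inside the brackets
# seen in the post and redacted octets written as "x".
PACKET = re.compile(
    r"(?P<src>[\dx.]+)\.(?P<sport>\d+) > (?P<dst>[\dx.]+)\.(?P<dport>\d+): "
    r"Flags \[\s*(?P<flags>[A-Z.]+)\s*\]")

def syn_status(capture):
    """Map each client flow (src, sport, dst, dport) that sent a SYN to
    'answered' (SYN-ACK seen), 'reset' (RST seen) or 'no reply'."""
    flows = {}
    for m in PACKET.finditer(capture):
        src = (m["src"], int(m["sport"]))
        dst = (m["dst"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":                    # bare SYN: client opening a connection
            flows.setdefault(src + dst, "no reply")
        elif dst + src in flows:            # packet travelling back to that client
            if flags == "S.":
                flows[dst + src] = "answered"
            elif flags.startswith("R") and flows[dst + src] == "no reply":
                flows[dst + src] = "reset"
    return flows

if __name__ == "__main__":
    for flow, state in syn_status(SAMPLE).items():
        print(flow, state)
```

A flow that stays at `no reply` in a WAN capture means the SYN arrived and nothing came back; repeating the capture on the DMZ interface shows whether the translated packet was forwarded at all.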
        philipp

        I found something weird.

        It works if I don't use the alias as NAT IP (screenshot7). Is it not possible to use the alias for the same IP address?
        It works now.

        screenshot7.jpg

          johnpoz LAYER 8 Global Moderator

          Well what was your alias - could pfsense resolve what was in your alias as that IP, did you have some name in there that resolved to something else?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
