Port Forward to DMZ / Web FTP Server
Hello from Austria,
I have already read dozens of threads about port forwarding, but I don't know: either it really doesn't work or I'm too stupid ;)
We will change from a Zywall USG to pfSense. On the Zywall everything worked, but I can't get it working here.
My setup is the following:
Wan IP is 178.x.x.220
Usable IPs are .220, .221, .222 (only these three because the modem is using the others for HSRP (HA with cellular modem))
I have 3 interfaces: WAN, LAN and DMZ.
I can connect from LAN to DMZ, and DMZ has Internet access but not LAN access. This is ok.
But I can't get from WAN to my FTP server in DMZ.
I created a firewall alias CrushFTPServer with internal DMZ IP 10.99.100.10
and a port alias CrushFTPPorts "80, 443, 21, 990".
Then I created a virtual IP (Screenshot 1)
With this virtual IP I created a new Port Forwarding. (screenshot2 and screenshot3).
This creates a new firewall rule. I am also posting all my firewall rules (screenshot 4-6).
Now when I'm trying to connect to my public IP .221 I get no response.
I tried "Diagnostics: Packet Capture" on my IP .221 with the result:
23:23:20.070496 IP 129.x.x.11.50385 > 178.x.x.221.80: tcp 0
It looks like something gets to the firewall but not further. I also tried the Packet
Capture with "full" mode, but I can't read the output.
23:26:29.301441 f8:71:ea:34:42:60 > 00:0d:b9:31:c2:48, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 52, id 63928, offset 0, flags [DF], proto TCP (6), length 64)
129.x.x.11.50428 > 178.x.x.221.80: Flags [ S ], cksum 0xd2b6 (correct), seq 1048881925, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 299519922 ecr 0,sackOK,eol], length 0
Did I forget something, or configure something wrong?
Thanks in advance,
PS: I'm not a native English speaker, so I hope you understand what I mean :)
I found something weird.
It works if I don't use the alias as NAT IP (screenshot7). Is it not possible to use the alias for the same IP address?
It works now.
Well, what was your alias? Could pfSense resolve what was in your alias as that IP? Did you have some name in there that resolved to something else?