Port Forward to DMZ / Web FTP Server

  • Hello from Austria,

    I already read dozens of threads about port forwarding, but I don't know, either it really don't work or I'm to stupid  ;)
    We will change from a Zywall USG to pfSense. On the Zywall everything worked, but I'm not getting it worked here.

    My setup is the following:

    Wan IP is 178.x.x.220
    Gateway 178.x.x.217
    Usable IPs are .220, .221, .222 (only these three because the modem using the others for HSRP (HA with cellular modem))

    I have 3 Interfaces, WAN, LAN and DMZ.
    I can connect from LAN to DMZ, and DMZ has Internet access but not LAN access. This is ok.

    But I cant get from WAN to my FTP-Server in DMZ.

    I created an Firewall Alias CrushFTPServer with Internal DMZ IP
    and an Port Alias CrushFTPPorts "80, 443, 21, 990".

    Then I created a virtual IP (Screenshot 1)
    With this virtual IP I created a new Port Forwarding. (screenshot2 and screenshot3).

    This creates a new firewall rule. Also I post my whole firewall rules (screenshot 4-6).

    Now when Im trying to connect to my public IP .221 I get no response.
    I tried "Diagnostics: Packet Capture" on my IP .221 with the result:
    23:23:20.070496 IP 129.x.x.11.50385 > 178.x.x.221.80: tcp 0

    It looks like something get to the firewall but not further. I also tried the Packet
    Capture with "full" mode, but I cant read the output.

    23:26:29.301441 f8:71:ea:34:42:60 > 00:0d:b9:31:c2:48, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 52, id 63928, offset 0, flags [DF], proto TCP (6), length 64)
        129.x.x.11.50428 > 178.x.x.221.80: Flags [ S ], cksum 0xd2b6 (correct), seq 1048881925, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 299519922 ecr 0,sackOK,eol], length 0

    Did I forget something, or did a false configuration?

    Thanks in advance,

    PS: I'm no native english speaker, so I hope you understand what I mean :)

  • I found something weird.

    It works if I dont use the alias as NAT IP (screenshot7). Is it not possible to use the alias for the same IP-Address?
    It works now.

  • LAYER 8 Global Moderator

    Well what was your alias - could pfsense resolve what was in your alias as that IP, did you have some name in there that resolved to something else?

Log in to reply