4. Port Forward to DMZ / Web FTP Server

Port Forward to DMZ / Web FTP Server

  • P

    Hello from Austria,

    I already read dozens of threads about port forwarding, but I don't know, either it really don't work or I'm to stupid  ;)
    We will change from a Zywall USG to pfSense. On the Zywall everything worked, but I'm not getting it worked here.

    My setup is the following:

    Wan IP is 178.x.x.220
    Gateway 178.x.x.217
    Subnetmask 255.255.255.248
    Usable IPs are .220, .221, .222 (only these three because the modem using the others for HSRP (HA with cellular modem))

    I have 3 Interfaces, WAN, LAN and DMZ.
    I can connect from LAN to DMZ, and DMZ has Internet access but not LAN access. This is ok.

    But I cant get from WAN to my FTP-Server in DMZ.

    I created an Firewall Alias CrushFTPServer with Internal DMZ IP 10.99.100.10
    and an Port Alias CrushFTPPorts "80, 443, 21, 990".

    Then I created a virtual IP (Screenshot 1)
    With this virtual IP I created a new Port Forwarding. (screenshot2 and screenshot3).

    This creates a new firewall rule. Also I post my whole firewall rules (screenshot 4-6).

    Now when Im trying to connect to my public IP .221 I get no response.
    I tried "Diagnostics: Packet Capture" on my IP .221 with the result:
    23:23:20.070496 IP 129.x.x.11.50385 > 178.x.x.221.80: tcp 0

    It looks like something get to the firewall but not further. I also tried the Packet
    Capture with "full" mode, but I cant read the output.

    23:26:29.301441 f8:71:ea:34:42:60 > 00:0d:b9:31:c2:48, ethertype IPv4 (0x0800), length 78: (tos 0x0, ttl 52, id 63928, offset 0, flags [DF], proto TCP (6), length 64)
        129.x.x.11.50428 > 178.x.x.221.80: Flags [ S ], cksum 0xd2b6 (correct), seq 1048881925, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 299519922 ecr 0,sackOK,eol], length 0

    Did I forget something, or did a false configuration?

    Thanks in advance,
    Philipp

    PS: I'm no native english speaker, so I hope you understand what I mean :)












    0
  • P

    I found something weird.

    It works if I dont use the alias as NAT IP (screenshot7). Is it not possible to use the alias for the same IP-Address?
    It works now.


    0
  • LAYER 8 Global Moderator

    Well what was your alias - could pfsense resolve what was in your alias as that IP, did you have some name in there that resolved to something else?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy