Firewall rules and NAT



  • Not really sure where to start but here's a brief outline of where I'm up to. I've got an old BT modem and I've successfully managed to get it configured with my PFSENSE box in the middle with a switch connecting my old BT homehub 5. Everything is connected to it and my wireless is also working fine.

    Here's my problem, I've got a FreeNAS box also connected, for which I need to set up ftp access via a web browser for clients, and I also use it for Plex and various torrent applications. I can't for the life of me get any of the Firewall rules or Port forwarding to work. I've opened ports before on the old BT gear so I kind of know what I'm doing, however I'm wondering if this is some kind of config issue I'm not aware of?

    Even just trying to open up port 80 with all manner of different configs brings me no luck when I use an online "port open tool".

    Here's my config.

    External IP: 86.186.195.19
    gateway: 192.168.1.1
    freenas: 192.168.1.16

    my internal ftp server is on 192.168.1.16  (port21)

    So how should I have it configured to access my ftp server? As in the source, destination and destination port range?

    Also one final thought and I don't know if it makes any difference but my WAN setup is PPPoE rather than DHCP.

    Thanks In advance.  :)




  • Wrong tab.
    First go to NAT->Port Forwarding and set up access there, tick automatic firewall rule generation (it will generate the linked firewall rule on WAN).



  • I've done it both ways, with all manner of setup options. Still no joy : (



  • I'm sure this has something to do with my config between the pfsense box and the old BT modem. I just can't get any ports to open. Is it possible the modem is locked down somehow?



  • If your modem is not running in bridge mode, there is a very good chance it's blocking the incoming connections.



  • Is there a way to test if it's in bridge mode? I don't think I can connect into it?



  • Is PFSense getting public or private IP address? I know you mentioned you have an "external" IP, but to me that does not indicate what IP you are actually being given.



  • It's a public IP as far as I'm aware. I've managed to set DDNS up with "no-IP" and I've noticed it change after a couple of reboots.



  • Netgate Administrator

    That 'modem' only has bridge mode unless you unlock it, which you haven't.  ;) You have the correct public address on the pfSense WAN.

    How are you testing the portforward? It must be tested from outside your network. See:
    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    I would use some other DynDNS provider as No-IP gives me endless trouble. You pretty much need to change your IP at least every 21 days or use their paid service.

    Steve



  • Hi Stephen, The new Echolife HG612 has just arrived this morning so I'm going to have a play with that later. As for the testing of port forwarding I've been using http://www.canyouseeme.org/ I've tested ports in the past from my browser at home and this always seemed to be accurate? And I've actually got the paid service with No-IP as the 30-day limit was driving me nuts also. : )

    One question: If I can get this HG612 into bridged mode I take it I still need to set the WAN up in PPPoE and not DHCP? I'll just need to disable NAT and DHCP on it?

    It also states it's using firmware version V100R001C01B028SP10, not sure if I need to flash it with a newer version?

    Thanks again mate  :)


  • Netgate Administrator

    All the Openreach modems are in fact routers that have been locked into bridge mode. Unless they have been unlocked you do not need to configure them at all. You should be able to talk to the BT end using PPPoE. You appear to have set that up successfully already since you have a public IP on your WAN.

    Do you see anything in the firewall logs?

    Please post screenshots of your firewall rules and port forwards.

    Steve



  • I've installed the new HG612 modem and I still can't seem to get this working. I had to change a few of the settings initially to get my pfsense box to pick it up on the WAN. I wasn't sure if I needed to change the Routing config on the modem as per the bottom attachments.

  • Here's the firewall log also. When I click the red x it states for all of them: @3 block drop in log inet all label default deny rule ipv4




  • You're seeing UDP blocked on WAN because your WAN rules only allow TCP.



  • I don't know if it can help but check your modem has firewall off.


  • Netgate Administrator

    All those firewall hits are just random traffic from the internet being blocked, correctly.
    Were you trying to connect to the port forwards during the time that log was taken?

    I've never had an unlocked HG612 to play with so I can't really advise you on that. However both my Openreach modems here have no problems passing traffic of any kind. It's hard to see how that could be playing much of a role here anyway since your public IP is on the pfSense WAN.

    FTP can sometimes behave oddly anyway I would test with HTTP to prove you have it working. All your screenshots look good to me though.  :-\

    The most likely explanation seems to be that the test traffic simply isn't arriving for whatever reason. Can you ask someone else to test externally? Or use a 3g connection etc?

    Steve


  • LAYER 8 Netgate

    Yup.  Your config looks good.  You sure your provider isn't filtering inbound ftp/http?



  • As soon as I put my HH5 back in and set that up as before I can get FTP working straight away, along with all the other rules I need. So it can't be the ISP. I've tried that many different firewall/port rule configs in pfsense that I'm sure it has something to do with the config between the HG612 and pfsense. I've spent hours with it now and I'm close to calling it a day. I'm thinking of getting one of these http://www.draytek.com/index.php?option=com_k2&view=item&id=5240&Itemid=3810&lang=en It looks a bit more user friendly and made for the job.


  • Netgate Administrator

    I used their v120 with adsl for a few years with great success. I wasn't aware of the v130 but I would expect it works well. However I doubt it will help with your issue. I can't believe the hg612 (especially one that's been unlocked) is doing anything by way of filtering.
    Are you using the same ppp login details on the HH5 and in pfSense?

    Incoming traffic on the WAN hits the port forwarder before the firewall so if there are no hits in the firewall it could be being forwarded incorrectly.
    Alternatively the port forward may be working correctly and the internal machine is not responding or maybe has changed IP address. I see you're using an alias for the internal machines, what is that resolving to?

    The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.

    Steve


  • LAYER 8 Netgate

    @stephenw10:

    The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.

    That's what I'd do next.  packet capture on WAN, look for SYN packets on tcp 80 or 21.  If they're there, capture on LAN and you will see them leaving translated.



  • Ok so I've got a little further today, I've managed to open up port 21 to enable public access to my ftp server but a few things are confusing me slightly. I tested the port was open with an online port check program and it came back good, but when I entered the ftp address I couldn't access it from within my home network. My friend tested it from his house and could see it fine. I know I can access it by entering the IP address internally but beforehand with the old BT home hub I could still see it by entering the ftp address. Not that it matters but I was just curious as to why this was?

    My main issue now is that I can't seem to do the same for other ports? The only other port I've managed it with is https port 443

    Home PC- 192.168.1.40
    FreeNas server- 192.168.1.16

    I tried with http port 80 for example and I forwarded it to my PC and then also to the NAS as I'd had success that way with the ftp but it won't open?
  • Netgate Administrator

    The reason you can't test it from inside the network is this:
    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    There are some workarounds on that page.

    The second rule forwarding port 80 will never be hit because all traffic will be caught by the first rule.

    What are you running on the Home PC that's responding on port 80? Is it responding?

    Steve
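An added illustration (not code from the thread or from pfSense) of the two points made above: port forwards are matched first-match, so a broad first rule shadows a later port-80 rule, and a UDP packet with only TCP rules falls through to the logged default deny. The rule set below is constructed from the addresses in this thread; the catch-all port range on the first rule is an assumption about what "caught by the first rule" means.

```python
from dataclasses import dataclass

@dataclass
class Forward:
    proto: str        # "tcp", "udp" or "any"
    dst_port: tuple   # inclusive (low, high) destination port range
    target: str       # internal host:port the packet is redirected to

def matches(rule, proto, port):
    low, high = rule.dst_port
    return rule.proto in ("any", proto) and low <= port <= high

def evaluate(forwards, proto, port):
    """First-match evaluation of WAN port forwards with linked pass rules.
    No match means the packet hits the default deny rule (logged, dropped)."""
    for rule in forwards:
        if matches(rule, proto, port):
            return ("forward", rule.target)
    return ("block", "default deny rule")

def shadowed(forwards):
    """Rules that can never be hit because an earlier rule already
    covers every protocol/port combination they would match."""
    out = []
    for i, later in enumerate(forwards):
        for earlier in forwards[:i]:
            if (earlier.proto in ("any", later.proto)
                    and earlier.dst_port[0] <= later.dst_port[0]
                    and earlier.dst_port[1] >= later.dst_port[1]):
                out.append(later)
                break
    return out

# Constructed: a broad FTP forward listed first, then port 80 to the home PC
BROKEN = [
    Forward("tcp", (1, 65535), "192.168.1.16:21"),
    Forward("tcp", (80, 80), "192.168.1.40:80"),
]
# Constructed fix: one forward per service, no overlapping ranges
FIXED = [
    Forward("tcp", (21, 21), "192.168.1.16:21"),
    Forward("tcp", (443, 443), "192.168.1.16:443"),
    Forward("tcp", (80, 80), "192.168.1.40:80"),
]

if __name__ == "__main__":
    print(evaluate(BROKEN, "tcp", 80))   # goes to the FTP host, not the PC
    print([r.target for r in shadowed(BROKEN)])
    print(evaluate(FIXED, "tcp", 80))
    print(evaluate(FIXED, "udp", 80))    # only TCP rules: default deny
```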



  • Hi and thanks again Stephen  :)

    I'm not running anything on port 80, I just wanted to see if I could open it and then see it open in canyouseeme.org. The only other thing I need to get working now really are a few jails that are installed on my Freenas system, like Transmission and Sabnzdb. Here's how it's setup for example:

    FreeNAS 192.168.1.16

    Transmission Jail 192.168.1.3:9091

    SABnzdb jail 192.168.1.6:8080

    I think before on the homehub I just opened ports 9091 and 8080 and then forwarded them to the jail IPs, but this doesn't seem to be working this time. I'm getting myself confused if I need to forward these to the FreeNAS IP or the jails now!! arghh  :-\

    I did create another thread…thought it best to keep that part separate from this....https://forum.pfsense.org/index.php?topic=86485.0


  • Netgate Administrator

    Ah, well if there is nothing responding it might not show any differently. It depends how it's being tested. The default action of the pfSense firewall is to silently drop unsolicited incoming traffic. If it's forwarded to a machine that isn't listening on the port it may respond as closed. You would see that using a scan such as Shields Up.

    Steve



  • Ah, that would explain it. I guess this is where pfsense works differently from my old router?


  • Netgate Administrator

    Yes, possibly though I wouldn't have expected it to. Hard to say without testing the HH5.  :-\

    Steve



  • No matter what port I opened up on the HH5, regardless of whether it was in use or not, I could always get a "port open" response from http://www.canyouseeme.org/.


  • Netgate Administrator

    Conversely I have three high numbered ports open here and it can only 'see' one of them. It sees a port forwarded to a skype phone. It doesn't see a Skype port forwarded to a machine that's currently off (as expected). It doesn't see my openvpn server even though it's definitely listening.

    Steve

