Netgate Discussion Forum

    Firewall rules and NAT

    General pfSense Questions
    28 Posts 6 Posters 4.8k Views
    Jumbosausage

      Not really sure where to start, but here's a brief outline of where I'm up to. I've got an old BT modem and I've successfully managed to get it configured with my pfSense box in the middle, with a switch connecting my old BT Home Hub 5. Everything is connected to it and my wireless is also working fine.

      Here's my problem: I've got a FreeNAS box also connected, on which I need to set up FTP access via a web browser for clients, and I also use it for Plex and various torrent applications. I can't for the life of me get any of the firewall rules or port forwarding to work. I've opened ports before on the old BT gear so I kind of know what I'm doing; however, I'm wondering if this is some kind of config issue I'm not aware of?

      Even just trying to open up port 80 with all manner of different configs brings me no luck when I use an online "port open tool".

      Here's my config.

      External IP: 86.186.195.19
      gateway: 192.168.1.1
      freenas: 192.168.1.16

      My internal FTP server is on 192.168.1.16 (port 21).

      So how should I have it configured to access my FTP server, as in the source, destination and destination port range?

      Also one final thought and I don't know if it makes any difference but my WAN setup is PPPoE rather than DHCP.

      Thanks in advance. :)

      Wolf666

        Wrong tab.
        First go to NAT -> Port Forward and set up access there; tick automatic firewall rule generation (it will generate the linked firewall rule on WAN).

        Modem Draytek Vigor 130
        pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
        Switch Cisco SG350-10
        AP Netgear R7000 (Stock FW)
        HTPC Intel NUC5i3RYH
        NAS Synology DS1515+
        NAS Synology DS213+

        Jumbosausage

          I've done it both ways, with all manner of setup options. Still no joy : (

          Jumbosausage

            I'm sure this has something to do with my config between the pfsense box and the old BT modem. I just can't get any ports to open. Is it possible the modem is locked down somehow?

            Harvy66

              If your modem is not running in bridge mode, there is a very good chance it's blocking the incoming connections.

              Jumbosausage

                Is there a way to test if it's in bridge mode? I don't think I can connect into it?

                Harvy66

                  Is pfSense getting a public or private IP address? I know you mentioned you have an "external" IP, but to me that does not indicate what IP you are actually being given.

                  Jumbosausage

                    It's a public IP as far as I'm aware. I've managed to set DDNS up with No-IP and I've noticed it change after a couple of reboots.

                    stephenw10 (Netgate Administrator)

                      That 'modem' only has bridge mode unless you unlock it, which you haven't. ;) You have the correct public address on the pfSense WAN.

                      How are you testing the port forward? It must be tested from outside your network. See:
                      https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

                      I would use some other DynDNS provider as No-IP gives me endless trouble. You pretty much need to change your IP at least every 21 days or use their paid service.

                      Steve

                      Jumbosausage

                        Hi Stephen, the new Echolife HG612 has just arrived this morning so I'm going to have a play with that later. As for testing the port forwarding, I've been using http://www.canyouseeme.org/. I've tested ports in the past from my browser at home and this always seemed to be accurate? And I've actually got the paid service with No-IP as the 30-day limit was driving me nuts also. : )

                        One question: if I can get this HG612 into bridged mode, I take it I still need to set the WAN up in PPPoE and not DHCP? I'll just need to disable NAT and DHCP on it?

                        It also states it's using firmware version V100R001C01B028SP10; not sure if I need to flash it with a newer version?

                        Thanks again mate. :)

                        stephenw10 (Netgate Administrator)

                          All the Openreach modems are in fact routers that have been locked into bridge mode. Unless they have been unlocked you do not need to configure them at all. You should be able to talk to the BT end using PPPoE. You appear to have set that up successfully already since you have a public IP on your WAN.

                          Do you see anything in the firewall logs?

                          Please post screenshots of your firewall rules and port forwards.

                          Steve

                          Jumbosausage

                            I've installed the new HG612 modem and I still can't seem to get this working. I had to change a few of the settings initially to get my pfSense box to pick it up on the WAN. I wasn't sure if I needed to change the routing config on the modem as per the bottom attachments.

                            Jumbosausage

                              Here's the firewall log also… When I click the red X it states, for all of them: @3 block drop in log inet all label default deny rule ipv4

                              KOM

                                You're seeing UDP blocked on WAN because your WAN rules only allow TCP.

                                Wolf666

                                  I don't know if it can help but check your modem has firewall off.

                                  stephenw10 (Netgate Administrator)

                                    All those firewall hits are just random traffic from the internet being blocked, correctly.
                                    Were you trying to connect to the port forwards during the time that log was taken?

                                    I've never had an unlocked HG612 to play with so I can't really advise you on that. However both my Openreach modems here have no problems passing traffic of any kind. It's hard to see how that could be playing much of a role here anyway since your public IP is on the pfSense WAN.

                                    FTP can sometimes behave oddly anyway; I would test with HTTP to prove you have it working. All your screenshots look good to me though. :-\

                                    The most likely explanation seems to be that the test traffic simply isn't arriving for whatever reason. Can you ask someone else to test externally? Or use a 3g connection etc?

                                    Steve

                                    Derelict (LAYER 8 Netgate)

                                      Yup. Your config looks good. You sure your provider isn't filtering inbound FTP/HTTP?

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      Jumbosausage

                                        As soon as I put my HH5 back in and set that up as before I can get FTP working straight away, along with all the other rules I need. So it can't be the ISP. I've tried that many different firewall/port rule configs in pfSense that I'm sure it has something to do with the config between the HG612 and pfSense. I've spent hours with it now and I'm close to calling it a day. I'm thinking of getting one of these: http://www.draytek.com/index.php?option=com_k2&view=item&id=5240&Itemid=3810&lang=en It looks a bit more user friendly and made for the job.

                                        stephenw10 (Netgate Administrator)

                                          I used their V120 with ADSL for a few years with great success. I wasn't aware of the V130 but I would expect it works well. However, I doubt it will help with your issue. I can't believe the HG612 (especially one that's been unlocked) is doing anything by way of filtering.
                                          Are you using the same PPP login details on the HH5 and in pfSense?

                                          Incoming traffic on the WAN hits the port forwarder before the firewall, so if there are no hits in the firewall it could be being forwarded incorrectly.
                                          Alternatively the port forward may be working correctly and the internal machine is not responding, or maybe has changed IP address. I see you're using an alias for the internal machines; what is that resolving to?

                                          The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.

                                          Steve

                                          Derelict (LAYER 8 Netgate)

                                            @stephenw10:

                                            The next step here would be to check the states table to see if the incoming traffic is shown. You could also run a packet capture to check for packets on wan or lan.

                                            That's what I'd do next. Packet capture on WAN, look for SYN packets on TCP 80 or 21. If they're there, capture on LAN and you will see them leaving translated.
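An added example (not from this thread, pfSense or Netgate) for the log-side check Steve and Derelict describe before reaching for a packet capture: a Python script that reads pfSense filterlog records and separates background noise blocked on the WAN from blocks that land on a forwarded port, which would mean the test traffic arrived but the NAT rule did not catch it. The log lines are constructed, the WAN interface name `pppoe0` and the forwarded ports tcp/80 and tcp/21 are assumptions standing in for the poster's setup, and the field layout follows the pfSense 2.x filterlog CSV format.

```python
import csv
from collections import Counter

# Constructed sample filterlog payloads (not from the thread). Layout follows
# the pfSense 2.x filterlog CSV: rule,sub-rule,anchor,tracker,interface,
# reason,action,direction,ip-version,tos,ecn,ttl,id,offset,flags,proto-id,
# proto,length,src,dst, then src-port,dst-port,... for tcp/udp records.
SAMPLE_LOG = """\
5,,,1000000103,pppoe0,match,block,in,4,0x0,,52,0,0,DF,17,udp,78,198.51.100.7,86.186.195.19,40231,1900,58
5,,,1000000103,pppoe0,match,block,in,4,0x0,,114,62401,0,none,6,tcp,44,203.0.113.9,86.186.195.19,51824,23,0,S,1450921,,29200,,mss
5,,,1000000103,pppoe0,match,block,in,4,0x0,,52,0,0,DF,17,udp,60,198.51.100.22,86.186.195.19,53,9101,40
5,,,1000000103,pppoe0,match,block,in,4,0x0,,48,3321,0,DF,6,tcp,60,203.0.113.44,86.186.195.19,47111,80,0,S,882,,65535,,mss;sackOK
"""

# Hypothetical values standing in for the poster's setup: the WAN is the
# PPPoE interface and the forwards under test are tcp/80 and tcp/21.
WAN_IF = "pppoe0"
FORWARDS = {("tcp", 80), ("tcp", 21)}

def parse_filterlog(text):
    """Parse IPv4 tcp/udp filterlog records into dicts; skip anything else."""
    entries = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 22 or row[8] != "4" or row[16] not in ("tcp", "udp"):
            continue
        entries.append({
            "rule": row[0], "iface": row[4], "action": row[6], "dir": row[7],
            "proto": row[16], "src": row[18], "dst": row[19],
            "sport": int(row[20]), "dport": int(row[21]),
        })
    return entries

def blocked_on_wan(entries, wan_if=WAN_IF):
    """Inbound blocks on the WAN by (proto, dport): the background-noise view.
    UDP showing up here is expected when the WAN rules only pass TCP."""
    return Counter((e["proto"], e["dport"]) for e in entries
                   if e["iface"] == wan_if and e["action"] == "block"
                   and e["dir"] == "in")

def forwards_hit_by_block(entries, forwards=FORWARDS, wan_if=WAN_IF):
    """Blocks landing on a forwarded proto/port. The forward's linked rule
    should match before the default deny, so a hit here means the traffic
    arrived but the NAT rule did not catch it (wrong destination, interface
    or alias resolution, for example)."""
    return sorted((e["proto"], e["dport"], e["src"]) for e in entries
                  if e["iface"] == wan_if and e["action"] == "block"
                  and (e["proto"], e["dport"]) in forwards)
```

Run it against the output of `clog /var/log/filter.log` (the filterlog payload after the process name) to get the same two views on a live box.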

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.