Problem with NAT. Can't forward port from WAN to LAN.

farion

Greetings.

Tried some free router distributives, and PfSense few month ago, and chose pfSense for use in my small office (20+ users) to replace old ISA Server which is end of support. The problem is, I still cant configure NAT.
The Internet from LAN works fine, and I can ping external static IP (created rule allowing ICMP of WAN), but Port Forwarding on WAN isn't working.

Screens of created rules:

NAT Forward:
https://www.dropbox.com/s/n9yf2w71dmkx65k/forward1.png?dl=0
And linked WAN rules:
[https://www.dropbox.com/s/spn7zqat7ym9t22/forward2.png?dl=0]![](https://www.dropbox.com/s/spn7zqat7ym9t22/forward2.png?dl=0 Port scan from external net shows that all ports are closed [b]Some logs screen:[/b] [url]https://www.dropbox.com/s/4pqol26w31mc6ok/logs.png?dl=0[/url] [url]https://www.dropbox.com/s/yjro31k42i8zz6i/logs2.png?dl=0[/url] All incoming IPv4 packets bloked, reason: [b]@5 block drop in log inet all label )Yes, it's the default block rule for WAN. It seems to be the last priority rule, forwarding rules created and must execute first< (basics of networking, yes), but they are not working.

Yes, I had RTFM [url]Port Forward Troubleshooting[/url], but it is not helped.Tried google forum, wiki, etc., and my brain is overheated, but i cant find solution :c

I really like pfSense in comparison with other network distributives, and I dont wanted to use monowall or something instead of IT, but with my mediocre experience with linux and networking still can't understand what is wrong. But with my mediocre experience with linux and networking still can't understand what is wrong. Hope for the Community support.

[u][b]upd1:[/b][/u]

Screens of [b]WAN interface configure[/b]
[url]https://www.dropbox.com/s/gkjfirjd5hyhms0/WAN.png?dl=0[/url]
And [b]System: Advanced: Firewall and NAT[/b]
[url]https://www.dropbox.com/s/ppcl3xinpbnsc4e/FireShotNATscr.png?dl=0[/url]

Hope it will help. If more configs needed please elaborate." />](http://[img)

Derelict

Try changing the destination address in your NAT rules from any to WAN address.

![Screen Shot 2015-01-19 at 5.41.33 AM.png](/public/imported_attachments/1/Screen Shot 2015-01-19 at 5.41.33 AM.png)
![Screen Shot 2015-01-19 at 5.41.33 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-01-19 at 5.41.33 AM.png_thumb)

farion

Direlict, already tried it. Still not working :c.

Internal web server 100% works, can see the web site from the internal network and another router that currently runs, but not from pfsense wan net.

Derelict

Then something else is wrong. The correct configuration is for the destination IP to be WAN address. I can assure you port forwards work just fine.

Are you testing this from inside or outside your network?

Derelict

None of those log entries are for traffic to ports you're trying to forward. Just looks like your firewall doing its job blocking unsolicited inbound traffic.

farion

Сhecked both from internal and from external net, from varios IP and providers. Still cant see the web server, or other resourses from external.

Suggested that the problem might be in the installed module squid3 and squidGuard, so I deleted this packages. Maybe because of this? But dont know how to diagnostic such thing :c

Maybe some pfctl listings can help?

[2.1.5-RELEASE][root@pfs.rcn.local]/cf/conf(27): pfctl -sn
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on xl0 inet from 10.0.1.0/24 port = isakmp to any port = isakmp -> 213.17*****2 port 500
nat on xl0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 213.17*****2 port 500
nat on xl0 inet from 10.0.1.0/24 to any -> 213.17*****2 port 1024:65535
nat on xl0 inet from 127.0.0.0/8 to any -> 213.17*****2 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on xl0 inet proto tcp from any to any port = ftp -> 10.0.1.20
rdr on re0 inet proto tcp from any to 213.17#####16/29 port = ftp tag PFREFLECT -> 127.0.0.1 port 19000
rdr on xl0 inet proto tcp from any to any port = smtp -> 10.0.1.21
rdr on re0 inet proto tcp from any to 213.17#####16/29 port = smtp tag PFREFLECT -> 127.0.0.1 port 19001
rdr on xl0 inet proto tcp from any to 213.17*****2 port = http -> 10.0.1.20
rdr on xl0 inet proto tcp from any to 213.17*****2 port = https -> 10.0.1.20
rdr on re0 inet proto tcp from any to 213.17*****2 port = http tag PFREFLECT -> 127.0.0.1 port 19002
rdr on re0 inet proto tcp from any to 213.17*****2 port = https tag PFREFLECT -> 127.0.0.1 port 19003
rdr-anchor "miniupnpd" all

I would suggest that this is a problem is in hardware, but access to the Internet through the gateway is operating normally.

muswellhillbilly

Check the routing on your target servers (10.10.1.20 and 10.10.1.21). They should be set to use the pfSense as the default gateway. Otherwise, traffic will be forwarded through the firewall and responses will be lost when the server(s) try to send the traffic back through a different route/gateway.

farion

@muswellhillbilly:

Check the routing on your target servers (10.10.1.20 and 10.10.1.21). They should be set to use the pfSense as the default gateway.

THIS!
And yes, it's my stupidest fault.

Just start test FTP server on my PC, forwarding works fine! Thanks for help!
Problem solved, topic can be closed.

Derelict

Third time this week.

tarmenel

Just starting out and having a similar issue.
I can see on the Firewall Logs that I am trying to connect to the server.
You mentioned that the default gateway of the destination server needs to be pfsense.
Is this the IP you are refering to of the pfsense server?

Derelict

The default gateway is usually the IP address of the router's LAN interface unless you have multiple routers, a layer 3 switch, or something else outside the normal home setup.

Without it set like this the inside host doesn't have access to the internet.

In the diagram in my sig, Host A1's default gateway needs to be 172.26.0.1.

edmund

I'm having a similar problem, I have a web server on the LAN (192.168.0.8 ) and it's reachable from anywhere on the LAN but the NAT rule doesn't appear to allow the outside world to see it on 68.224.223.183. I've enabled logging on the rule that the NAT redirect created but it never seems to catch anything coming in through the WAN.

I have a rule on the LAN side to push everything from 192.168.0.8 to the same WAN gateway with the redirect, and that logs regular DNS traffic from 192.168.0.8 to the world through the correct gateway so I know that the LAN side logging works and traffic is going out of the same net that it should be coming in through.

I'm wondering if the NAT redirect somehow bypasses the logging switch but that seem unlikely.

I have to be missing something - I've been through all the Port Forward Troubleshooting docs and everything appears obvious and OK, I'll read though the 2.2 manual tonight for more clues.

Derelict

@edmund:

I'm having a similar problem, I have a web server on the LAN (192.168.0.8 ) and it's reachable from anywhere on the LAN but the NAT rule doesn't appear to allow the outside world to see it on 68.224.223.183. I've enabled logging on the rule that the NAT redirect created but it never seems to catch anything coming in through the WAN.

Post up your NAT rule and WAN firewall rules

Should be:

If WAN
Proto TCP
Src Addr *
Src Port *
Dst Addr: WAN address (Assuming this is the IP specified below, else the proper VIP)
Dst Port: 80
NAT IP: 192.168.0.8
NAT Port: 80

The corresponding firewall rule on WAN should pass tcp port 80 source any dest 192.168.0.8

I have a rule on the LAN side to push everything from 192.168.0.8 to the same WAN gateway with the redirect, and that logs regular DNS traffic from 192.168.0.8 to the world through the correct gateway so I know that the LAN side logging works and traffic is going out of the same net that it should be coming in through.

That will only matter for connections ORIGINATING FROM 192.168.0.8. It has nothing to do with return traffic from the web server for states that were created when the connections came from outside WAN.

If you put that in place only to try to fix this port forward, I'd get rid of it.

I'm wondering if the NAT redirect somehow bypasses the logging switch but that seem unlikely.

I have to be missing something - I've been through all the Port Forward Troubleshooting docs and everything appears obvious and OK, I'll read though the 2.2 manual tonight for more clues.

edmund

Thanks - I have fixed it after reading the 2.2 manual (worth every penny of the gold subscription by the way) - the problem appears to be solved by creating a Virtual IP assigned to the address that I wanted to NAT into the LAN. Deleting and then recreating the NAT rule gave me the option of using the VIP address as the WAN destination … and voila! It works!

Network wrangling is not my day job so my guess at what was happening may not be correct but I'll post what I think was happening...

The firewall was on 68.224.223.179 but I was trying to redirect 68.224.223.183 - the clue was that the firewall log never showed anything coming in - reading the manual I started to see that the pfSense address is just that, a single IP address and the packets that I wanted to NAT were never arriving on that address. So they never got logged of course.

My thinking originally was thrown off because I have OPT1 bridged with the pfSense WAN address and a server on OPT1 works fine - but then it's bridged on the WAN side so it would wouldn't it?

Thanks for taking the time to look at the problem - I appreciate all the help that I've received here.

tarmenel

Thank you. Thank you. Thank you. Thank you. Thank you. Thank you.
You just solved my issue with the Virtual IP.
I've spent weeks trying to get this working.

wwatanabe

Sorry if I can't post my question here, but I have a similar problem. I'm using PFSense 2.1.5 and it working in all other sites with NAT, MultiWan, etc. But now we have a customer where it's not working.

"Yes, I had RTFM Port Forward Troubleshooting, but it is not helped.Tried google forum, wiki, etc., and my brain is overheated, but i cant find solution :c"

Cenario:

MODEM in Bridge Mode -> (WAN: VALID IP) PFSENSE (LAN: 192.168.10.252) -> LAN -> HOST (IP: 192.168.10.251)

NAT
Interface: WAN
Protocol: TCP/UDP
DST: WAN_Address
DST Port: 43390
Redirect: 192.168.10.251
Redirect Port: 3389
Create new associated filter rule

WAN
Pass
Interface: WAN
TCP/UDP
From: Any
DST: 192.168.10.251
DST Port: 3389

LAN
Allow everything from LAN NET to ANY.

===================

I tried with other NAT but no one works. VPN also don't work in this installation. I've tried with 2 different ISPs, one with Dynamic Address and other with fixed IP. All of them in bridge and not blocking services. I've tried with other Router and it works.

===================

I run a TCPDUMP in on of our PFsense where NAT is working and I have:

http://pastebin.com/pJCBgX6x

There are a return from PFSense IP when communication.

On this PFSense where NAT doesn't work the TCPDUMP shows:

tcpdump -ni igb0 | grep 43390
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0, link-type EN10MB (Ethernet), capture size 96 bytes
22:55:12.593966 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [ S ], seq 1345026210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
22:55:15.591285 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [ S ], seq 1345026210, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
22:55:21.585046 IP 177.143.120.78.35814 > 200.200.200.200.43390: Flags [ S ], seq 1345026210, win 8192, options [mss 1460,nop,nop,sackOK], length 0

There are no return from host.

=================================

I've tried everything. Inicially I'm using LoadBalance and two links, now I disabled the second link, delete LoadBalance and the problem persist.

Any help ?

========================

Derelict

Check the default gateway on 192.168.10.251
Check the software firewall on 192.168.10.251

wwatanabe

Thanks for fast reply.

I already did it. The gateway is pointing to 192.168.10.252 wich is the LAN IP of PFSense
Firewall Disabled.

The RDP access work fine from LAN.

Derelict

Working from LAN means nothing. Check the firewall on the host to be sure it allows connections from OTHER THAN LAN.

wwatanabe

The Firewall on Host is disabled.

The Antivirus is disabled.

I also tried with other Windows Server on the network, same problem.

And tried with other service (DVR) in other host, same problem.

Thanks for helping !
Sorry for my poor english.

Derelict

Well, there's not much else to a port forward, so it has to be something. Does tcpdump on LAN show the SYNs going from 177.143.120.78 to 192.168.10.251:3389? What states are created? (Diagnostics > States).

Load sharing… Are you sure you have the port forward on the interface that has the IP specified? Are the clients connecting to the right interface?

wwatanabe

I'm new with PFSense and TCPDump, sorry if it's not what you ask.

I Run TCPDump and try to connect with RDP.

==================
em1 -> LAN

[2.1.5-RELEASE][root@host]/root(14): tcpdump -ni em1 | grep 192.168.10.251.3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
23:36:44.807796 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [ S ], seq 3165976847, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
23:36:44.807877 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [S.], seq 3448840707, ack 3165976848, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
23:36:44.832998 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
23:36:44.833113 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [R], seq 3448840708, win 0, length 0
23:36:44.839389 IP 177.143.120.78.45783 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
23:36:44.839444 IP 192.168.10.251.3389 > 177.143.120.78.45783: Flags [R], seq 3448840708, win 0, length 0

======================

[2.1.5-RELEASE][root@macfw001.macco.local]/root(12): tcpdump -ni em1 | grep 177.143.120.78
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
23:35:59.469877 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [ S ], seq 1760568614, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
23:35:59.469985 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [S.], seq 408005352, ack 1760568615, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
23:35:59.492434 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
23:35:59.492551 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0
23:35:59.505291 IP 177.143.120.78.46898 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
23:35:59.505347 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0
23:36:00.260803 IP 177.143.120.78.33622 > 192.168.10.251.59387: UDP, length 97
23:36:00.289429 IP 177.143.120.78.33622 > 192.168.10.251.59387: UDP, length 40
23:36:00.289537 IP 192.168.10.251.59387 > 177.143.120.78.33622: UDP, length 52
23:36:05.662522 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [ S ], seq 871328353, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
23:36:05.662592 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [S.], seq 939867809, ack 871328354, win 16384, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
23:36:05.684492 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [.], ack 1, win 4380, length 0
23:36:05.684594 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [R], seq 939867810, win 0, length 0
23:36:05.691017 IP 177.143.120.78.39432 > 192.168.10.251.3389: Flags [P.], ack 1, win 4380, length 19
23:36:05.691078 IP 192.168.10.251.3389 > 177.143.120.78.39432: Flags [R], seq 939867810, win 0, length 0
^C189 packets captured
191 packets received by filter
0 packets dropped by kernel

=======================

There are just a LAN interface, it's connected in the LAN Switch and all Hosts are surfing ok, accessing PFSense as gateway and Proxy/Squid/SquidGuard is working fine.

STATES with 177.143.120.78 (Filtered)

tcp 200.200.200.200:40022 <- 177.143.120.78:48036 ESTABLISHED:ESTABLISHED
udp 177.143.120.78:33622 <- 192.168.10.251:59387 MULTIPLE:MULTIPLE
udp 192.168.10.251:59387 -> 200.200.200.200:30913 -> 177.143.120.78:33622 MULTIPLE:MULTIPLE
tcp 200.200.200.200:40443 <- 177.143.120.78:36373 TIME_WAIT:TIME_WAIT
tcp 200.200.200.200:40443 <- 177.143.120.78:42641 ESTABLISHED:ESTABLISHED
tcp 200.200.200.200:40443 <- 177.143.120.78:49046 TIME_WAIT:TIME_WAIT
tcp 200.200.200.200:40443 <- 177.143.120.78:46285 ESTABLISHED:ESTABLISHED

wwatanabe

http://imgur.com/a/c5sDz

Image with the Rule and NAT.

Derelict

I guess I give up. I could do the same port forward 1000 times and it would work every time.

Your network is in an extremely insecure state right now.

Derelict

It looks like the NAT is working, to me. No idea why you can't establish a session.

wwatanabe

I put the network in this open situation for testing this NAT problem.

Thanks a lot for you help. I think I'll try to reinstall PFSense.

Regards,

Wellington

johnpoz

"23:35:59.492551 IP 192.168.10.251.3389 > 177.143.120.78.46898: Flags [R], seq 408005353, win 0, length 0"

Sure looks like box your trying to rdp to, and was correctly forwarded by pfsense is sending RESET

So what does that have to do with pfsense?? Why don't you download the sniff and open it in wireshark.. But you need to look on the box to see why its sending RESET!!

Derelict

Probably disallowing connections from foreign networks but he doesn't want to listen. "It works fine from LAN."

tom-- 1

Hi farion

Your dropbox-links are annoying, because they are no longer available - and therefore other users can not benefit from this post: your pictures are missing now :-(

It would help if you just attach pictures to your posts as other users are doing.

Thanks a lot in advance,
kind regards,
Tom