Netgate Discussion Forum
    Port forwarding headaches

    Firewalling
mrpijey:

      Hi!

      I've been a long term user of Smoothwall but I decided to go with pfSense. Everything went fine with installation, I got internet access and everything is peachy. But when I try to forward ports to my internal servers nothing works.

      I've verified the web server is running, I can access it internally without issues, same thing with all other services (FTP, game server etc). I used the "Test Port" tool in pfSense and it reports ports are open and working.

      I don't use any NAT, VPN or anything special. Internal IPs are assigned by pfSense DHCP server, and internet access and all works from all connected clients.

      I tried to add a port forwarding (Firewall > Rules) and added the following data:

      192.168.0.250 is the server running the web server.

      The end result is:

But trying to access the site externally (by DNS or IP) does nothing. Same goes for FTP (port 21) or anything else. I've set up some 10 different rules, but when doing a full port scan from outside nothing is open.

      Is it supposed to be this difficult? It was quite straightforward in Smoothwall…

      Thanks for any help!

doktornotor:

        Your source port range is just wrong, should be Any and not 80/443. Beyond that, you should be doing this via Firewall - NAT - Port Forwarding.

johnpoz (Global Moderator):

          "10 different rules, but when doing a full port scan from externally nothing is open."

And the pfSense WAN is not behind a NAT? First thing: if you're not seeing the traffic on the pfSense WAN, you can never forward it! I would guess you're behind a NAT and that is not sending the traffic on to pfSense. What is the IP address on the pfSense WAN? Does it start with 192.168.x.x, 10.x.x.x, 172.16-31.x.x?

Sniff on your WAN, under Diagnostics: do you see the traffic pfSense is supposed to forward?

mrpijey:

            Well everything worked fine with Smoothwall, all I did was reinstall to pfSense…

            I've changed the port source to Any, still no go.

My external IP isn't 192.168.x.x or 10.x or 172.x, it's the external IP my ISP gave me (which pfSense reports too). I can ping the IP (after enabling ICMP) so it's definitely connecting to pfSense.

doktornotor:

              Once again. You should be doing this in Firewall - NAT - Port Forwarding. Really no idea what you mean by "I don't use any NAT".

mrpijey:

                When I use Firewall > NAT > Port forwarding I lose all connection to the net and I have to roll back the setting before I get access again. Unless I define something wrong in the forwarding rule…

johnpoz (Global Moderator):

^ Valid point. Where is your actual forward? You just have firewall rules, and the source is wrong as well, as dok already pointed out.

You pick what port you want to forward and what private IP you want to send it to; it auto-creates the firewall rules.

mrpijey:

                    @johnpoz:

^ Valid point. Where is your actual forward? You just have firewall rules, and the source is wrong as well, as dok already pointed out.

You pick what port you want to forward and what private IP you want to send it to; it auto-creates the firewall rules.

                    What do you mean? I thought the firewall rules defined that by setting a source port/address to destination port/address.

                    Am I missing something vital here? Any time I try to use NAT > Forward I lose connection and need to rollback to get it back.

johnpoz (Global Moderator):

Dude, it takes 2 seconds to create a forward.

Here you really only have to touch 3 boxes: what port you're forwarding (http in this case), what IP you want to send it to, and that you want to send it to http as well, vs. say sending port 10,000 on your WAN to 80 on the private-side box.

If this takes you more than 5 seconds you're doing it wrong!! Those are the only things you have to touch to send http to a box on the pfSense LAN. It will create the firewall rule for you... It really could not be any simpler.

You mentioned "I don't use any NAT". Nonsense, how would you NAT that public IP your ISP gives on your WAN to your private RFC 1918 space?? So clearly you're using NAT, unless pfSense is behind a NAT already. Did you disable NAT in pfSense? If so it would not be working if your pfSense had a public IP on its WAN.


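The mistake the three replies above circle around (a plain firewall rule with the source port pinned to 80/443, and no NAT entry at all) can be caught mechanically from the rules pf actually loaded. The following is an added example, not code from the thread or from pfSense: a small Python checker over pf rule text. On pfSense, `pfctl -sn` prints the loaded NAT (rdr) rules and `pfctl -sr` the filter rules; piping both into the script flags pass rules that pin the source port and pass rules on the WAN to a private host that no rdr ever delivers traffic to. The rule text is constructed for the example in pf syntax; the WAN interface name em0, the public address 203.0.113.10 and the gateway 203.0.113.1 are assumptions, and 192.168.0.250 is the web server from the first post.

```python
"""Check a pf ruleset for the port-forward mistakes discussed in this thread.

Added example, not pfSense code. On pfSense, `pfctl -sn` prints the loaded
NAT (rdr) rules and `pfctl -sr` the filter rules; feed both to this script.
It flags:
  * pass rules that pin the *source* port (clients use ephemeral source ports)
  * pass rules on the WAN to a private host with no rdr delivering traffic there
"""
import ipaddress
import re
import sys

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# e.g. `rdr on em0 proto tcp from any to 203.0.113.10 port 80 -> 192.168.0.250 port 80`
RDR_RE = re.compile(
    r"^rdr\s+(?:pass\s+)?on\s+(?P<iface>\S+)\s+(?:inet6?\s+)?proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+\S+)?\s+to\s+(?P<dst>\S+)\s+port\s+(?P<dport>\S+)"
    r"\s+->\s+(?P<target>\S+)(?:\s+port\s+(?P<tport>\S+))?")

# e.g. `pass in quick on em0 ... proto tcp from any [port X] to 192.168.0.250 port 80 ...`
PASS_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)\b.*?\bproto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?")

# Constructed sample: what the original poster built under Firewall > Rules
# (source port pinned, no rdr anywhere).
BROKEN = """\
pass in quick on em0 inet proto tcp from any port 80 to 192.168.0.250 port 80 flags S/SA keep state label "USER_RULE: web"
pass in quick on em0 inet proto tcp from any port 21 to 192.168.0.250 port 21 flags S/SA keep state label "USER_RULE: ftp"
"""

# Constructed sample of what Firewall > NAT > Port Forward generates: an rdr
# plus the linked pass rule with source port any. Addresses are assumptions.
FIXED = """\
rdr on em0 proto tcp from any to 203.0.113.10 port 80 -> 192.168.0.250 port 80
rdr on em0 proto tcp from any to 203.0.113.10 port 21 -> 192.168.0.250 port 21
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 192.168.0.250 port 80 flags S/SA keep state label "USER_RULE: NAT web"
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 192.168.0.250 port 21 flags S/SA keep state label "USER_RULE: NAT ftp"
"""


def parse_ruleset(text: str):
    """Split rule text into rdr and pass-in rule dicts; other lines are ignored."""
    rdrs, passes = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RDR_RE.match(line)
        if m:
            rdrs.append(m.groupdict())
            continue
        m = PASS_RE.match(line)
        if m:
            passes.append(m.groupdict())
    return rdrs, passes


def is_private(host: str) -> bool:
    """True for an RFC 1918 address; aliases and 'any' count as not private."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def find_problems(ruleset: str, wan_iface: str) -> list:
    """Return one message per port-forward mistake found on the WAN interface."""
    rdrs, passes = parse_ruleset(ruleset)
    problems = []
    for p in passes:
        if p["iface"] != wan_iface:
            continue  # LAN-side rules are not port forwards
        where = f"{p['proto']} to {p['dst']}:{p['dport'] or 'any'} on {p['iface']}"
        if p["sport"] and p["sport"] != "any":
            problems.append(f"{where}: pins source port {p['sport']}; clients pick "
                            "ephemeral source ports, so this rule never matches; "
                            "set the source port to any")
        if is_private(p["dst"]) and p["dport"]:
            delivered = any(r["iface"] == wan_iface and r["proto"] == p["proto"]
                            and r["target"] == p["dst"]
                            and (r["tport"] or r["dport"]) == p["dport"]
                            for r in rdrs)
            if not delivered:
                problems.append(f"{where}: no rdr sends WAN traffic to {p['dst']}; "
                                "packets for the public IP are never translated, so "
                                "create the forward under Firewall > NAT > Port Forward")
    return problems


if __name__ == "__main__":
    wan = sys.argv[1] if len(sys.argv) > 1 else "em0"
    # With nothing piped in, demonstrate on the constructed broken sample.
    text = BROKEN if sys.stdin.isatty() else sys.stdin.read()
    for msg in find_problems(text, wan) or ["no port-forward problems found"]:
        print(msg)
```

On a pfSense box the real check is `(pfctl -sn; pfctl -sr) | python3 check_forwards.py em0` with your WAN interface name substituted. Independently of the rules, johnpoz's sniffing advice still comes first: run Diagnostics > Packet Capture on the WAN (or `tcpdump -ni em0 port 80` from the shell) while connecting from outside; if no SYN for the forwarded port ever arrives on the WAN, no rule can help.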
mrpijey:

                        Thanks, managed to find out what I did wrong. I followed this guide, but what made me think it didn't work is the fact that my entire access to the internet drops when I apply any NAT settings. If I reboot pfSense then things are up and working again, and this time the port forward does work. But why does the connection cut out entirely? I lose connection to Internet, and a few seconds later I also lose connection to pfSense Web Admin entirely.

johnpoz (Global Moderator):

I can tell you that I do forwards on the fly, other changes on the fly, and pretty much never have to reboot pfSense, nor do I lose connectivity when doing any sort of firewall rule or forward.

mrpijey:

                            Yeah well I can't explain it either, and the whole disconnection issue was what steered me away from NAT, since whatever I did I lost connection. And I sure can't reboot every time I add or change a rule. So something is very off here.

johnpoz (Global Moderator):

What hardware are you running on, what version of pfSense? What is your internet connection, DHCP cable? DSL? Are you using a PPPoE connection?

Etc.. etc.. Without having some clue about your environment it would be impossible for me to even guess what is going on. All I can say is I have been using pfSense since version 1.x and have never seen that sort of thing on my installs, be it on hardware or VM.

mrpijey:

                                What I did notice now is that the connection dropped out entirely only when the first NAT port forward was added. Once I rebooted and added more forwards the connection didn't drop out anymore. Perhaps it's a bug, or delayed reload of the service, I don't know, but I thought it was important to mention.

                                I am on fiber (1000/1000) (no PPPoE, just a Cat6 right into the wall :) ) and use pfSense 2.2-RELEASE (amd64).

                                But everything seems to work now. Thanks for all the input, I sure learned a lot more today. And very quick response as well, much appreciated!

johnpoz (Global Moderator):

                                  fiber 1000/1000 – bastard!!! ;) heheeheh

mrpijey:

                                    Yep, and for cheaps :). Thanks to you and doktornotor for all the help!

corotte:

Looks like you're not the only one on a fresh 2.2-RELEASE install having port forward issues.

                                      I can't figure out why my VOIP port won't forward correctly. Was working fine on 2.1.5-RELEASE.

A reboot did not help. Still not able to redirect 5060 TCP/UDP, 5090 TCP/UDP and 9000-9049 UDP.

Any idea what is happening?

johnpoz (Global Moderator):

So did you do a clean install and try to import the forwards, or did you recreate them from scratch on your fresh install?

corotte:

Clean install, since the upgrade from 2.1.5 failed with the mountroot issue (there are plenty of other threads about that).

The config was rebuilt by hand. No config file reuse.

I've tried to log packets via the related rules but the firewall log seems to have problems too (see thread in the firewall section).

I'm thinking of going back to 2.1.5 since NAT seems to be in trouble in 2.2, but I can try some diagnostics/workarounds before that.

doktornotor:

There is no such issue. Nuke all the broken manual firewall rules you created. Create port forwards in Firewall - NAT - Port Forwarding. Click Apply. Check that Outbound NAT is at Automatic (Outbound tab). Done.

corotte:

That's the way I always did it.

I've deleted and remade those port forwards a number of times to be sure I haven't made a mistake: still nothing.

Even with hybrid or manual outbound rules, it does not work.

Also, my PBX (3CX) uses a STUN server to diagnose firewall port forwards, and sometimes in the same test it just won't connect to the STUN server BUT the internet is working fine and it can resolve DNS queries.

That's really weird trouble :S

corotte:

OK, this is clearly related to 2.2.

I have to explain that I run pfSense in a XenServer 6.5 VM.
I stopped the 2.2 and reinstalled a fresh 2.1.5 on another VM WITH THE SAME CONFIG DONE MANUALLY (no backup/restore), and now port forwarding works as expected.

2.2 is installed with xentools, 2.1.5 without xentools (since not available).

I guess there are two possible things:
1- xentools giving issues
2- 2.2 having weird issues with port forwarding

Any idea where to start for diagnostics? I can provide the config file for analysis.

johnpoz (Global Moderator):

Let's think about it. If 2.2 was having port forwarding issues in general, I would think the boards would be LIT UP like a Xmas tree. I would have thought this would have shown up in beta, RC, etc.

But what I have seen is some weird threads where people are having problems with Xen. My guess is Xen.

I can tell you for sure I am running on ESXi, and 2.2 was running before the RC, etc., and I have had zero issues with port forwarding, etc.

To be honest I think there should be a new sticky somewhere: when posting a problem, not only should you state what version you're running, be it i386 or 64-bit, but also clarify whether it's on actual hardware or a VM, and if a VM, what software it is on, etc.

If you had mentioned Xen in your OP, I could have pointed to other threads where users are having odd issues with Xen. Here is one that comes fresh to my mind.
                                                  https://forum.pfsense.org/index.php?topic=86827.0

Derelict (Netgate):

                                                    XenServer 6.2 workaround here: https://forum.pfsense.org/index.php?topic=85797.0
                                                    It has zero to do with port forwarding.

Derelict (Netgate):

                                                      @mrpijey:

                                                      Perhaps it's a bug

                                                      Most of the bugs in pfSense are in the Layer 8 code base.  It's pretty complicated stuff.  They try and try release after release but they just can't seem to get it right.

                                                      Glad you got it working.

johnpoz (Global Moderator):

^ hehehehe yeah, I would agree layer 8 is a HUGE problem.

I find layer 8 a huge PITA at work as well; it is a very complicated problem dealing with layer 8. No matter how clearly you try to code the solution, it has problems there.

kejianshi:

                                                          Yeah - My layer 8 has issues to death…

corotte:

                                                            @johnpoz:

But what I have seen is some weird threads where people are having problems with Xen. My guess is Xen.

That makes sense for my NAT issue. I probably have other issues since I haven't had enough time to do complete tests.

I probably found the cause in this thread: https://forum.pfsense.org/index.php?topic=85797.0

I'll try to sort that out with the solution in there.

I was testing 2.2 on my VM at home before deploying it at work on a physical machine (Lenovo RS140). Despite the highly probable Xen issue, 2.2 seems to run pretty well.

Will come back with feedback.

corotte:

Got some news.

It is related to xentools and the FreeBSD 10.1 xn NIC.

See:
                                                              https://forum.pfsense.org/index.php?topic=85797.0
                                                              https://forum.pfsense.org/index.php?topic=86827.0

Credit goes to cmb, phadm and jpenninkhof for the solution.

STEP 1: in the pfSense web configurator, disable hardware checksum offloading under System > Advanced, Networking.
Checked:
Disable hardware checksum offload
Disable hardware TCP segmentation offload
Disable hardware large receive offload

Goal: disable hardware offload on pfSense.

STEP 2: on the XenServer console
# xe vm-vif-list uuid=VMUUID
# xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
# xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"

Goal: obtain the VIF UUIDs of the LAN and WAN interfaces of the VM and disable hardware offload on them.

STEP 3: reboot the VM and voila!

All works as expected.
This seems to be a temporary solution, I guess.

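The three steps above, wrapped as an added example that is not code from the post, from XenServer or from pfSense: a Python helper meant to run in the XenServer control domain. It extracts the VIF UUIDs from `xe vm-vif-list`, prints (or with `--apply`, runs) the `xe vif-param-set` pair from STEP 2 for every VIF rather than one hand-copied UUID at a time, and adds the check a practitioner wants after the reboot in STEP 3: parsing FreeBSD `ifconfig xn0` output from the pfSense side to confirm no checksum, TSO or LRO feature is still enabled. The `xe` listing and the `ifconfig` text are constructed samples (the xe layout is approximated from XenServer 6.x and not guaranteed field for field); the UUIDs, MAC and 203.0.113.10 address are made up. The STEP 1 checkboxes under System > Advanced still have to be set in the pfSense GUI.

```python
"""Disable NIC offload on the VIFs of a pfSense guest under XenServer, then verify.

Added example, not XenServer or pfSense code. Run in the XenServer control
domain as `python3 xen_offload.py VM-UUID --apply`; without --apply it only
prints the xe commands it would run.
"""
import re
import subprocess
import sys

# Constructed sample of `xe vm-vif-list uuid=...` output. Layout approximated
# from XenServer 6.x; UUIDs are made up.
SAMPLE_VIF_LIST = """\
uuid ( RO)                 : 0f2b7d6e-1111-4c8a-9a1b-aaaaaaaaaaaa
           vm-uuid ( RO): 4d4c2f0e-0000-4b7e-8e0c-bbbbbbbbbbbb
            device ( RO): 0
  network-name-label ( RO): WAN
currently-attached ( RO): true


uuid ( RO)                 : 9a8c1e22-2222-4c8a-9a1b-cccccccccccc
           vm-uuid ( RO): 4d4c2f0e-0000-4b7e-8e0c-bbbbbbbbbbbb
            device ( RO): 1
  network-name-label ( RO): LAN
currently-attached ( RO): true
"""

# Constructed sample of FreeBSD `ifconfig xn0` before the fix: the options
# line lists the offload features the xn driver negotiated with the host.
SAMPLE_IFCONFIG_BEFORE = """\
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=503<RXCSUM,TXCSUM,TSO4,LRO>
\tether 00:16:3e:aa:bb:cc
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
"""

VIF_UUID_RE = re.compile(r"^uuid \( RO\)\s*:\s*(?P<uuid>[0-9a-f-]{36})", re.M)
OPTIONS_RE = re.compile(r"options=[0-9a-fA-F]+<(?P<opts>[^>]*)>")
# Offload features that should all be gone after STEP 1 and STEP 2.
OFFLOAD_FLAGS = {"RXCSUM", "TXCSUM", "TSO4", "TSO6", "LRO",
                 "RXCSUM_IPV6", "TXCSUM_IPV6"}


def vif_uuids(listing: str) -> list:
    """Every VIF uuid in `xe vm-vif-list` output (one record per VIF)."""
    return VIF_UUID_RE.findall(listing)


def offload_disable_commands(uuids) -> list:
    """The vif-param-set pair from the thread, expanded for each VIF."""
    cmds = []
    for u in uuids:
        for direction in ("tx", "rx"):
            cmds.append(["xe", "vif-param-set", f"uuid={u}",
                         f"other-config:ethtool-{direction}=off"])
    return cmds


def enabled_offload(ifconfig_text: str) -> set:
    """Offload features still on per FreeBSD ifconfig; empty set is the goal."""
    m = OPTIONS_RE.search(ifconfig_text)
    if not m:
        return set()  # `options=0` prints without angle brackets
    return {f for f in m["opts"].split(",") if f in OFFLOAD_FLAGS}


def main(argv) -> int:
    if len(argv) < 2:
        print(__doc__)
        return 1
    vm_uuid, apply = argv[1], "--apply" in argv
    listing = subprocess.run(["xe", "vm-vif-list", f"uuid={vm_uuid}"],
                             check=True, capture_output=True, text=True).stdout
    for cmd in offload_disable_commands(vif_uuids(listing)):
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    print("reboot the VM, then confirm `ifconfig xn0` on pfSense lists none of:",
          ", ".join(sorted(OFFLOAD_FLAGS)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The host-side setting can be read back with `xe vif-param-get uuid=VIFUUID param-name=other-config` (the general `xe <class>-param-get` form); the guest-side check is the `options=` line of `ifconfig xn0` and `ifconfig xn1`, which `enabled_offload` reduces to the set of offload features still on. Both halves matter: the thread's fix only held once the pfSense checkboxes and the VIF settings were changed together.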
doktornotor:

                                                                @corotte:

                                                                got some news.

                                                                it is related to xentools and freebsd 10.1 xn nic


                                                                © 2021 Rubicon Communications, LLC | Privacy Policy