Port forwarding headaches
-
Hi!
I've been a long term user of Smoothwall but I decided to go with pfSense. Everything went fine with installation, I got internet access and everything is peachy. But when I try to forward ports to my internal servers nothing works.
I've verified the web server is running, I can access it internally without issues, same thing with all other services (FTP, game server etc). I used the "Test Port" tool in pfSense and it reports ports are open and working.
I don't use any NAT, VPN or anything special. Internal IPs are assigned by pfSense DHCP server, and internet access and all works from all connected clients.
I tried to add a port forwarding (Firewall > Rules) and added the following data:
192.168.0.250 is the server running the web server.
The end result is:
But trying to access the site externally (by DNS or IP) does nothing. Same goes for FTP (port 21) or anything else. I've set up some 10 different rules, but when doing a full port scan from externally nothing is open.
Is it supposed to be this difficult? It was quite straightforward in Smoothwall…
Thanks for any help!
-
Your source port range is just wrong, should be Any and not 80/443. Beyond that, you should be doing this via Firewall - NAT - Port Forwarding.
-
"10 different rules, but when doing a full port scan from externally nothing is open."
And pfsense wan is not behind a NAT.. First thing, if you're not seeing the traffic on pfsense wan, you can never forward it! I would guess you're behind a nat and that is not sending the traffic on to pfsense. What is the IP address on pfsense wan? Does it start with 192.168.x.x, 10.x.x.x, 172.16-31.x.x ??
Sniff on your wan, under diag – do you see the traffic pfsense is supposed to forward?
-
Well everything worked fine with Smoothwall, all I did was reinstall to pfSense…
I've changed the port source to Any, still no go.
My external IP isn't 192.168.x.x or 10.x or 172.x, it's the external IP my ISP gave me (which pfSense reports too). I can ping the IP (after enabling ICMP) so it's definitely connecting to pfSense.
-
Once again. You should be doing this in Firewall - NAT - Port Forwarding. Really no idea what you mean by "I don't use any NAT".
-
When I use Firewall > NAT > Port forwarding I lose all connection to the net and I have to roll back the setting before I get access again. Unless I define something wrong in the forwarding rule…
-
^ valid point.. Where is your actual forward?? You just have firewall rules.. And source is wrong as well as dok already pointed out.
You pick what port you want to forward and what private IP you want to send it to - it auto does the firewall rules.
-
"^ valid point.. Where is your actual forward?? You just have firewall rules.. And source is wrong as well as dok already pointed out.
You pick what port you want to forward and what private IP you want to send it to - it auto does the firewall rules."
What do you mean? I thought the firewall rules defined that by setting a source port/address to destination port/address.
Am I missing something vital here? Any time I try to use NAT > Forward I lose connection and need to rollback to get it back.
-
Dude it takes 2 seconds to create a forward..
Here you really have to only touch 3 boxes.. What port you're forwarding, http in this case.. What IP you want to send it to.. And that you want to send to http as well.. Vs say sending port 10,000 on your wan to 80 on private side box.
If this takes you more than 5 seconds you're doing it wrong!! Those are the only things you have to touch to send http to a box on pfsense lan.. It will create the firewall rule for you… It really could not be any simpler..
You mentioned "I don't use any NAT" Nonsense, how would you nat that public IP your ISP gives on your wan to your private rfc1918 space?? So clearly you're using nat - unless pfsense is behind a nat already.. Did you disable nat in pfsense? If so it would not be working if your pfsense had public on its wan.
-
Thanks, managed to find out what I did wrong. I followed this guide, but what made me think it didn't work is the fact that my entire access to the internet drops when I apply any NAT settings. If I reboot pfSense then things are up and working again, and this time the port forward does work. But why does the connection cut out entirely? I lose connection to Internet, and a few seconds later I also lose connection to pfSense Web Admin entirely.
-
I can tell you that I do forwards on the fly, other changes on the fly and pretty much never have to reboot pfsense nor do I lose connectivity if doing any sort of firewall rule or forward.
-
Yeah well I can't explain it either, and the whole disconnection issue was what steered me away from NAT, since whatever I did I lost connection. And I sure can't reboot every time I add or change a rule. So something is very off here.
-
What hardware are you running on, what version of pfsense? What is your internet connection, dhcp cable? dsl, are you using pppoe connection?
Etc.. etc.. Without having some clue to your environment it would be impossible for me to even guess to what is going on.. All I can say is I have been using pfsense since version 1.x and have never seen that sort of thing on my installs, be it on hardware or vm.
-
What I did notice now is that the connection dropped out entirely only when the first NAT port forward was added. Once I rebooted and added more forwards the connection didn't drop out anymore. Perhaps it's a bug, or delayed reload of the service, I don't know, but I thought it was important to mention.
I am on fiber (1000/1000) (no PPPoE, just a Cat6 right into the wall :) ) and use pfSense 2.2-RELEASE (amd64).
But everything seems to work now. Thanks for all the input, I sure learned a lot more today. And very quick response as well, much appreciated!
-
fiber 1000/1000 – bastard!!! ;) heheeheh
-
Yep, and for cheaps :). Thanks to you and doktornotor for all the help!
-
Looks like you're not the only one on fresh install 2-2 RELEASE having port forward issue.
I can't figure out why my VOIP port won't forward correctly. Was working fine on 2.1.5-RELEASE.
A reboot did not help. Still not able to redirect 5060 TCP/UDP, 5090 TCP/UDP and 9000-9049 UDP.
Any idea what is happening?
-
So did you do a clean install and try and import the forwards, or did you recreate them from scratch like your fresh install?
-
Clean install, since the upgrade from 2.1.5 failed with a mountroot issue (there are plenty of other threads about that).
The config was rebuilt by hand. No config file reuse.
I've tried to log packets via related rules but the firewall log seems to have a problem too (see thread in firewall section).
I'm thinking of going back to 2.1.5 since NAT seems to be in trouble in 2.2, but I can try some diagnostics/workarounds before.
-
There is no such issue. Nuke all the broken manual firewall rules you created. Create port forwards in Firewall - NAT - Port Forwarding. Click Apply. Check that Outbound NAT is at Automatic (Outbound tab). Done.
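
The three checks the replies in this thread ask for (WAN address not in RFC 1918 space, source port left at Any, and an actual NAT port forward behind every pass rule to a private host), written as a small rule review. This is an added example, not part of the thread and not pfSense code; the dict layout, function names, finding codes and sample addresses are assumptions made for illustration.

```python
import ipaddress

# The RFC 1918 ranges asked about in the thread: 10.x, 172.16-31.x, 192.168.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def review_forward(wan_ip, filter_rules, nat_forwards):
    """Return (rule name, finding code) pairs for an inbound forward setup.

    The dict layout is hypothetical, not pfSense's configuration format.
    """
    findings = []
    if is_rfc1918(wan_ip):
        # A private WAN address means another NAT device sits upstream.
        findings.append(("wan", "WAN_PRIVATE"))
    redirected = {(f["proto"], f["target_ip"], f["target_port"])
                  for f in nat_forwards}
    for r in filter_rules:
        if r["src_port"] != "any":
            # Clients connect from ephemeral ports; a fixed source port
            # on the rule will not match them.
            findings.append((r["name"], "SRC_PORT"))
        dest = (r["proto"], r["dst_ip"], r["dst_port"])
        if is_rfc1918(r["dst_ip"]) and dest not in redirected:
            # A pass rule alone does not translate the WAN address.
            findings.append((r["name"], "NO_FORWARD"))
    return findings


# Constructed sample data; 203.0.113.10 is a documentation address.
BROKEN_RULES = [{"name": "http", "proto": "tcp", "src_port": "80",
                 "dst_ip": "192.168.0.250", "dst_port": 80}]
FIXED_RULES = [{"name": "http", "proto": "tcp", "src_port": "any",
                "dst_ip": "192.168.0.250", "dst_port": 80}]
FIXED_NAT = [{"proto": "tcp", "wan_port": 80,
              "target_ip": "192.168.0.250", "target_port": 80}]

if __name__ == "__main__":
    print(review_forward("203.0.113.10", BROKEN_RULES, []))
    print(review_forward("203.0.113.10", FIXED_RULES, FIXED_NAT))
    print(review_forward("192.168.1.2", FIXED_RULES, FIXED_NAT))
```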