Netgate Discussion Forum
    Problem in setting port forwarding to a PC inside the LAN from the internet.

    NAT
    6 Posts 3 Posters 1.5k Views
    • victang7300

      Greetings everyone. I have set up a pfSense server as a Xen VM with 2 bridges, 1 to the internet and 1 to the LAN, as below:

      I would like to let myself connect to the Xen server (192.168.100.158) from the internet by setting up port forwarding on pfSense and opening port 22 in its firewall rules, but it does not seem to be working.

      Now I can see port 22 is open to the internet by testing with a port scanner. But if I connect to it with an SSH client, it keeps timing out and cannot connect.

      Please kindly help and advise if I have missed any important steps. Thank you very much for your help.

      • Derelict LAYER 8 Netgate

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • victang7300

          Thank you very much for the link. I have followed the instructions and tried to fix the issue, but without any luck.

          I would like to know which kind of keywords I need to check in order to confirm whether there is any traffic related to port 22 really going through the firewall. I am guessing the port is in fact not open after the configuration is set. Is there any command to force the pfSense system to refresh and update its port forward and firewall rules? Thank you,

          • Derelict LAYER 8 Netgate

            Stop blaming pfSense and you'll be well on your way to solving your problem. Post what you've done.

            • victang7300

              Yes, the steps I have done are as below:

              1. I have set up pfSense as an HVM in my Xen server with the easy install option, and then set up the basic settings such as the DNS, WAN and LAN interfaces with the Setup wizard on the web interface.
              The WAN can get the internet IP from the ISP, and I have set the LAN IP as 192.168.100.1. My machines in the 192.168.100.* network can reach the pfSense gateway and can reach the Internet normally.

              2. Then I added aliases for my hosts, including the Xen server (192.168.100.158) and the pfSense gateway (192.168.100.1), in the page "Firewall" -> "Aliases".

              3. Afterwards, I set up the NAT port forwarding rule in the page "Firewall" -> "NAT" and saved it; the details are as below:
              Disable: NOT checked
              No RDR: NOT checked
              Interface: WAN
              Protocol: TCP
              Source: Not specified
              Destination: WAN address
              Destination port range: From "SSH" to "SSH"
              Redirect target IP: "Xen" (Alias)
              Redirect target port: "SSH"
              Description: "SSH to Xen"
              No XMLRPC Sync: NOT checked
              NAT reflection: "Use system default"
              Filter rule association: "Create new associated filter rule"

              4. I changed the settings on page "System" -> "Advanced" -> "Firewall and NAT" on the following points:
              NAT reflection mode for port forwards: "Enable (Pure NAT)"
              Enable NAT Reflection for 1:1 NAT: CHECKED
              Enable automatic outbound NAT for Reflection: CHECKED

              5. I have added a new firewall rule on page "Firewall" -> "Rules" for WAN with the details:
              Action: "Pass"
              Disabled: NOT checked
              Interface: WAN
              TCP/IP Version: IPv4
              Protocol: TCP
              Source: "Any"
              Destination: "Any"
              Destination port range: From "SSH" to "SSH"
              Log: NOT checked
              Description: "SSH port Anti-block"

              6. I have reset the states with "Diagnostics" -> "Show States".

              • johnpoz LAYER 8 Global Moderator
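The question above asks which keywords confirm that port 22 traffic is really passing through the firewall, and step 6 refers to the state table under "Diagnostics" -> "Show States". The same data is what `pfctl -ss` prints on the pfSense shell, and reading it answers the question directly: a state with the WAN address on the left and the redirect target in parentheses proves the SYN arrived and matched the rdr; the state pair on the right says whether the target ever answered. The script below is an added example, written for this thread and not taken from pfSense, Netgate or the poster; it parses constructed sample lines modelled on pf's state output. The interface names xn0 (WAN) and xn1 (LAN), the WAN address 203.0.113.10 and the client addresses are assumptions.

```python
"""Interpret pf state-table lines for a TCP port forward (added example, not pfSense code).

Assumed layout of one `pfctl -ss` line (inbound states use '<-', outbound '->'):
    <iface> <proto> <wire-dst> [(<rdr-target>)] <- <src>      <src-state>:<dst-state>
    <iface> <proto> <nat-src>  [(<orig-src>)]   -> <dst>      <src-state>:<dst-state>
"""
import re
from dataclasses import dataclass
from typing import Optional

WAN_IF = "xn0"          # hypothetical Xen WAN interface name
FORWARDED_PORT = 22

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+?:\d+)(?:\s+\((?P<left_xlat>\S+?:\d+)\))?"
    r"\s+(?P<arrow><-|->)\s+"
    r"(?P<right>\S+?:\d+)(?:\s+\((?P<right_xlat>\S+?:\d+)\))?"
    r"\s+(?P<state>\S+)\s*$"
)

# Constructed sample, modelled on pfctl -ss output (not captured from a real box).
SAMPLE_PFCTL_SS = """\
xn0 tcp 203.0.113.10:22 (192.168.100.158:22) <- 198.51.100.7:51234       SYN_SENT:CLOSED
xn1 tcp 198.51.100.7:51234 -> 192.168.100.158:22       SYN_SENT:CLOSED
xn0 tcp 203.0.113.10:22 (192.168.100.158:22) <- 198.51.100.9:40210       ESTABLISHED:ESTABLISHED
xn1 tcp 198.51.100.9:40210 -> 192.168.100.158:22       ESTABLISHED:ESTABLISHED
xn0 udp 203.0.113.10:1194 <- 198.51.100.9:40211       MULTIPLE:MULTIPLE
xn1 tcp 192.168.100.20:58811 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
xn0 tcp 203.0.113.10:58811 (192.168.100.20:58811) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""


@dataclass
class PfState:
    iface: str
    proto: str
    inbound: bool                   # True for '<-' (packet entered on iface)
    dst: str                        # destination as it appeared on the wire
    dst_translated: Optional[str]   # where a rdr (port forward) sent it, if any
    src: str
    state: str                      # e.g. "SYN_SENT:CLOSED"


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one state line; returns None for lines that do not match the layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    if m["arrow"] == "<-":
        # inbound: wire-dst (rdr-target) <- src
        return PfState(m["iface"], m["proto"], True, m["left"], m["left_xlat"], m["right"], m["state"])
    # outbound: nat-src (orig-src) -> dst ; no rdr target is shown on this side
    return PfState(m["iface"], m["proto"], False, m["right"], None, m["left"], m["state"])


def port_of(hostport: str) -> int:
    return int(hostport.rpartition(":")[2])


def classify_forward(st: PfState) -> str:
    """What a single inbound WAN state says about a TCP port forward."""
    if st.dst_translated is None:
        return "matched a pass rule but no rdr: the packet was not redirected"
    if st.state == "SYN_SENT:CLOSED":
        return (f"SYN redirected to {st.dst_translated} but no SYN-ACK came back: "
                "target not listening, host firewall, or the target's gateway is not pfSense")
    if st.state == "ESTABLISHED:ESTABLISHED":
        return f"handshake completed through the forward to {st.dst_translated}"
    return f"redirected to {st.dst_translated}, connection state {st.state}"


def diagnose_port(state_output: str, port: int = FORWARDED_PORT, wan_if: str = WAN_IF) -> dict:
    """Summarise every inbound TCP state on the WAN whose wire destination port is `port`."""
    hits = []
    for line in state_output.splitlines():
        st = parse_state_line(line)
        if st is None or not st.inbound or st.iface != wan_if or st.proto != "tcp":
            continue
        if port_of(st.dst) == port:
            hits.append((st.src, classify_forward(st)))
    if not hits:
        verdict = (f"no inbound tcp/{port} state on {wan_if}: the SYN never reached a matching "
                   "WAN rule (blocked upstream, wrong interface, or rule/rdr not matching)")
    else:
        verdict = f"{len(hits)} inbound tcp/{port} state(s) on {wan_if}"
    return {"verdict": verdict, "states": hits}


if __name__ == "__main__":
    result = diagnose_port(SAMPLE_PFCTL_SS)
    print(result["verdict"])
    for src, meaning in result["states"]:
        print(f"  {src}: {meaning}")
```

On a real box the input would be the output of `pfctl -ss` (or the table on the "Show States" page) rather than the constructed sample. The three outcomes map onto the troubleshooting steps: no state at all means the packet never matched the WAN rule, so look upstream of pfSense or at the rule's interface and destination; `SYN_SENT:CLOSED` with the target in parentheses means the forward itself works and the problem is on the target host or its return route; `ESTABLISHED:ESTABLISHED` means the firewall is not the place to keep looking.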

                So you say in 4 you created a port forward and let it create the associated rule. Then in 5 you say you created a new rule with

                Destination: "Any"

                That is not correct. Why would you create a rule with any as the dest on your WAN?? When you create a forward, by default pfSense will create the required firewall WAN rule to allow that NAT/forward to work.

                Post up your WAN rules and your port forwards.. and we can see exactly what you have..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.