Port Forwarding is failing



  • I'm attempting to port forward using a newly installed pfsense 2.2 VM.

    Setup:
    Gateway(162.70.42.1) –> vmware standard vswitch --> pfsense vm (162.70.42.247/WAN)

    I'm attempting to add a port forwarding rule on the pfsense vm WAN interface (162.70.42.247) to another host on that same subnet, 162.70.42.69, but it's failing.  I've confirmed that the 162.70.42.69 host is pingable, tracert-able and the port is open on the host side (using 'Diagnostics --> 'Test Port' in the pfsense webgui).

    I've added an associated firewall rule along with the port forwarding rule.  I've read the port forwarding troubleshooting guide (https://forum.pfsense.org/index.php?topic=6630.0).  I've configured the pfsense WAN interface with the appropriate 162.70.42.1 GW address.

    What am I missing?




  • Port-forwarding is used with NAT, but you are specifying a public IP for the destination. Is the firewall transparent? You need to provide more details- IP of LAN side of the firewall, actual IP of the server, etc. A diagram would be helpful.



  • A port-forward translates from pfSense WAN to a machine on LAN.  You appear to have your WAN on the same subnet as the machine you're trying to forward to.  That won't work.  Why would you want to route through pfSense when they can go direct to that host?



  • Hi dotdash, thanks for your reply.

    @dotdash:

    Port-forwarding is used with NAT, but you are specifying a public IP for the destination.

    In this case, 162.70.42.0/24 is an internal/private IP addressing schema.  It's just a subnet of our internal network.

    @dotdash:

    Is the firewall transparent?

    I don't know.

    @dotdash:

    You need to provide more details- IP of LAN side of the firewall, actual IP of the server, etc.

    There is no LAN side of this firewall.  There is only one interface, the WAN, which has the address 162.70.42.247/24.  This firewall isn't the gateway for the 162.70.42.0 network.  The gateway is 162.70.42.1/24.  The IP address of the NAT IP/server is 162.70.42.69/24.

    @dotdash:

    A diagram would be helpful.

    It's not complex enough for a diagram, I don't think.  I drew a quick word diagram in my initial post.  I'm asking the firewall to port forward to another host on the SAME SUBNET, via the only interface, WAN.  Again, there is no LAN interface.



  • @KOM:

    A port-forward translates from pfSense WAN to a machine on LAN.  You appear to have your WAN on the same subnet as the machine you're trying to forward to.  That won't work.  Why would you want to route through pfSense when they can go direct to that host?

    Thanks, KOM, for your reply.  You're understanding the question correctly.  I'm trying to forward to a host on the same subnet as the pfSense box.

    Why would I want to route through pfSense? I'm trying to reach the NAT IP from outside the 162.70.42.0 subnet.


  • Banned

    @ryanlraines:

    In this case, 162.70.42.0/24 is an internal/private IP addressing schema.  It's just a subnet of our internal network.

    This is absolutely invalid.

    
    NetRange:       162.70.0.0 - 162.70.255.255
    CIDR:           162.70.0.0/16
    NetName:        CGI-US
    NetHandle:      NET-162-70-0-0-1
    Parent:         NET162 (NET-162-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:       
    Organization:   CGI Group Inc. (CGIGR-2)
    RegDate:        1992-08-17
    Updated:        2014-10-27
    Ref:            http://whois.arin.net/rest/net/NET-162-70-0-0-1
    
    

    Kindly stick to RFC1918 private ranges or ones that you actually own and have routed to you. Do not steal other people's IPs!!!

    Other than that, what are you forwarding there when it's on the same network? Plus, you only have WAN? And the hosts are hanging in the air?



  • @doktornotor:

    @ryanlraines:

    In this case, 162.70.42.0/24 is an internal/private IP addressing schema.  It's just a subnet of our internal network.

    This is absolutely invalid.

    
    NetRange:       162.70.0.0 - 162.70.255.255
    CIDR:           162.70.0.0/16
    NetName:        CGI-US
    NetHandle:      NET-162-70-0-0-1
    Parent:         NET162 (NET-162-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:       
    Organization:   CGI Group Inc. (CGIGR-2)
    RegDate:        1992-08-17
    Updated:        2014-10-27
    Ref:            http://whois.arin.net/rest/net/NET-162-70-0-0-1
    
    

    Kindly stick to RFC1918 private ranges or ones that you actually own and have routed to you. Do not steal other people's IPs!!!

    Other than that, what are you forwarding there when it's on the same network? Plus, you only have WAN? And the hosts are hanging in the air?

    doktornotor, thanks for the reply.

    Absolutely invalid? Not really.  162.70.40.0/24 is a subnet of 162.70.0.0/16 and sits behind a firewall.  So it's not public facing.  But I understand your point.

    Regardless of the IP scheme/space/ownership, let's make believe we were dealing with a 192.168.0.0/24 network here, if that helps to better understand my question.  I'm still trying to forward from pfsense to another host on the same subnet.  I think that's the important part of my question.


  • Banned

    It does not matter! This is completely wrong! What happens when you need to reach one of those hosts on the network you have hijacked!?

    Otherwise… kindly draw the diagram. Your description doesn't make any sense. An "appliance" with "only WAN" can serve like DNS, DHCP, NTP server... It cannot forward packets anywhere, since there's no place to forward anything.



  • You probably want a transparent firewall. Do some research into that. The configuration you have seems problematic at the least.



    So it's not public facing.  But I understand your point.

    You realize that by default pfSense WAN is set to ignore private address space?  It's not a good idea to use public IP space for internal networks.  Real bad idea, especially when the existing private IP space is massive.

    Screencaps of your WAN/LAN interface details and WAN/LAN firewall rules to go any farther.


  • Banned

    @KOM:

    Screencaps of your WAN/LAN interface details and WAN/LAN firewall rules to go any farther.

    He already said there's no LAN. The pfsense is apparently stuck there as a sore thumb, doing god knows what. Some heating/moving air perhaps.



  • He already said there's no LAN.

    I thought you were joking until I went back and reread everything.  No joke.  Part of me wonders if we're being trolled here.


  • LAYER 8 Global Moderator

    Why would you want to redirect this? Why don't you just directly access 162.70.42.69?

    Even if you managed to forward the traffic, the answer from the host you redirected to would be out of state for whatever sent the traffic to pfsense in the first place.  I would assume there's a firewall between the actual source of the traffic and the pfsense that you have with just a WAN interface.

    Why is it you think you want to redirect vs. just accessing?
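    The "out of state" problem described above, modelled as an added example (not code from the thread or from pfSense): a destination-only port forward sends the client's packet to 162.70.42.69, but the server answers the client directly via its own gateway, so the client receives a reply from an address it never talked to.  A client address (10.9.8.7) and the ports are constructed assumptions; adding source NAT to the pfSense WAN address is the usual fix, which the model shows too.

    ```python
    from dataclasses import dataclass
    from ipaddress import ip_address, ip_network
    from typing import Optional

    SUBNET = ip_network("162.70.42.0/24")   # addresses as given in the thread
    PFSENSE_WAN = "162.70.42.247"
    TARGET = "162.70.42.69"
    CLIENT = "10.9.8.7"                     # constructed: a host outside the /24

    @dataclass(frozen=True)
    class Packet:
        src: str
        sport: int
        dst: str
        dport: int

    def port_forward(pkt: Packet, vip: str, vport: int, target: str, tport: int,
                     snat: Optional[str] = None) -> Packet:
        """Apply the port-forward (DNAT); optionally also rewrite the source (outbound NAT)."""
        if (pkt.dst, pkt.dport) != (vip, vport):
            return pkt
        return Packet(snat or pkt.src, pkt.sport, target, tport)

    def server_reply(pkt: Packet) -> Packet:
        """The target simply swaps the addresses it saw."""
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def reply_path(rep: Packet) -> str:
        """Who carries the reply: pfSense, the local segment, or the real gateway (.1)?"""
        if rep.dst == PFSENSE_WAN:
            return "pfsense"
        return "direct-l2" if ip_address(rep.dst) in SUBNET else "gateway"

    def client_accepts(sent: Packet, received: Packet) -> bool:
        """The client's socket only matches a reply from the address:port it sent to."""
        return (received.src, received.sport, received.dst, received.dport) == \
               (sent.dst, sent.dport, sent.src, sent.sport)

    def simulate(with_snat: bool) -> dict:
        sent = Packet(CLIENT, 40000, PFSENSE_WAN, 8080)
        fwd = port_forward(sent, PFSENSE_WAN, 8080, TARGET, 80,
                           PFSENSE_WAN if with_snat else None)
        rep = server_reply(fwd)
        path = reply_path(rep)
        if path == "pfsense":
            delivered = Packet(PFSENSE_WAN, 8080, CLIENT, 40000)  # pfSense un-NATs via its state
        else:
            delivered = rep   # reaches the client with src 162.70.42.69:80, never via pfSense
        return {"reply_path": path, "client_accepts": client_accepts(sent, delivered)}
    ```
    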



  • Really need to describe your setup a bit more. It doesn't sound like you want or need to do any port forwarding here. But it's not clear what you're trying to accomplish.

