Not forwarding back packets through NAT firewall



  • I have a pfSense box setup where my WAN interface (em0) is set up in my local network (192.168.1.100) and my LAN interface (em1) is a private network of its own (10.0.0.1). The end goal is to have the 10.0.0.x network as private malware lab where devices on that network cannot talk to anything on the 192.168.1.x network directly. Though, I would like to punch holes in the pfSense firewall to allow traffic from 192.168.1.x network to access services in the private network, such as FTP, HTTP, SMB, SSH, etc. So if I FTP to 192.168.1.100 (WAN interface) then it'll route though to the FTP server running on a device internal to 10.0.0.x. Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens. Note that this is happening for all services I try. Even if I just punch open a random port and use ncat on both ends, my connection doesn't establish and times out.

    And I can see some FTP traffic through pfSense with tcpdump.

    Here's my NAT port forwarding rules (they also have an associated filter rule).

    And also if it's helpful, my LAN firewall rules as well.

    I thought that maybe there was an error with my blocking rules to block 192.168.1.x traffic from the 10.0.0.x network, but I have that rule disabled. I'm at a total loss and don't understand what is going wrong, so any help would be super appreciated!

    Also note that on both my LAN and WAN interfaces, I'm not blocking private or bogon networks.


  • Netgate

    Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

    Then the problem is on your FTP server.  Local firewall?  Is FTP even running?



  • Can we see your WAN rules to verify that they match your port forwards?



  • @Derelict:

    Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

    Then the problem is on your FTP server.  Local firewall?  Is FTP even running?

    FTP is running, I can connect to it from boxes in my 10.0.0.x range. No local firewall running. But even so, I'm trying with more than just FTP.

    @KOM:

    Can we see your WAN rules to verify that they match your port forwards?

    I'm assuming this is what you mean regarding WAN rules?



  • FTP can be funny and I wouldn't recommend you test against it for now.  You said you had an SSH server running on LAN, but I don't see any WAN rule that allows TCP 22.  Perhaps you could add that rule and then try again with your SSH server.



  • @KOM:

    FTP can be funny and I wouldn't recommend you test against it for now.  You said you had an SSH server running on LAN, but I don't see any WAN rule that allows TCP 22.  Perhaps you could add that rule and then try again with your SSH server.

    I added in SSH. There's a lot going on in this screenshot… The CMD window is showing that my Windows 7 VM is in the 10.0.0.x range (10.0.0.101). It has Putty running in it to show that it's connecting to my Kali Linux box at 10.0.0.199, showing SSH is enabled and working. Then I have another putty screen on my computer in my home range (192.168.1.130) trying to SSH through pfsense (192.168.1.100) and it not working.



  • Hmm.  Did you also add your TCP 22 rule to WAN?  Are you running any extra packages like Snort or pfBlocker?  Which version of pfSense?  This should just work.



  • @KOM:

    Hmm.  Did you also add your TCP 22 rule to WAN?  Are you running any extra packages like Snort or pfBlocker?  Which version of pfSense?  This should just work.

    No extra packages, straight up default install besides configuring interfaces and the firewall rules. pfsense 2.2.2-RELEASE (amd64).

    Here are my WAN rules.



  • Anything in Status - System logs - Firewall when you run your tests?  This is literally dead-simple.  Any particular reason you're not using 2.2.4?  Not that I'm aware of any such issue in 2.2.2, but I always prefer to debug on current versions so you aren't chasing ghosts that have already been fixed in updated versions.



  • @KOM:

    Anything in Status - System logs - Firewall when you run your tests?  This is literally dead-simple.  Any particular reason you're not using 2.2.4?  Not that I'm aware of any such issue in 2.2.2, but I always prefer to debug on current versions so you aren't chasing ghosts that have already been fixed in updated versions.

    Right? I figured it'd be super easy to do, just not sure why it's not. I'm only using 2.2.2 because that's what my ISO is when I installed.

    I cleared the firewall logs and then ran my FTP and SSH tests, and nothing is really showing up.



  • Are you doing this on physical machines or virtual machines?



  • @KOM:

    Are you doing this on physical machines or virtual machines?

    pfsense and everything in the 10.0.0.x network would be virtual machines under the same host. 192.168.1.x are all physical. Here's my network configuration on the ESX host.


  • Netgate

    @chiggins:

    @Derelict:

    Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

    Then the problem is on your FTP server.  Local firewall?  Is FTP even running?

    FTP is running, I can connect to it from boxes in my 10.0.0.x range. No local firewall running. But even so, I'm trying with more than just FTP.

    It doesn't matter.  You said the FTP server receives the SYN and nothing else happens.  There is nothing your firewall can do to make your FTP server return a SYNACK.

    So either I misunderstood what you were saying or you're chasing phantoms in your firewall when you should be looking at the server.



  • @Derelict:

    @chiggins:

    @Derelict:

    Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

    Then the problem is on your FTP server.  Local firewall?  Is FTP even running?

    FTP is running, I can connect to it from boxes in my 10.0.0.x range. No local firewall running. But even so, I'm trying with more than just FTP.

    It doesn't matter.  You said the FTP server receives the SYN and nothing else happens.  There is nothing your firewall can do to make your FTP server return a SYNACK.

    So either I misunderstood what you were saying or you're chasing phantoms in your firewall when you should be looking at the server.

    Well, true. But I'm still getting the same results with SSH as well, no connection is being made. There's no host based firewall, and computers in the same network can make connections, so I'm guessing it's something within pfsense that's not working.


  • Netgate

    Dude.  If you saw the SYN go to the server and nothing came back out IT'S NOT PFSENSE!

    Likely cause 1: There is a local firewall on the server. (you don't see the SYNACK because the server is dropping the SYN)

    Likely cause 2: pfSense is not the default gateway on the server. (you don't see the SYNACK because it's going out another interface)

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • @Derelict:

    Dude.  If you saw the SYN go to the server and nothing came back out IT'S NOT PFSENSE!

    Likely cause 1: There is a local firewall on the server. (you don't see the SYNACK because the server is dropping the SYN)

    Likely cause 2: pfSense is not the default gateway on the server. (you don't see the SYNACK because it's going out another interface)

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    1. There's no firewall on the machine. No iptables rules. Nada. Other machines inside the network can access FTP/SSH/ncat on the machine.
    2. If you look at the following screenshot, you'll see that pfsense (10.0.0.1) is the default route and gateway on the FTP/SSH machine I'm trying to test on.


  • Netgate

    Don't know then.  If the SYN is getting to the server and no SYNACK is coming out, it's not the firewall.  It sent the SYN like it's supposed to.



  • The question now is, is the SYNACK from server being blocked, or is it not even being sent?  Where are you doing your packet capture?  On one of pfSense's interfaces or the server?  Do you know that the server is receiving the initial SYN at all?



  • @KOM:

    The question now is, is the SYNACK from server being blocked, or is it not even being sent?  Where are you doing your packet capture?  On one of pfSense's interfaces or the server?  Do you know that the server is receiving the initial SYN at all?

    If you take a look at the images in my first post, you'll see one with Wireshark running, and another with two Putty instances. Wireshark is running on my Kali Linux box which is where the FTP server is living. From there you can see the SYN being accepted on the box, but no SYNACK being sent. The two Putty instances are SSH to the pfsense box, and have tcpdump running on both the WAN and LAN interfaces looking at port 21. There's some traffic going through there as you can see.



  • This just gets weirder and weirder.  If you're doing the capture on the server itself, and you can see the incoming SYN from the client but no corresponding SYNACK from the server, then pfSense has nothing to do with it.  Are you absolutely positive that you don't have some firewall on the box that is refusing to talk to anything non-local?


  • Rebel Alliance Global Moderator

    Agree with KOM on that for sure.. If your sniffing on the actual server and you see a syn and no syn,ack back then that has nothing to do with anything other than that server.  Be it a firewall that never let the syn get to the application, or application not even running or listening on that port the syn went to.  Or it sent it out a different interface, or firewall blocking the outbound traffic from that application, etc.

    But for sure its the box.. unless for some reason that syn was so malformed that was not answered.  Which seems very far fetched.