Copied NAT Rule Not Working



  • I have an FTP NAT with associated FW rule working fine.

    I copied this to create a MySQL NAT which created an associated FW rule.

    Comparing the config screens for each NAT and each FW rule, they are identical except for the port. (There is a preset port for (FTP) choice in the drop-down, (other) was chosen for port 3306.)

    Everything was Saved and Applied.

    Using an online port scanner service, I test port 21 and port 3306.

    Packet capture on WAN shows both tests: 21 has a 'conversation', 3306 only has one entry.

    Packet capture on LAN shows the same for 21, nothing at all for 3306.

    Nothing seen for 3306 in a state table.

    Nowhere is it mentioned, so I assume I don't have to reboot the pfSense box to get the new NAT/rule to be working.

    I have read doc.pfsense.org/index.php/Port_Forward_Troubleshooting.

    pfSense - current version - 2.2.3



  • This may apply to my situation:
    https://forum.pfsense.org/index.php?topic=92472.msg512368#msg512368

    Let me spend a few weeks learning how to get this sorted and then let's hope.



  • This is what I guess happened:

    I was running pfSense v1 (or maybe an early version of v2). The package pfBlocker was installed.

    I upgraded to pfSense 2.2.3 (or, at least, the system got upgraded to 2.2.3 - don't know if it was automatic or not, from a lower version of v2).

    Somewhere along the way, pfBlocker disappeared.

    However, aliases that were created to group additional IP addresses in that version of pfBlocker no longer had targets to resolve to.

    I will assume that the failure to properly finish parsing the alias file somehow caused pfSense to not actually apply the changes to the NAT and firewall rules, even though those changes did show in the configuration tables.

    I removed the firewall rules that used those aliases and then removed the aliases.

    I installed and enabled the latest pfBlocker package.

    The online port scanner service reports that port 3306 is open.

    I will now attempt to conduct the experiments for which I opened port 3306 in the first place.
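    The diagnosis above (rule visible in the config, but never loaded into pf) suggests a check worth scripting: compare what `pfctl` actually loaded against what the GUI shows, and look for stale aliases with no members. The sh script below is an added example, not code from the thread or from pfSense; its `pfctl` output, addresses and table names are constructed samples.

    ```shell
    #!/bin/sh
    # Added example, not from the thread. Distinguishes "the rule is in config.xml"
    # from "pf actually loaded the rule". On a pfSense box feed it live output:
    #   pfctl -sn | check_rdr_loaded 3306
    # Constructed sample output stands in here so the script runs anywhere.

    # Succeed (exit 0) if the `pfctl -sn` text on stdin has a TCP rdr for port $1.
    # Assumes the rule syntax "... proto tcp ... port = PORT ->" that pfctl prints.
    check_rdr_loaded() {
        grep -Eq "^rdr .*proto tcp .*port = $1( |$)"
    }

    # Read table names (one per line, as `pfctl -sT` prints them) from stdin and
    # print those with no members. $1 names a function that prints a table's
    # members; on a live box pass one like: pf_table_show() { pfctl -t "$1" -T show; }
    empty_tables() {
        while read -r name; do
            [ -n "$name" ] || continue
            [ -n "$("$1" "$name")" ] || echo "$name"
        done
    }

    # Constructed `pfctl -sn` output: the FTP forward was loaded, the MySQL one was
    # not, matching the symptom in the thread (rule in the GUI, absent from pf).
    SAMPLE_RDR='rdr pass on em0 inet proto tcp from any to 203.0.113.5 port = 21 -> 192.168.1.10
    nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5'

    # Constructed stand-in for `pfctl -t NAME -T show`. "stale_blocklist" models an
    # alias left behind by the removed pfBlocker package: it resolves to nothing.
    mock_table_show() {
        case "$1" in
            mysql_hosts)     echo "192.168.1.20" ;;
            stale_blocklist) ;;
        esac
    }

    if printf '%s\n' "$SAMPLE_RDR" | check_rdr_loaded 3306; then
        echo "rdr for 3306 is loaded"
    else
        echo "rdr for 3306 is NOT in the loaded ruleset; check aliases before re-applying"
    fi
    # Lists every table that has no entries (prints "stale_blocklist" for the sample).
    printf 'mysql_hosts\nstale_blocklist\n' | empty_tables mock_table_show
    ```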


  • Moderator

    The older pfBlocker version is a separate package than pfBlockerNG. The older version is also not available for pfSense +2.2.

    Here is a script to flush the old pfBlocker remnants from the config.

    https://forum.pfsense.org/index.php?topic=88443.msg491279#msg491279

