Can't get port forwarding to work



  • Hi,

First off, I'd like to say that I think that PFSense is one great piece of software, but I'm having some problems with port forwarding and I'm not sure exactly why, and it's not like I have done this before.
    My PFSense box (PFS v1.2 RC4 built on Tue Jan 15 23:05:07 EST 2008): the WAN is connected to the internet via a fiber modem and gets the IP from the ISP's DHCP server. In the future I'm planning to add another external internet connection for redundancy, but I'll leave that for the moment. There is also only one local network for the moment (I plan to divide it later) with a transparent proxy, which works just fine, so it's just a simple case of WAN->[PFS]->LAN.
    As seen on the included images, I've already added port forwarding for the PFS WebGUI and PFS SSH and both work just fine from the internet, but when I try to add port forwarding for the web server to an internal IP address it doesn't work (although it did for a moment, but I have no idea why it stopped). I've also tried with other applications (VNC, FTP, SSH, etc.) and got the same result: nothing, like the port was not forwarded. I even tried forwarding VNC to another local machine, same result. I'm able to reach the PFS but not the internal network. I've turned off port reflection, tried disabling the transparent proxy, unblocked private networks on the WAN side, and nothing.

Can someone please walk me through the procedure step by step, not leaving out any minute detail, so that I may try again and see if indeed I made a mistake somewhere (just treat it as a newly set up box with trans. proxy and the internet working). Because I feel really stupid for not seeing anything wrong.

    Or if someone just has an idea where I screwed up please let me know.
    The screen shots are attached below.

    Thank you for any help and best regards.









  • You misunderstood what the entries in the firewall mean.

    If you put as source "WAN interface" then this means exactly that.
    The IP of your WAN interface.

    If you put as destination 192.168.1.1 (your LAN interface) then the destination has to be exactly that.

The server you want to forward the port to isn't 192.168.1.1 (your LAN interface)
    but 192.168.1.20.

Also your first and second port forwards don't make any sense.
    Why are you NATing from the WAN to the LAN interface?
    If you want to access SSH and 8888 on pfSense itself, then just do that on the WAN.
    -> create a firewall rule that allows access to these services.



  • GruensFroeschli -> Thanks for the reply.
    Can you please elaborate on what you mean by the WAN interface in the firewall?

    So if I'm understanding you right, I have to delete everything out of NAT and Firewall.
    Now what do I have to enter into NAT so that all requests that come from the internet are forwarded to internal IP 192.168.1.20?
    And what do I need to do so that I have access to the PFS from the internet?

    Thanks again



  • I am officially committing suicide in the next 5 minutes.

Reinstalled the whole thing and set up everything again (Proxy, DNS, PortForwarding, everything) this morning from scratch, and it worked. It worked fine: port 80 was forwarded to IP 192.168.1.20 and it was reachable from the outside world. Then 10 minutes ago I tried it again (from the outside in) and it doesn't work any more. Meanwhile I haven't changed a thing.

    What am I doing wrong? :(

    Can someone help me figure this thing out?

    Thanks



  • Maybe it helps you if I show you some screenshots from a working system.

    My WAN is 192.168.20.6
    Server1 is 10.0.0.10  (alias Whitemage)
    Server2 is alias Redmage

With this setup I allow access to the WAN IP on port 444 (my webgui of pfSense),
    allow access from the WAN to Whitemage on port 80 (webserver),
    allow access on the VNC ports (5800 and 5900) to Whitemage,
    allow access on the VNC ports (5801 and 5901) to Redmage.






  • Thank you GruensFroeschli.
    I'm just installing a test version of PFs on another machine so that I can test various combinations to find one that works.
But I find it really strange that first it worked and then, without any special tampering, it stopped working.
    Are there any bugs or anything? I mean, I'm running a transparent proxy and DNS caching and some other stuff. But it bugs me that it worked and then stopped working…

    I'll post back when I have any results.

    Bye & thanks for now



  • Hey,

now this is just getting more ridiculous from minute to minute.

    To test this I took a brand new machine and the same network card as I have in the one that's not working.
    Here's what I did:
1.) installed PFsense and set everything up the same as on the other one
        a.) installed it (basic install, no packages or anything special)
        b.) set up the LAN and WAN -> got an IP, internet started working, hooked up a web server on an IP address (server works on the local LAN)
        c.) set up NAT port forwarding (on WAN from any:80 to 192.168.1.20); I let it create a rule in Rules (I edited it so that it logs the rule)
        d.) Tried from the outside: nothing, like everything was blocked.

    (meanwhile I tried to connect to the original machine that is giving me problems and it opened a web page just like it is supposed to. But it did so only once and when I tried again and from another location it didn't work again…. very strange)

2.) So I went on and changed the network card on the test machine: same thing, as if everything was blocked.
    3.) Since I have access to another PFSense machine that also has the same configuration, I backed up its configuration. Then I restored it on the one that is giving me problems, making a few adjustments just to the connection type (the problematic one gets the net via DHCP, the one that works gets it by PPPoE).
    4.) Again it didn't work; the only difference is that the working one has PPPoE internet access and the non-working one has access via DHCP. I really doubt that this could be the reason for not working.
    5.) While writing this post I tried the server again and, to my new amazement, it now worked without any playing around. Now I'm just waiting to see if it stops again.
    I hope it doesn't.
    And I just thought of something: is there any substantial time delay when setting up port forwarding? I know it doesn't work right away, but does it take something like two minutes or ten minutes?

    Thanks again and cross your fingers that it doesn't happen again.

    Best regards.



  • Well I guess I spoke too soon. I just checked it two minutes ago and it doesn't work again.
    Here is some additional information.
Even when the web, ssh, ftp forwardings stop working I can still access the webgui of PFS and SSH of PFS via the same rules. I'm not sure, but I think that this shouldn't work either. By the way, the server is working on the internal side; I've also been keeping a log on it. It's like something crashes and the LAN interface is not accessible anymore.
    What could I do to figure this thing out, because I'm at a dead end?

    It's like it has found a way to keep bugging me in a completely random way and schedule and I have no idea why it is doing this to me.

    Maybe it will work in the morning.  :(

    Night to all



  • Ok now I really don't know anymore.
I deleted all the NAT port forwards and the rules and did them again from scratch, and disabled the private network block on the WAN interface. And after about 5 minutes it seemed to work; everything worked, I even added a new forwarding for ssh and VNC and they all worked. But apparently just for an hour, because just now I tried again and nothing. I don't know, am I stupid or is there some bug or glitch that screws up the firewall after some time?
    Can anybody with more experience please help me figure out what is going on with my PFS?

    I'm adding my config file from the moment I noticed that it had started working. I don't know, is there something else I can post to help find the problem?

    Thanks for the help.

    Bye

    Here's the config file (I removed the info in brackets):

    <pfsense>
    	<version>3.0</version>
    	<lastchange/>
    	<theme>pfsense</theme>
    	<system>
    		<optimization>normal</optimization>
    		<hostname>[DELETED by me]</hostname>
    		<domain>[DELETED by me]</domain>
    		<username>admin</username>
    		<password>[DELETED by me]</password>
    		<timezone>Europe/Ljubljana</timezone>
    		<time-update-interval/>
    		<timeservers>ntp1.arnes.si</timeservers>
    		<webgui>
    			<protocol>https</protocol>
    			<port>8888</port>
    			<certificate/>
    			<private-key></private-key>
    		</webgui>
    		<dnsallowoverride/>
    		<ssh>
    			<authorizedkeys></authorizedkeys>
    		</ssh>
    		<enablesshd>yes</enablesshd>
    		<maximumstates/>
    		<shapertype></shapertype>
    	</system>
    	<interfaces>
    		<lan>
    			<if>sis0</if>
    			<ipaddr>192.168.1.1</ipaddr>
    			<subnet>24</subnet>
    			<media/>
    			<mediaopt/>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    		</lan>
    		<wan>
    			<if>sis1</if>
    			<mtu>1492</mtu>
    			<media/>
    			<mediaopt/>
    			<bandwidth>100</bandwidth>
    			<bandwidthtype>Mb</bandwidthtype>
    			<spoofmac>[DELETED by me]</spoofmac>
    			<disableftpproxy/>
    			<ipaddr>dhcp</ipaddr>
    			<dhcphostname></dhcphostname>
    		</wan>
    		<opt1>
    			<descr>OPT1</descr>
    			<if>rl0</if>
    		</opt1>
    		<opt2>
    			<descr>OPT2</descr>
    			<if>sis2</if>
    		</opt2>
    		<opt3>
    			<descr>OPT3</descr>
    			<if>sis3</if>
    		</opt3>
    	</interfaces>
    	<staticroutes/>
    	<pppoe>
    		<username/>
    		<password></password>
    	</pppoe>
    	<pptp>
    		<username/>
    		<password/>
    		<local></local>
    	</pptp>
    	<bigpond/>
    	<dyndns>
    		<type>dyndns</type>
    		<username/>
    		<password></password>
    	</dyndns>
    	<dhcpd>
    		<lan>
    			<enable/>
    			<range>
    				<from>192.168.1.100</from>
    				<to>192.168.1.199</to>
    			</range>
    		</lan>
    	</dhcpd>
    	<pptpd>
    		<mode/>
    		<redir/>
    		<localip></localip>
    	</pptpd>
    	<ovpn/>
    	<dnsmasq>
    		<enable></enable>
    	</dnsmasq>
    	<snmpd>
    		<syslocation>[DELETED by me]</syslocation>
    		<syscontact>[DELETED by me]</syscontact>
    		<rocommunity>public</rocommunity>
    		<modules>
    			<mibii/>
    			<netgraph></netgraph>
    		</modules>
    		<enable/>
    		<pollport>161</pollport>
    		<trapserver/>
    		<trapserverport/>
    		<trapstring></trapstring>
    	</snmpd>
    	<diag>
    		<ipv6nat></ipv6nat>
    	</diag>
    	<bridge/>
    	<syslog>
    		<reverse/>
    		<nentries>50</nentries>
    	</syslog>
    	<nat>
    		<ipsecpassthru>
    			<enable></enable>
    		</ipsecpassthru>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>22</external-port>
    			<target>192.168.1.20</target>
    			<local-port>22</local-port>
    			<interface>wan</interface>
    			<descr>ssh_server</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>80</external-port>
    			<target>192.168.1.20</target>
    			<local-port>80</local-port>
    			<interface>wan</interface>
    			<descr>www</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>5900</external-port>
    			<target>192.168.1.20</target>
    			<local-port>5900</local-port>
    			<interface>wan</interface>
    			<descr>vnc_server</descr>
    		</rule>
    		<rule>
    			<protocol>tcp</protocol>
    			<external-port>8888</external-port>
    			<target>192.168.1.1</target>
    			<local-port>8888</local-port>
    			<interface>wan</interface>
    			<descr>webgui</descr>
    		</rule>
    	</nat>
    	<filter>
    		<rule>
    			<type>pass</type>
    			<interface>wan</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.20</address>
    				<port>80</port>
    			</destination>
    			<descr>NAT_www</descr>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<interface>wan</interface>
    			<max-src-nodes/>
    			<max-src-states/>
    			<statetimeout/>
    			<statetype>keep state</statetype>
    			<os/>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.1</address>
    				<port>8888</port>
    			</destination>
    			<descr>NAT_webgui</descr>
    		</rule>
    		<rule>
    			<type>pass</type>
    			<descr>Default LAN -> any</descr>
    			<interface>lan</interface>
    			<source>
    				<network>lan</network>
    			</source>
    			<destination>
    				<any></any>
    			</destination>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.20</address>
    				<port>22</port>
    			</destination>
    			<descr>NAT ssh_server</descr>
    		</rule>
    		<rule>
    			<interface>wan</interface>
    			<protocol>tcp</protocol>
    			<source>
    				<any/>
    			</source>
    			<destination>
    				<address>192.168.1.20</address>
    				<port>5900</port>
    			</destination>
    			<descr>NAT vnc_server</descr>
    		</rule>
    	</filter>
    	<shaper/>
    	<ipsec>
    		<preferredoldsa></preferredoldsa>
    	</ipsec>
    	<aliases/>
    	<proxyarp/>
    	<cron>
    		<item>
    			<minute>0</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 newsyslog]]></command>
    		</item>
    		<item>
    			<minute>1,31</minute>
    			<hour>0-5</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 adjkerntz -a]]></command>
    		</item>
    		<item>
    			<minute>1</minute>
    			<hour>3</hour>
    			<mday>1</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 /etc/rc.update_bogons.sh]]></command>
    		</item>
    		<item>
    			<minute>*/60</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout]]></command>
    		</item>
    		<item>
    			<minute>1</minute>
    			<hour>1</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 /etc/rc.dyndns.update]]></command>
    		</item>
    		<item>
    			<minute>*/60</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot]]></command>
    		</item>
    		<item>
    			<minute>*/60</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c]]></command>
    		</item>
    		<item>
    			<minute>*/5</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/local/bin/checkreload.sh]]></command>
    		</item>
    		<item>
    			<minute>*/5</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/etc/ping_hosts.sh]]></command>
    		</item>
    		<item>
    			<minute>*/140</minute>
    			<hour>*</hour>
    			<mday>*</mday>
    			<month>*</month>
    			<wday>*</wday>
    			<who>root</who>
    			<command><![CDATA[/usr/local/sbin/reset_slbd.sh]]></command>
    		</item>
    	</cron>
    	<wol/>
    	<installedpackages>
    		<package>
    			<name>squid</name>
    			<descr>High performance web proxy cache.</descr>
    			<website>http://www.squid-cache.org/</website>
    			<category>Network</category>
    			<version>2.6.18.1</version>
    			<status>BETA</status>
    			<required_version>1.0</required_version>
    			<maintainer>fernando@netfilter.com.br seth.mos@xs4all.nl</maintainer>
    			<depends_on_package_base_url>http://files.pfsense.org/mirror/packages/All</depends_on_package_base_url>
    			<depends_on_package>squid-2.6.18.tbz</depends_on_package>
    			<depends_on_package>squid_radius_auth-1.0.8.tbz</depends_on_package>
    			<depends_on_package>openldap-client-2.3.40.tbz</depends_on_package>
    			<config_file>http://www.pfsense.org/packages/config/squid/squid.xml</config_file>
    			<configurationfile>squid.xml</configurationfile>
    		</package>
    		<package>
    			<name>squidGuard</name>
    			<descr>High perfomance web proxy filter. Required proxy squid-2.6.5 (or hi).</descr>
    			<website>http://www.squidGuard.org/</website>
    			<maintainer>dv_serg@mail.ru</maintainer>
    			<category>Network Management</category>
    			<version>1.2.0_1</version>
    			<status>Beta</status>
    			<required_version>1.1</required_version>
    			<depends_on_package_base_url>http://www.pfsense.org/mirrors/packages/All/</depends_on_package_base_url>
    			<depends_on_package>squidGuard-1.2.0_1.tbz</depends_on_package>
    			<config_file>http://www.pfsense.org/packages/config/squidGuard/squidguard.xml</config_file>
    			<configurationfile>squidguard.xml</configurationfile>
    		</package>
    		<menu>
    			<name>Proxy server</name>
    			<tooltiptext>Modify the proxy server's settings</tooltiptext>
    			<section>Services</section>
    			<url><![CDATA[/pkg_edit.php?xml=squid.xml&id=0]]></url>
    		</menu>
    		<menu>
    			<name>Proxy Content filter</name>
    			<tooltiptext>Modify the proxy server's filter settings</tooltiptext>
    			<section>Services</section>
    			<url><![CDATA[/pkg_edit.php?xml=squidguard.xml&id=0]]></url>
    		</menu>
    		<service>
    			<name>squid</name>
    			<rcfile>squid.sh</rcfile>
    			<executable>squid</executable>
    			<description>Proxy server Service</description>
    		</service>
    		<service>
    			<name>squidGuard</name>
    			<description>Proxy server filter Service</description>
    			<executable>squidGuard</executable>
    		</service>
    		<tinydns>
    			<config>
    				<ipaddress>127.0.0.1</ipaddress>
    			</config>
    		</tinydns>
    		<squid>
    			<config>
    				<active_interface>lan</active_interface>
    				<allow_interface>on</allow_interface>
    				<transparent_proxy>on</transparent_proxy>
    				<private_subnet_proxy_off/>
    				<log_enabled>on</log_enabled>
    				<log_dir>/logs/proxy_server.log</log_dir>
    				<proxy_port>80</proxy_port>
    				<icp_port/>
    				<visible_hostname/>
    				<admin_email>[DELETED by me]</admin_email>
    				<error_language>English</error_language>
    				<disable_xforward/>
    				<disable_via/>
    				<uri_whitespace>strip</uri_whitespace>
    			</config>
    		</squid>
    		<squidcache>
    			<config>
    				<harddisk_cache_size>9500</harddisk_cache_size>
    				<harddisk_cache_location>/var/squid/cache</harddisk_cache_location>
    				<memory_cache_size>75</memory_cache_size>
    				<minimum_object_size>0</minimum_object_size>
    				<maximum_object_size>4</maximum_object_size>
    				<level1_subdirs>16</level1_subdirs>
    				<memory_replacement>heap GDSF</memory_replacement>
    				<cache_replacement>heap LFUDA</cache_replacement>
    				<donotcache/>
    				<enable_offline></enable_offline>
    			</config>
    		</squidcache>
    	</installedpackages>
    	<rrd>
    		<enable></enable>
    	</rrd>
    	<revision>
    		<description>/firewall_nat.php made unknown change</description>
    		<time>1214137106</time>
    	</revision>
    </pfsense>

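GruensFroeschli's reply earlier in the thread turns on what a port forward's target and the matching pass rule's destination must name: the internal server, not the firewall's LAN address. As an added example that is not from this thread or from pfSense, the following Python script parses a config.xml fragment of the same shape as the one posted above and reports forwards whose target is the firewall's own LAN IP, whose target lies outside the LAN subnet, or which have no pass rule on the same interface for the translated destination and port (the point of "enable logging and see if it's even getting to you": a forward with no pass rule never shows a state). The embedded config is constructed for the example, modelled on the posted rules; `lint_port_forwards` is the example's own name, and counting a filter rule that has no `<type>` element as a pass rule is an assumption made here, not documented pfSense behaviour.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense 1.2 config.xml (not the poster's
# file): LAN is 192.168.1.1/24, three forwards point at 192.168.1.20 and one at
# the firewall itself; the vnc_server forward has no matching pass rule.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>sis0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>sis1</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
  <nat>
    <rule><protocol>tcp</protocol><external-port>22</external-port>
      <target>192.168.1.20</target><local-port>22</local-port>
      <interface>wan</interface><descr>ssh_server</descr></rule>
    <rule><protocol>tcp</protocol><external-port>80</external-port>
      <target>192.168.1.20</target><local-port>80</local-port>
      <interface>wan</interface><descr>www</descr></rule>
    <rule><protocol>tcp</protocol><external-port>5900</external-port>
      <target>192.168.1.20</target><local-port>5900</local-port>
      <interface>wan</interface><descr>vnc_server</descr></rule>
    <rule><protocol>tcp</protocol><external-port>8888</external-port>
      <target>192.168.1.1</target><local-port>8888</local-port>
      <interface>wan</interface><descr>webgui</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.20</address><port>80</port></destination>
      <descr>NAT_www</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.1</address><port>8888</port></destination>
      <descr>NAT_webgui</descr></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.1.20</address><port>22</port></destination>
      <descr>NAT ssh_server</descr></rule>
  </filter>
</pfsense>
"""


def _text(el, tag, default=""):
    """Text of a child element, or `default` when the child is absent or empty."""
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else default


def lint_port_forwards(config_xml):
    """Return a list of (severity, message) findings for the NAT and filter sections."""
    root = ET.fromstring(config_xml)
    lan = root.find("interfaces/lan")
    lan_ip = _text(lan, "ipaddr")
    lan_net = ipaddress.ip_network(f"{lan_ip}/{_text(lan, 'subnet')}", strict=False)

    # Index pass rules by (interface, protocol, destination address, port).
    # A rule without <type> is counted as pass here (assumption for this example).
    passes = set()
    for rule in root.findall("filter/rule"):
        if _text(rule, "type", "pass") != "pass":
            continue
        dst = rule.find("destination")
        if dst is None:
            continue
        passes.add((_text(rule, "interface"), _text(rule, "protocol"),
                    _text(dst, "address"), _text(dst, "port")))

    findings = []
    for rule in root.findall("nat/rule"):
        descr = _text(rule, "descr", "(no descr)")
        target = _text(rule, "target")
        iface = _text(rule, "interface")
        proto = _text(rule, "protocol")
        lport = _text(rule, "local-port")
        if target == lan_ip:
            findings.append(("warn", f"{descr}: target {target} is the firewall's own LAN "
                             "address; a service on pfSense itself needs only a pass rule "
                             "on WAN, not a port forward"))
        elif ipaddress.ip_address(target) not in lan_net:
            findings.append(("error", f"{descr}: target {target} is not in LAN {lan_net}"))
        if (iface, proto, target, lport) not in passes:
            findings.append(("error", f"{descr}: no pass rule on {iface} for {proto} to "
                             f"{target}:{lport}, so translated packets are dropped"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_port_forwards(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against a real config.xml, the same function reads the file contents instead of `SAMPLE_CONFIG`; the lookup key deliberately uses the forward's local port and internal target, because that is what the filter sees after translation.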


  • Enable logging on the firewall rules that pass the traffic and see if it's even getting to you.



  • Actually, after setting up PFS about three dozen times, I finally figured out what the problem was. And I don't know if this falls under the category of a bug.
    But if I set my PFS to have an IP (my LAN) of 192.168.1.1, no matter what I did, no matter what the external IP address is, it just wouldn't forward anything else except its own ports; the rest of the network did not exist. But if I set the PFS IP (my LAN) to 192.168.0.1 or 192.168.2.1 (of course fixing all the clients on the network accordingly), when I set up a port forwarding it started to work immediately. Just to make sure I tried it again, and this seems to have been my problem.
    But unfortunately I have no idea why; maybe it has something to do with the external IP I get, or something else.
    I'm going to test it further in the afternoon and tomorrow.

    Hope this helps someone with similar problems, and thanks everyone for all the threads on the forum which helped me find a solution.

    Bye



  • This REALLY sounds like you have somewhere in your network a rogue device with an IP of 192.168.1.1
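The duplicate-address hypothesis above is checkable from the firewall's LAN side: a second device answering ARP for 192.168.1.1 shows up as two different MAC addresses claiming the same IP in a capture, which also explains the "works for a while, then stops" pattern as clients' ARP caches flip between the two. The following Python script is an added example, not from this thread or from pfSense: it parses `tcpdump -n arp` style lines and reports any IP claimed by more than one MAC, or claimed only by a MAC other than the one expected (for example the firewall's own LAN MAC from `ifconfig`). The capture lines and MAC addresses are constructed for the example; `claims_by_ip` and `find_conflicts` are the example's own names.

```python
import re
from collections import defaultdict

# One tcpdump line per ARP reply, e.g.
#   12:00:01.000200 ARP, Reply 192.168.1.1 is-at 00:0d:b9:aa:bb:cc, length 28
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample of `tcpdump -ni sis0 arp` output on the LAN; the MAC
# addresses are made up. Two different MACs answer for 192.168.1.1.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.100, length 28
12:00:01.000200 ARP, Reply 192.168.1.1 is-at 00:0d:b9:aa:bb:cc, length 28
12:00:01.000350 ARP, Reply 192.168.1.1 is-at 00:1E:C2:11:22:33, length 28
12:00:02.000001 ARP, Request who-has 192.168.1.20 tell 192.168.1.1, length 28
12:00:02.000150 ARP, Reply 192.168.1.20 is-at 00:50:56:de:ad:01, length 28
12:00:03.000001 ARP, Reply 192.168.1.1 is-at 00:1e:c2:11:22:33, length 28
"""


def claims_by_ip(capture):
    """Map each IP seen in an ARP reply to the set of (lower-cased) MACs claiming it."""
    claims = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac").lower())
    return dict(claims)


def find_conflicts(capture, expected=None):
    """Return {ip: sorted MAC list} for addresses claimed by more than one MAC,
    or claimed only by a MAC other than the one given in `expected`
    (e.g. {"192.168.1.1": "<firewall LAN MAC from ifconfig>"})."""
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    conflicts = {}
    for ip, macs in claims_by_ip(capture).items():
        if len(macs) > 1 or (ip in expected and expected[ip] not in macs):
            conflicts[ip] = sorted(macs)
    return conflicts


if __name__ == "__main__":
    firewall_lan_mac = "00:0d:b9:aa:bb:cc"  # constructed; read yours from ifconfig
    for ip, macs in find_conflicts(SAMPLE_CAPTURE, {"192.168.1.1": firewall_lan_mac}).items():
        print(f"{ip} answered by {len(macs)} MAC(s): {', '.join(macs)}")
```

Feeding it a real capture is a matter of piping `tcpdump -ni <lan-if> arp` output into `find_conflicts`; a conflict on the gateway address points at the device whose MAC is not the firewall's, which is then located by its switch port.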



  • You think? I never even thought of that, but I'm quite sure that it isn't one of the devices that I had set up. And there were only two that could potentially do that.
    Anyway, thank you for the info. The network is now set to 192.168.0.1 so it doesn't really matter, but I'll try and find the device anyway. I'm really interested to see if it is a rogue device, and which device it is...

    Best regards and good night



  • Hey everyone,

I searched the whole network yesterday, one device after another connected to the patch panel, and didn't find any mysterious devices on IP 192.168.1.1.
    I don't know…. well it works now so no big problem.

    Bye and thanks for the help.

