[pfSense] Port forwards don't work on one machine
Chris L
2018-02-11 20:42:34 UTC
What interface is that taken on? Take one on the interface the destination server is connected to (WLAN?) and test again. While you’re capturing also do another Diagnostics > Test Port from the local pfSense itself. Please include the capture of both events (from outside and using test port.)

It looks like the server is not responding.
Joseph L. Casale
2018-02-11 20:46:41 UTC
-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List <***@lists.pfsense.org>
Subject: Re: [pfSense] Port forwards don't work on one machine
Post by Chris L
What interface is that taken on? Take one on the interface the destination
server is connected to (WLAN?) and test again. While you’re capturing also
do another Diagnostics > Test Port from the local pfSense itself. Please
include the capture of both events (from outside and using test port.)
It looks like the server is not responding.
I'd also suggest running a capture on the destination; if it's actually receiving
traffic and/or sending it elsewhere (routing rule), this will provide some insight.
Chris L
2018-02-11 23:23:43 UTC
On Sun, 11 Feb 2018 20:46:41 +0000
Post by Joseph L. Casale
-----Original Message-----
From: List On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Port forwards don't work on one machine
Post by Chris L
What interface is that taken on? Take one on the interface the
destination server is connected to (WLAN?) and test again. While
you’re capturing also do another Diagnostics > Test Port from the
local pfSense itself. Please include the capture of both events
(from outside and using test port.)
It looks like the server is not responding.
I'd also suggest running a capture on the destination; if it's
actually receiving traffic and/or sending it elsewhere (routing rule),
this will provide some insight.
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
Are the packets going out pfSense LAN? To what MAC/IP address?
Joseph L. Casale
2018-02-12 00:48:13 UTC
-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: ***@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
Sounds like an ACL with a block or reject somewhere...
Ryan Coleman
2018-02-12 04:02:31 UTC
That should be in the logs…
Post by Joseph L. Casale
-----Original Message-----
Sent: Sunday, February 11, 2018 2:30 PM
Subject: Re: [pfSense] Port forwards don't work on one machine
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
Sounds like an ACL with a block or reject somewhere...
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Steven Spencer
2018-02-12 16:21:08 UTC
On Sun, 11 Feb 2018 20:46:41 +0000
Post by Joseph L. Casale
-----Original Message-----
From: List On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Port forwards don't work on one machine
Post by Chris L
What interface is that taken on? Take one on the interface the
destination server is connected to (WLAN?) and test again. While
you’re capturing also do another Diagnostics > Test Port from the
local pfSense itself. Please include the capture of both events
(from outside and using test port.)
It looks like the server is not responding.
I'd also suggest running a capture on the destination; if it's
actually receiving traffic and/or sending it elsewhere (routing rule),
this will provide some insight.
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
Marco
Marco,

Just curious, but what is the target machine's OS?

Thanks,
--
Steven G. Spencer, Network Administrator
KSC Corporate - The Kelly Supply Family of Companies
Office 308-382-8764 Ext. 1131
Mobile 402-765-8010
Steven Spencer
2018-02-12 17:59:09 UTC
On Mon, 12 Feb 2018 10:21:08 -0600
Post by Steven Spencer
On Sun, 11 Feb 2018 20:46:41 +0000
Post by Joseph L. Casale
-----Original Message-----
From: List On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Port forwards don't work on one machine
Post by Chris L
What interface is that taken on? Take one on the interface the
destination server is connected to (WLAN?) and test again. While
you’re capturing also do another Diagnostics > Test Port from the
local pfSense itself. Please include the capture of both events
(from outside and using test port.)
It looks like the server is not responding.
I'd also suggest running a capture on the destination; if it's
actually receiving traffic and/or sending it elsewhere (routing
rule), this will provide some insight.
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
Marco
Marco,
Just curious, but what is the target machine's OS?
The actual server is FreeBSD, but I run the tests with a Linux
laptop as the behaviour is the same.
Marco
I know you've stated that you have no firewall on these machines. So
iptables -L shows empty on the Linux laptop and (sorry, not familiar with
FreeBSD) the equivalent on FreeBSD? No selinux in play on the Linux laptop, or
at least if in play, policies are in use? I looked at your screen shots
and I can't see anything that leaps out at me. We have a number of
pfSense firewalls in use (15) within our organization and I've used port
forwarding on every one of them and have never run into a problem, unless
the receiving machine refuses the connection. I've been bitten by
selinux before and more recently, by firewalld.

Thanks,

Steven G. Spencer
James Ronald
2018-02-12 19:12:53 UTC
What is the default gateway of the destination (is there a route back to
pfSense)?

- Jim
On Mon, 12 Feb 2018 11:59:09 -0600
Post by Steven Spencer
On Mon, 12 Feb 2018 10:21:08 -0600
Post by Steven Spencer
On Sun, 11 Feb 2018 20:46:41 +0000
Post by Joseph L. Casale
-----Original Message-----
From: List On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Port forwards don't work on one machine
Post by Chris L
What interface is that taken on? Take one on the interface the
destination server is connected to (WLAN?) and test again. While
you’re capturing also do another Diagnostics > Test Port from
the local pfSense itself. Please include the capture of both
events (from outside and using test port.)
It looks like the server is not responding.
I'd also suggest running a capture on the destination; if it's
actually receiving traffic and/or sending it elsewhere (routing
rule), this will provide some insight.
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external
access (e.g. canyouseeme.org)
Marco
Marco,
Just curious, but what is the target machine's OS?
The actual server is FreeBSD, but I run the tests with a Linux
laptop as the behaviour is the same.
Marco
I know you've stated that you have no firewall on these machines. So
iptables -L shows empty on the Linux laptop
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Post by Steven Spencer
No selinux in play on the Linux
laptop
No selinux in use.
Post by Steven Spencer
I looked at your screen shots and I can't see anything that leaps
out at me. We have a number of PfSense firewalls in use (15)
within our organization and I've used port forwarding on every one
of them and have never run into a problem-unless the receiving
machine refuses the connection.
Same here. Not that I'm a network expert, but I've set up five
pfSense installations and port forwarding has always been an easy
task which worked by just configuring the NAT rule.
If the receiving machine refuses the connection, I would not be able
to successfully "port test" it from the pfSense box and I would see
incoming packets with wireshark (I believe). Therefore, I suspect an
issue with the port forwarding.
Post by Steven Spencer
I've been bitten by selinux before and more recently, by firewalld.
Not installed and (therefore I hope) not used.
Thanks for the support and confirming that it's not something
obvious. Will investigate later.
Marco
Joseph L. Casale
2018-02-12 19:21:08 UTC
-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: ***@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine
I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)
So what does a tcpdump on the pfSense instance reveal when the
canyouseeme.org test runs?

Obviously this is not a problem with the destination, several tests you have
run prove this, and based on the clear statement above, the issue is
somehow related to just the pfSense instance.
Steve Yates
2018-02-12 20:45:55 UTC
Just to double check the config, so the pfSense router is set as the DMZ of the ISP router? Have you tried deleting the rule and re-adding?
--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 1:13 PM
To: ***@lists.pfsense.org
Subject: [pfSense] Port forwards don't work on one machine

Hi,

I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.

My network:

Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

https://i.imgur.com/N7ulwha.png

On another machine this already is enough to get it working. But not on this
one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

https://i.imgur.com/KcaSP6T.png

Yes, it is.

4) Now testing from the external IP:

https://i.imgur.com/QnWQuIO.png

Nope!

Again using an external service:

https://i.imgur.com/v4KaivE.png

No, James!

5) States:

https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

https://i.imgur.com/xT3qFXW.png


I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Common Problems
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)
I guess it's all correct, works on another machine.
Hint: Do NOT set a source port
not set
2. Firewall enabled on client machine
nope
3. Client machine is not using pfSense as its default gateway
pfSense is the default gateway
4. Client machine not actually listening on the port being forwarded
It is, see

https://i.imgur.com/KcaSP6T.png
5. ISP or something upstream of pfSense is blocking the port being forwarded
I guess the states table and packet capture should be empty if that's the
case, right?
6. Trying to test from inside the local network, need to test from an outside machine
Tested both, see

https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png
7. Incorrect or missing Virtual IP configuration for additional public IP addresses
No clue, haven't configured anything virtual.
8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.
True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.
9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.
nope
10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.
WAN is default gateway
11. If this is on a WAN that is not the default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.
didn't configure floating rules
12. If this is on a WAN that is not the default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.
not the case
13. If this is on a WAN that is not the default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.
not the case
14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.
see

https://i.imgur.com/N7ulwha.png
15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.
UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.

Marco
Steve Yates
2018-02-12 21:13:10 UTC
I would think "exposed host" is what I am calling DMZ, from your description.

If you have a firewall rule you can set it to log traffic (pass or block I believe). Under status/system logs/settings there is a checkbox to log packets blocked by the default block rule.
--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-***@lists.pfsense.org] On Behalf Of Marco
Sent: Monday, February 12, 2018 3:10 PM
To: ***@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

On Mon, 12 Feb 2018 20:45:55 +0000
Post by Steve Yates
Just to double check the config, so the pfSense router is set as the
DMZ of the ISP router?
No clue if the ISP device has a concept of DMZ. I configure it as
“Exposed Host”, so all communication is actually forwarded to the
pfSense box. I've set up numerous of those devices in different
locations and that was always sufficient.
Post by Steve Yates
Have you tried deleting the rule and re-adding?
On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP
device's config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it
shows “No logs to display”. That means that the packet is not blocked
by an implicit or explicit firewall rule, right?

Marco
Volker Kuhlmann
2018-02-14 20:11:52 UTC
Post by Steve Yates
I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow?
Rules only log when the logging flag is ticked. Even then I dislike
relying on rules always logging when I need them to.

I'd suggest you use the packet capture function of pfsense. Limit to the
port(s) in question and it shows the traversing packets. It's reliable.
Run it on the pfsense interface connected to your server.

The symptoms you describe (pfsense can see the server, a WAN host can't)
could be explained by a messed up routing table on the server. The
server can send packets back to the pfsense box because that IP is on
its own interface's IP space as far as the server is concerned, but any
WAN host would hit the server's gateway setting - if that is absent or
wrong the server reply goes nowhere.

Volker
--
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/ Please do not CC list postings to me.
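Volker's routing explanation above, modelled as an added example that is not from the thread: a longest-prefix route lookup on the server shows why a reply to pfSense's own address can succeed while a reply to a WAN host never goes back through pfSense. The addresses (server subnet 10.0.30.0/24, pfSense at 10.0.30.1, external tester 203.0.113.10) are assumptions; the thread only names 10.0.30.21, and in Marco's case the ISP device turned out to be the cause.

```python
# Added example (not from the thread): models the server's route lookup for the
# reply packet in the two tests the thread compares (pfSense "Test Port" vs. an
# external tester). Assumed addresses: server subnet 10.0.30.0/24, pfSense LAN
# side 10.0.30.1, external tester 203.0.113.10 (documentation range).
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: str              # destination network; "0.0.0.0/0" is the default route
    gateway: Optional[str]   # None = directly connected, deliver on-link


PFSENSE_LAN_IP = "10.0.30.1"      # assumption: pfSense's address on the server's segment
EXTERNAL_TESTER = "203.0.113.10"  # assumption: e.g. canyouseeme.org's probe source


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same choice a host kernel makes for a packet."""
    addr = ip_address(dst)
    best = None
    for route in table:
        net = ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = route
    return best


def reply_path(table: List[Route], dst: str) -> str:
    """Where the server's SYN-ACK to `dst` goes: 'onlink', 'via <gw>' or 'unroutable'."""
    route = lookup(table, dst)
    if route is None:
        return "unroutable"
    return "onlink" if route.gateway is None else f"via {route.gateway}"


def diagnose(table: List[Route]) -> dict:
    """Outcome of both tests for one server routing table.

    The pfSense-sourced probe only needs the reply to reach pfSense's own address.
    The external probe needs the reply to go back *through pfSense*; otherwise the
    NAT state on pfSense never sees the SYN-ACK and the tester reports 'filtered'.
    """
    to_pfsense = reply_path(table, PFSENSE_LAN_IP)
    to_external = reply_path(table, EXTERNAL_TESTER)
    return {
        "pfsense_test_port": to_pfsense in ("onlink", f"via {PFSENSE_LAN_IP}"),
        "external_test": to_external == f"via {PFSENSE_LAN_IP}",
        "reply_to_external": to_external,
    }


# Constructed routing tables for the three situations Volker describes.
NO_DEFAULT_ROUTE = [Route("10.0.30.0/24", None)]
WRONG_GATEWAY = [Route("10.0.30.0/24", None), Route("0.0.0.0/0", "10.0.30.254")]
CORRECT_GATEWAY = [Route("10.0.30.0/24", None), Route("0.0.0.0/0", PFSENSE_LAN_IP)]

if __name__ == "__main__":
    for name, table in [("no default route", NO_DEFAULT_ROUTE),
                        ("default via wrong gateway", WRONG_GATEWAY),
                        ("default via pfSense", CORRECT_GATEWAY)]:
        print(f"{name:28s} {diagnose(table)}")
```

Only the last table passes both tests; the first two reproduce "works from pfSense, filtered from outside" with no block rule anywhere, which is why a capture on the server-facing pfSense interface (request in, no reply out) is the quickest way to tell this case apart from an upstream drop.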
WebDawg
2018-02-14 23:07:42 UTC
It is most likely the ISP device.
Post by Steve Yates
Hi,
I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.
Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)
For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
used IPs instead of aliases.
1) The port forward from the WAN to 10.0.30.21 is set up.
https://i.imgur.com/V8vlN1Z.png
https://i.imgur.com/N7ulwha.png
On another machine this already is enough to get it working. But not on this
one. Nmap shows “filtered”.
https://i.imgur.com/KcaSP6T.png
Yes, it is.
https://i.imgur.com/QnWQuIO.png
Nope!
https://i.imgur.com/v4KaivE.png
No, James!
https://i.imgur.com/Rf1kjbf.png
https://i.imgur.com/xT3qFXW.png
I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Common Problems
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)
I guess it's all correct, works on another machine.
Hint: Do NOT set a source port
not set
2. Firewall enabled on client machine
nope
3. Client machine is not using pfSense as its default gateway
pfSense is the default gateway
4. Client machine not actually listening on the port being forwarded
It is, see
https://i.imgur.com/KcaSP6T.png
5. ISP or something upstream of pfSense is blocking the port being forwarded
I guess the states table and packet capture should be empty if that's the
case, right?
6. Trying to test from inside the local network, need to test from an outside machine
Tested both, see
https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png
7. Incorrect or missing Virtual IP configuration for additional public IP addresses
No clue, haven't configured anything virtual.
8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.
True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.
9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.
nope
10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.
WAN is default gateway
11. If this is on a WAN that is not the default gateway, ensure the traffic for the port forward is NOT passed in via Floating Rules or an Interface Group. Only rules present on the WAN's interface tab under Firewall Rules will have the reply-to keyword to ensure the traffic responds properly via the expected gateway.
didn't configure floating rules
12. If this is on a WAN that is not the default gateway, make sure the firewall rule(s) allowing the traffic in do not have the box checked to disable reply-to.
not the case
13. If this is on a WAN that is not the default gateway, make sure the master reply-to disable switch is not checked under System > Advanced, on the Firewall/NAT tab.
not the case
14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.
see
https://i.imgur.com/N7ulwha.png
15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.
UPnP is not used
I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.
Marco
WebDawg
2018-02-26 03:44:32 UTC
No problem. Been there before.
On Wed, 14 Feb 2018 18:07:42 -0500
Post by WebDawg
It is most likely the ISP device.
Indeed, it was.
I redid the whole pfSense config and the issue persisted. Then I
redid the ISP device config and it worked. In the end I changed
nothing, same config as before, but now it works for some magical
reason.
Thanks to all of you for the support and sorry for the noise (of
having nothing to do with pfSense).
Marco