Author Topic: Firewall, Port forwarding Help  (Read 303 times)

Offline z71prix

  • Newbie
  • *
  • Posts: 13
  • Karma: +1/-0
    • View Profile
Firewall, Port forwarding Help
« on: December 27, 2017, 08:00:55 am »
Please help, I'm new to pfsense and have spent over 10 hours trying everything to get a simple port forwarding to work.  I've got knowledge of routers dd wrt and such.  It must be something simple I'm missing. 


pfsense installed on Qotom 4 port mini PC

Interfaces
igb0 = WAN
igb0 = LAN1
igb0 = LAN2

I'm trying to port forward 5610 from incoming WAN traffic to a single IP on LAN2. 

Packet capture shows port 5610 on WAN, but not on LAN2

My settings are attached

If you need anything else let me know.




Offline Grimson

  • Full Member
  • ***
  • Posts: 260
  • Karma: +36/-2
    • View Profile
Re: Firewall, Port forwarding Help
« Reply #1 on: December 27, 2017, 08:09:30 am »

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #2 on: December 27, 2017, 08:28:33 am »
Thank you, I've added top rule to allow all traffic?  Is this correct?  Still not working?


Offline Grimson

Re: Firewall, Port forwarding Help
« Reply #3 on: December 27, 2017, 08:39:47 am »
Quote
Thank you, I've added top rule to allow all traffic?  Is this correct?  Still not working?

Really READ the instructions I linked to, especially the bold parts, don't just skip over them. You don't need to create additional rules, you just have to configure the port forward right.

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #4 on: December 27, 2017, 09:07:59 am »
I have read and read the thread, thank you for sending it.  I'm so confused why it's not working?

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #5 on: December 27, 2017, 09:13:02 am »
I'm setting up rule in NAT correct?

Offline Grimson

Re: Firewall, Port forwarding Help
« Reply #6 on: December 27, 2017, 09:13:14 am »
Quote
I have read and read the thread, thank you for sending it.  I'm so confused why it's not working?

From the linked instructions:
Quote
Destination: Specifies the original destination IP address of the traffic, as seen before being translated, and will usually be WAN address.

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #7 on: December 27, 2017, 09:28:22 am »
I'm still trying?


Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #8 on: December 27, 2017, 09:41:41 am »
I've tried everything I can think of? Why is this so difficult?

Online johnpoz

  • Hero Member
  • *****
  • Posts: 14816
  • Karma: +1374/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Firewall, Port forwarding Help
« Reply #9 on: December 27, 2017, 10:22:13 am »
Does your camera even have a gateway?  This is very common with these sorts of devices.. They have no gateway on them - so no, you cannot view them from outside your network without doing source nat..

Also it's a bad idea to allow access to cameras from outside your network.. Huge security concern.. And these cameras are terrible when it comes to security..  That is your port forward - where are the wan rules?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Online johnpoz

Re: Firewall, Port forwarding Help
« Reply #10 on: December 27, 2017, 10:24:00 am »
Your wan rule is WRONG..  You wouldn't set a gateway on a wan rule..  Nor is the source ever going to be your wan address.. on your lan 2 rule..  This is really clickity clickty - when you create the port forward it will auto create your firewall rule for you - so it's like impossible to make such nonsense rules..

Your lan 2 doesn't even need a rule if you're just going to be answering inbound connections from internet.. And if you did not a rule the source for sure would not be the wan address..

Rules are evaluated top down, first rule to trigger wins no other rules evaluated.  How would wan address be a source of inbound traffic to lan2 interface from the lan2 network?

edit:  remove that any any rule on your wan!!  Just let the port forward create the wan rule..

Does your camera have a gateway?  This is #3 in common problems on the troubleshooting guide..
« Last Edit: December 27, 2017, 10:29:28 am by johnpoz »

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #11 on: December 27, 2017, 10:29:08 am »
Hello Johnpoz

Yes, the camera has a gateway, it was working fine on my Netgear router before I switched to pfsense. The camera is a private port I'm using with user interface log in.

I created a NAT rule, it created the WAN rule automatically.

Here's my NAT and WAN rules.

Online johnpoz

Re: Firewall, Port forwarding Help
« Reply #12 on: December 27, 2017, 10:30:36 am »
Remove that any any rule!!

So lets sniff the traffic - PM your public IP and I will hit it on that port.

You do not have anything in front of pfsense - pfsense has your wan... Let's see the sniff of your wan showing you hitting that IP from outside your network.. You're not trying to access this from inside your network hitting your public IP, are you?

"The camera is a private port I'm using with user interface log in."

Still a bad idea - if you want to access stuff on your network, vpn in... Opening up such devices to the public is just a very bad idea!

I think you're trying to hit your public IP from say your phone on your wifi network?  So it would be nat reflection - you need to test this from outside.. Either PM your public IP, or use canyouseeme.org
« Last Edit: December 27, 2017, 10:34:50 am by johnpoz »

Offline z71prix

Re: Firewall, Port forwarding Help
« Reply #13 on: December 27, 2017, 10:34:36 am »
ok, any traffic rules removed.

I'll send you PM

thank you

Online johnpoz

Re: Firewall, Port forwarding Help
« Reply #14 on: December 27, 2017, 10:41:04 am »
Not seeing any syn,ack back - let's see your wan sniff when I send traffic or you use your online checker or canyouseeme.org

Do you have any floating rules?  There is no syn,ack back from the syn I send to that port


10:44:12.574054 IP 64.53.xxx.xxx.37854 > 68.38.xxx.xxx.5160: tcp 0
10:44:12.824552 IP 64.53.xxx.xxx.54289 > 68.38.xxx.xxx.5160: tcp 0
10:44:15.571615 IP 64.53.xxx.xxx.37854 > 68.38.xxx.xxx.5160: tcp 0
10:44:15.823196 IP 64.53.xxx.xxx.54289 > 68.38.xxx.xxx.5160: tcp 0

If the traffic is hitting your wan then sniff on your lan2 interface for that 5160...



« Last Edit: December 27, 2017, 10:49:28 am by johnpoz »
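
Added example, not part of any post in this thread: the check described in Reply #14 (connection attempts arriving with no syn,ack going back), run over capture lines in the same summary layout as the ones pasted there. The sample capture is constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the capture lines quoted in the thread.
SAMPLE = """\
10:44:12.574054 IP 198.51.100.7.37854 > 203.0.113.10.5160: tcp 0
10:44:12.824552 IP 198.51.100.7.54289 > 203.0.113.10.5160: tcp 0
10:44:15.571615 IP 198.51.100.7.37854 > 203.0.113.10.5160: tcp 0
10:44:15.823196 IP 198.51.100.7.54289 > 203.0.113.10.5160: tcp 0
10:44:20.100000 IP 198.51.100.7.40000 > 203.0.113.10.443: tcp 0
10:44:20.101500 IP 203.0.113.10.443 > 198.51.100.7.40000: tcp 0
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp \d+$")

def parse(line):
    """Return (seconds, (src, sport), (dst, dport)) or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, sport, dst, dport = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + float(s)
    return ts, (src, int(sport)), (dst, int(dport))

def unanswered_flows(capture_text, min_attempts=2):
    """List flows where the initiator retried and nothing came back.

    The summary lines carry no TCP flags, so the only evidence used is
    direction: repeats from the same source port with no reverse packet.
    """
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse(line)
        if pkt is None:
            continue
        ts, src, dst = pkt
        flow = flows.setdefault(frozenset((src, dst)),
                                {"initiator": src, "target": dst,
                                 "sent": [], "replies": 0})
        if src == flow["initiator"]:
            flow["sent"].append(ts)
        else:
            flow["replies"] += 1
    report = []
    for f in flows.values():
        if f["replies"] == 0 and len(f["sent"]) >= min_attempts:
            gaps = [round(b - a, 3) for a, b in zip(f["sent"], f["sent"][1:])]
            report.append((f["initiator"], f["target"], len(f["sent"]), gaps))
    return report

if __name__ == "__main__":
    for initiator, target, attempts, gaps in unanswered_flows(SAMPLE):
        print(initiator, "->", target, "attempts:", attempts, "gaps:", gaps)
```

Run it against the WAN capture first and then the capture from the inside interface: a flow that is unanswered on WAN but absent from the inside capture never left the firewall, while one that shows up unanswered on both reached the inside segment and got no reply from the device.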