Author Topic: [Solved] pfSense on Proxmox: Port Forwarding (Checksum) Problems  (Read 198 times)

oldenblocer

I set up pfSense on Proxmox following this guide: https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox

Everything (including VLANs) is working fine except port forwarding.

I already had hardware checksumming disabled on pfSense as explained in the guide. Then I wanted to forward a port to a webserver running as a VM but can't get this to work. I already spent like two full days on this and am starting to lose my mind. %P

Inspecting firewall logs and also packet captures show that packets hitting my WAN on its public address are forwarded to the desired machine as expected. The machine receives the packet and answers back to the LAN interface. But it never reaches my WAN to go outside. I'm testing this on my cell phone from an outside network BTW.

Further inspection of the captured packets with Wireshark shows that there is something wrong with the checksums, which leads me to threads saying that I also have to disable hardware checksum offloading on the Proxmox side. Which I did using
Code:
ethtool -K <interface> tx off
as explained here https://forum.pfsense.org/index.php?topic=88467.0. Also I made sure that this is redone on a system reboot.

Questions: Do I have to do ethtool -K <interface> tx off only on the LAN bridge assigned to pfSense or also on the real interface the bridge is defined on? Is it enough to do this on the LAN interface or also on the WAN or on all interfaces within that host machine? Tested some combinations but no luck.. And: Do I also have to switch off hardware offloading for rx and maybe other stuff?

Also tested port forwarding to a real physical machine inside my network but got the same results. Tested different ports also.

BTW: I have set up OpenVPN and this worked flawlessly from the beginning. But OpenVPN is using UDP not TCP. Is this the reason this forward works?

Can someone please help me with further investigation or already has an idea what's going wrong? I'm running out of ideas and starting to become really frustrated. :/

Thanks so much!!
« Last Edit: February 07, 2018, 04:56:34 am by oldenblocer »
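
Added example, not part of the original post: a way to tell whether a TCP checksum that Wireshark flags in a capture is an offload artifact or a genuinely bad checksum. It assumes that a sender with tx checksum offload enabled leaves only the pseudo-header sum in the field for the NIC to finish; the function names and the sample segment (documentation/private addresses) are constructed for illustration.

```python
import socket
import struct

def csum16(data: bytes) -> int:
    """Folded 16-bit ones' complement sum (RFC 1071), not yet inverted."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)

def classify(src: str, dst: str, segment: bytes) -> str:
    """Classify the checksum field of one captured IPv4 TCP segment."""
    stored = struct.unpack("!H", segment[16:18])[0]
    pseudo = pseudo_header(src, dst, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    if stored == (~csum16(pseudo + zeroed) & 0xFFFF):
        return "valid"
    if stored == csum16(pseudo):
        # Assumption: capture taken before the NIC (or hypervisor) completed the sum.
        return "partial"
    return "bad"

def with_checksum(segment: bytes, value: int) -> bytes:
    """Return a copy of the segment with its checksum field set to value."""
    return segment[:16] + struct.pack("!H", value) + segment[18:]

# Constructed sample: SYN-ACK header from 192.168.1.10:80 to 203.0.113.5:40000.
SRC, DST = "192.168.1.10", "203.0.113.5"
BASE = struct.pack("!HHLLBBHHH", 80, 40000, 1000, 2001, 5 << 4, 0x12, 64240, 0, 0)
FULL = with_checksum(BASE, ~csum16(pseudo_header(SRC, DST, len(BASE)) + BASE) & 0xFFFF)
PARTIAL = with_checksum(BASE, csum16(pseudo_header(SRC, DST, len(BASE))))

if __name__ == "__main__":
    samples = (("full", FULL), ("partial", PARTIAL), ("garbage", with_checksum(BASE, 0x1234)))
    for name, seg in samples:
        print(name, "->", classify(SRC, DST, seg))
```

A "partial" result on packets captured on the sending host is normally harmless; the same result on packets captured after they crossed a bridge or virtual NIC means the checksum was never completed on the way out.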

yarick123

Re: pfSense on Proxmox: Port Forwarding (Checksum) Problems
« Reply #1 on: January 28, 2018, 08:21:47 am »
As far as I understand, if you configure OpenVPN on pfSense, there is no port forwarding at all.

I think, if the pfSense GUI and Internet can be accessed from the physical LAN, the problems with port forwarding can be caused not only by the check-sums.

Do you see on WAN outgoing forwarded packages from LAN hosts?

I had problems similar to yours, as I did not have correct routing + outgoing NAT configuration. It can also be something wrong with the Virtual IPs configuration. Or are you forwarding the firewall ports?

Quote: Questions: Do I have to do ethtool -K <interface> tx off only on the LAN bridge assigned to pfSense or also on the real interface the bridge is defined on? Is it enough to do this on the LAN interface or also on the WAN or on all interfaces within that host machine? Tested some combinations but no luck.. And: Do I also have to switch off hardware offloading for rx and maybe other stuff?

For test purposes I would disable check-sums offloading on all possible physical/virtual NICs.

oldenblocer

Re: pfSense on Proxmox: Port Forwarding (Checksum) Problems
« Reply #2 on: February 07, 2018, 04:56:06 am »
Quote: I had problems similar to yours, as I did not have correct routing + outgoing NAT configuration. It can also be something wrong with the Virtual IPs configuration. Or are you forwarding the firewall ports?

Thank you for your answer and sorry for the delayed reply. I was on vacation...

I solved the problem by reinstalling pfSense from scratch. I guess something was wrong with my VLAN config and stuff because I experimented a lot with different setups and so on, plus I started with a double NAT setup and then made the switch to connecting directly through a modem to the internet. So port forwarding is now working as expected. :-)

Quote: For test purposes I would disable check-sums offloading on all possible physical/virtual NICs.

Don't have to do this since I reinstalled pfSense. I'm not touching the Proxmox network settings manually anymore.. ;-)

Thanks for your help!!