Re: [pfSense] Port forwards don't work on one machine

2018-02-25 Thread WebDawg
No problem.  Been there before.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Port forwards don't work on one machine

2018-02-18 Thread Marco
On Wed, 14 Feb 2018 18:07:42 -0500
WebDawg  wrote:

> It is most likely the ISP device.

Indeed, it was.

I redid the whole pfSense config and the issue persisted. Then I
redid the ISP device config and it worked. In the end I changed
nothing, same config as before, but now it works for some magical
reason.

Thanks to all of you for the support and sorry for the noise (of
having nothing to do with pfSense).

Marco


Re: [pfSense] Port forwards don't work on one machine

2018-02-14 Thread WebDawg
It is most likely the ISP device.

On Sun, Feb 11, 2018 at 2:12 PM, Marco  wrote:
> Hi,
>
> I have set up port forwarding multiple times in the past and it has always
> worked. But I now have a machine that fails to forward a port. No clue why.
> Maybe I'm missing the obvious here.
>
> My network:
>
>   Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)
>
> For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
> used IPs instead of aliases.
>
> 1) The port forward from the WAN to 10.0.30.21 is set up.
>
> https://i.imgur.com/V8vlN1Z.png
>
> 2) A corresponding WAN rule is created as well:
>
> https://i.imgur.com/N7ulwha.png
>
>   On another machine this already is enough to get it working. But not on this
>   one. Nmap shows “filtered”.
>
> 3) Confirming the port 8000 is actually open on 10.0.30.21:
>
> https://i.imgur.com/KcaSP6T.png
>
>   Yes, it is.
>
> 4) Now testing from the external IP:
>
> https://i.imgur.com/QnWQuIO.png
>
>   Nope!
>
>   Again using an external service:
>
> https://i.imgur.com/v4KaivE.png
>
>   No, James!
>
> 5) States:
>
> https://i.imgur.com/Rf1kjbf.png
>
> 6) Packet capture:
>
> https://i.imgur.com/xT3qFXW.png
>
>
> I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
>
>> Common Problems
>>
>> 1. NAT and firewall rules not correctly added (see How can I forward ports 
>> with pfSense?)
>
> I guess it's all correct, works on another machine.
>
>> Hint: Do NOT set a source port
>
> not set
>
>> 2. Firewall enabled on client machine
>
> nope
>
>> 3. Client machine is not using pfSense as its default gateway
>
> pfSense is the default gateway
>
>> 4. Client machine not actually listening on the port being forwarded
>
> It is, see
>
>   https://i.imgur.com/KcaSP6T.png
>
>> 5. ISP or something upstream of pfSense is blocking the port being forwarded
>
> I guess the states table and packet capture should be empty if that's the
> case, right?
>
>> 6. Trying to test from inside the local network, need to test from an 
>> outside machine
>
> Tested both, see
>
>   https://i.imgur.com/QnWQuIO.png
>   https://i.imgur.com/v4KaivE.png
>
>> 7. Incorrect or missing Virtual IP configuration for additional public IP 
>> addresses
>
> No clue, haven't configured anything virtual.
>
>> 8. The pfSense router is not the border router. If there is something else 
>> between pfSense and the ISP, the port forwards and associated rules must be 
>> replicated there.
>
> True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
> is configured to forward everything to the pfSense box, though.
>
>> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must 
>> be added both to and from the server's IP in order for a port forward to 
>> work behind a Captive Portal.
>
> nope
>
>> 10. If this is on a WAN that is not the default gateway, make sure there is 
>> a gateway chosen on this WAN interface, or the firewall rules for the port 
>> forward would not reply back via the correct gateway.
>
> WAN is default gateway
>
>> 11. If this is on a WAN that is not the default gateway, ensure the traffic 
>> for the port forward is NOT passed in via Floating Rules or an Interface 
>> Group. Only rules present on the WAN's interface tab under Firewall Rules 
>> will have the reply-to keyword to ensure the traffic responds properly via 
>> the expected gateway.
>
> didn't configure floating rules
>
>> 12. If this is on a WAN that is not the default gateway, make sure the 
>> firewall rule(s) allowing the traffic in do not have the box checked to 
>> disable reply-to.
>
> not the case
>
>> 13. If this is on a WAN that is not the default gateway, make sure the 
>> master reply-to disable switch is not checked under System > Advanced, on 
>> the Firewall/NAT tab.
>
> not the case
>
>> 14. WAN rules should NOT have a gateway set, so make sure that the rules for 
>> the port forward do NOT have a gateway configured on the actual rule.
>
> see
>
> https://i.imgur.com/N7ulwha.png
>
>> 15. If the traffic appears to be forwarding in to an unexpected device, it 
>> may be happening due to UPnP. Check Status > UPnP to see if an internal 
>> service has configured a port forward unexpectedly. If so, disable UPnP on 
>> either that device or on the firewall.
>
> UPnP is not used
>
> I guess I'm missing the obvious here, since port forwards are rather
> straightforward in pfSense and have never given me troubles in the past. A
> nudge in the right direction is appreciated.
>
> Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-14 Thread Volker Kuhlmann
On Tue 13 Feb 2018 10:09:41 NZDT +1300, Marco wrote:

> I'm not really used to debugging with pfSense, especially the
> logging features. What's the best way to check if that packet is
> blocked by pfSense somehow?

Rules only log when the logging flag is ticked. Even then I dislike relying
on rules always logging when I need them to.

I'd suggest you use the packet capture function of pfsense. Limit to the
port(s) in question and it shows the traversing packets. It's reliable.
Run it on the pfsense interface connected to your server.

The symptoms you describe (pfsense can see the server, a WAN host can't)
could be explained by a messed up routing table on the server. The
server can send packets back to the pfsense box because that IP is on
its own interface's IP space as far as the server is concerned, but any
WAN host would hit the server's gateway setting - if that is absent or
wrong the server reply goes nowhere.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.
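One way to turn the two captures Volker asks for (pfSense WAN side and the interface facing the server) into a verdict on where the handshake is lost, mapped onto the troubleshooting checklist Marco quotes. This is an added example, not code from the thread or from the pfSense project; the pfSense WAN address 192.168.1.2 and the external tester 203.0.113.5 are constructed, while 10.0.30.21:8000 is the forward target from the thread.

```python
"""Locate the leg of an inbound port-forward test where the TCP handshake
disappears, from tcpdump-style text captured on the pfSense WAN interface
and on the interface that faces the server.  Added example; all addresses
except 10.0.30.21:8000 are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

# Matches the relevant part of a tcpdump -n line such as
#   12:00:00.000001 IP 203.0.113.5.51234 > 10.0.30.21.8000: Flags [S], seq 1, win 64240, length 0
TCP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Reduce tcpdump output to src/sport/dst/dport/flags records; non-TCP lines are skipped."""
    pkts = []
    for line in lines:
        m = TCP_LINE.search(line)
        if m:
            pkts.append({"src": m["src"], "sport": int(m["sport"]),
                         "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]})
    return pkts


def locate_fault(wan_lines: Iterable[str], lan_lines: Iterable[str],
                 wan_ip: str, server_ip: str, port: int) -> Tuple[str, str]:
    """Return (verdict, explanation).  wan_ip is the address pfSense holds on WAN
    (behind an ISP NAT box that is a private address), server_ip/port the forward's
    target.  Checklist item numbers refer to the pfSense port-forward list quoted
    in the thread."""
    wan = parse_capture(wan_lines)
    lan = parse_capture(lan_lines)
    syn_on_wan = any(p["dst"] == wan_ip and p["dport"] == port and p["flags"] == "S" for p in wan)
    syn_on_lan = any(p["dst"] == server_ip and p["dport"] == port and p["flags"] == "S" for p in lan)
    replies = [p for p in lan if p["src"] == server_ip and p["sport"] == port]
    synack_on_lan = any(p["flags"] == "S." for p in replies)
    rst_on_lan = any("R" in p["flags"] for p in replies)
    synack_on_wan = any(p["src"] == wan_ip and p["sport"] == port and p["flags"] == "S." for p in wan)

    if not syn_on_wan:
        return "upstream", ("no SYN for the port reaches the WAN interface: the device in front of "
                            "pfSense or the ISP is not delivering it (items 5 and 8)")
    if not syn_on_lan:
        return "pfsense", ("SYN seen on WAN but never translated onto the LAN: NAT or WAN rule not "
                           "matching, a gateway set on the rule, or UPnP (items 1, 14, 15)")
    if rst_on_lan:
        return "refused", "server answers the SYN with RST: nothing listening on the port (item 4)"
    if not synack_on_lan:
        return "server", ("SYN delivered to the server but no reply seen: host firewall, not "
                          "listening, or the server's default route is not pfSense (items 2, 3, 4)")
    if not synack_on_wan:
        return "reply-path", ("server's SYN-ACK reaches pfSense but is not sent back out WAN: "
                              "reply-to/gateway handling on the WAN rule (items 10 to 13)")
    return "ok", "handshake completes through pfSense; a remaining 'filtered' result is upstream"


# Constructed sample captures (EXT and WAN_IP are made up; SERVER/PORT are from the thread).
EXT, WAN_IP, SERVER, PORT = "203.0.113.5", "192.168.1.2", "10.0.30.21", 8000


def _tcp(src: str, sport: int, dst: str, dport: int, flags: str) -> str:
    """Build one tcpdump-style line for the samples."""
    return f"12:00:00.000001 IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], seq 1, win 64240, length 0"


SAMPLES = {
    # Only unrelated traffic on WAN: the symptom that ended up being the ISP device.
    "upstream": ([_tcp(EXT, 40000, WAN_IP, 443, "S")], []),
    # pfSense receives and forwards the SYN, the server never answers.
    "server": ([_tcp(EXT, 51234, WAN_IP, PORT, "S")],
               [_tcp(EXT, 51234, SERVER, PORT, "S")]),
    # Handshake visible on both sides.
    "ok": ([_tcp(EXT, 51234, WAN_IP, PORT, "S"), _tcp(WAN_IP, PORT, EXT, 51234, "S.")],
           [_tcp(EXT, 51234, SERVER, PORT, "S"), _tcp(SERVER, PORT, EXT, 51234, "S.")]),
}


def run_samples() -> Dict[str, str]:
    """Verdict for each constructed scenario."""
    return {name: locate_fault(w, l, WAN_IP, SERVER, PORT)[0] for name, (w, l) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```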


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
I would think "exposed host" is what I am calling DMZ, from your 
description.

If you have a firewall rule you can set it to log traffic (pass or 
block I believe).  Under status/system logs/settings there is a checkbox to log 
packets blocked by the default block rule.

--

Steve Yates
ITS, Inc.


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 20:45:55 +
Steve Yates  wrote:

> Just to double check the config, so the pfSense router is set as the
> DMZ of the ISP router?

No clue if the ISP device has a concept of DMZ. I configure it as
“Exposed Host”, so all communication is actually forwarded to the
pfSense box. I've set up numerous such devices in different
locations and that was always sufficient.

> Have you tried deleting the rule and re-adding?

On the ISP device? No, not yet. I guess tomorrow I'll clear the ISP
devices' config and also start off with a vanilla pfSense config.

I'm not really used to debugging with pfSense, especially the
logging features. What's the best way to check if that packet is
blocked by pfSense somehow? I tried

Status → System Logs → Firewall → Normal View → Advanced Log Filter

I checked “Block”, then entered Port: 8000 and “Apply Filter” and it
shows “No logs to display”. That means that the packet is not blocked
by an implicit or explicit firewall rule, right?

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Sun, 11 Feb 2018 15:23:43 -0800
Chris L <c...@viptalk.net> wrote:

> Are the packets going out pfSense LAN? To what MAC/IP address?

You mean when scanning from outside? I ran a Packet Capture on
pfsense on the WLAN side (settings: interface WLAN, port 8000) and
got nothing.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 14:12:53 -0500
James Ronald  wrote:

> What is the default gateway of the destination (is there a route back
> to pfSense)?

pfSense is the default gateway of the destination.

Marco


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steve Yates
Just to double check the config, so the pfSense router is set as the DMZ of the 
ISP router?  Have you tried deleting the rule and re-adding?

--

Steve Yates
ITS, Inc.


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

So what does a tcpdump on the pfSense instance reveal when the
canyouseeme.org test runs?

Obviously this is not a problem with the destination, several tests you have
run prove this, and based on the clear statement above, the issue is
somehow related to just the pfSense instance.

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread James Ronald
What is the default gateway of the destination (is there a route back to
pfSense)?

- Jim


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 11:59:09 -0600
Steven Spencer <steven.spen...@kdsi.com> wrote:

> I know you've stated that you have no firewall on these machines. So
> iptables -L shows empty on the Linux laptop

  Chain INPUT (policy ACCEPT)
  target prot opt source   destination 

  Chain FORWARD (policy ACCEPT)
  target prot opt source   destination 

  Chain OUTPUT (policy ACCEPT)
  target prot opt source   destination 

> No selinux in play on the Linux
> laptop

No selinux in use.

> I looked at your screen shots and I can't see anything that leaps
> out at me. We have a number of PfSense firewalls in use (15)
> within our organization and I've used port forwarding on every one
> of them and have never run into a problem-unless the receiving
> machine refuses the connection.

Same here. Not that I'm a network expert, but I've set up five
pfSense installations and port forwarding has always been an easy
task which worked by just configuring the NAT rule.

If the receiving machine refuses the connection, I would not be able
to successfully "port test" it from the pfSense box and I would see
incoming packets with wireshark (I believe). Therefore, I suspect an
issue with the port forwarding.

> I've been bitten by selinux before and more recently, by firewalld.

Not installed and (therefore I hope) not used.

Thanks for the support and confirming that it's not something
obvious. Will investigate later.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Steven Spencer
On 02/12/2018 11:43 AM, Marco wrote:
> The actual server is FreeBSD, but I run the tests with a Linux
> laptop as the behaviour is the same.
>
> Marco

I know you've stated that you have no firewall on these machines. So
iptables -L shows empty on the Linux laptop and (sorry, not familiar with
FreeBSD) the equivalent on FreeBSD? No selinux in play on the Linux laptop, or
at least, if it is in play, policies are in use? I looked at your screen shots
and I can't see anything that leaps out at me. We have a number of
PfSense firewalls in use (15) within our organization and I've used port
forwarding on every one of them and have never run into a problem, unless
the receiving machine refuses the connection. I've been bitten by
selinux before and more recently, by firewalld.

Thanks,

Steven G. Spencer


Re: [pfSense] Port forwards don't work on one machine

2018-02-12 Thread Marco
On Mon, 12 Feb 2018 10:21:08 -0600
Steven Spencer <steven.spen...@kdsi.com> wrote:

> Marco,
> 
> Just curious, but what is the target machine's OS?

The actual server is FreeBSD, but I run the tests with a Linux
laptop as the behaviour is the same.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Ryan Coleman
That should be in the logs… 

> On Feb 11, 2018, at 6:48 PM, Joseph L. Casale <jcas...@activenetwerx.com> 
> wrote:
> 
> Sounds like an ACL with a block or reject somewhere...


Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

Sounds like an ACL with a block or reject somewhere...

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Chris L


> On Feb 11, 2018, at 1:29 PM, Marco <li...@homerow.info> wrote:
> 
> On Sun, 11 Feb 2018 20:46:41 +
> "Joseph L. Casale" <jcas...@activenetwerx.com> wrote:
> 
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
>> L Sent: Sunday, February 11, 2018 1:43 PM
>> To: pfSense Support and Discussion Mailing List
>> <list@lists.pfsense.org> Subject: Re: [pfSense] Port forwards don't
>> work on one machine
>> 
>>> What interface is that taken on? Take one on the interface the
>>> destination server is connected to (WLAN?) and test again. While
>>> you’re capturing also do another Diagnostics > Test Port from the
>>> local pfSense itself. Please include the capture of both events
>>> (from outside and using test port.)
>>> 
>>> It looks like the server is not responding.  
>> 
>> I'd also suggest running a capture on the destination, if it's
>> actually receiving traffic and/or sending it elsewhere (routing rule)
>> this will provide some insight.
> 
> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)
> 

Are the packets going out pfSense LAN? To what MAC/IP address?


Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Marco
On Sun, 11 Feb 2018 20:46:41 +
"Joseph L. Casale" <jcas...@activenetwerx.com> wrote:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris
> L Sent: Sunday, February 11, 2018 1:43 PM
> To: pfSense Support and Discussion Mailing List
> <list@lists.pfsense.org> Subject: Re: [pfSense] Port forwards don't
> work on one machine
> 
> > What interface is that taken on? Take one on the interface the
> > destination server is connected to (WLAN?) and test again. While
> > you’re capturing also do another Diagnostics > Test Port from the
> > local pfSense itself. Please include the capture of both events
> > (from outside and using test port.)
> > 
> > It looks like the server is not responding.  
> 
> I'd also suggest running a capture on the destination, if it's
> actually receiving traffic and/or sending it elsewhere (routing rule)
> this will provide some insight.

I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Marco
On Sun, 11 Feb 2018 12:42:34 -0800
Chris L  wrote:

> > On Feb 11, 2018, at 11:12 AM, Marco  wrote:
> > 
> > 6) Packet capture:
> > 
> >https://i.imgur.com/xT3qFXW.png  
> 
> What interface is that taken on?

WAN

> Take one on the interface the destination server is connected to
> (WLAN?) and test again.

done:

  https://i.imgur.com/CJbaVp6.png

The first two lines show the external IP access to the 8000 port,
then comes the pfSense port test.

> While you’re capturing also do another Diagnostics > Test Port
> from the local pfSense itself. Please include the capture of both
> events (from outside and using test port.)

done, see above.

> It looks like the server is not responding.

Why does this work then?:

  https://i.imgur.com/KcaSP6T.png

I can access it locally and pfSense can also access it. Testing from
my laptop now. Actual server is a real machine on another network.

Thanks for the quick response.

Marco

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Joseph L. Casale
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Port forwards don't work on one machine

> What interface is that taken on? Take one on the interface the destination
> server is connected to (WLAN?) and test again. While you’re capturing also
> do another Diagnostics > Test Port from the local pfSense itself. Please
> include the capture of both events (from outside and using test port.)
> 
> It looks like the server is not responding.

I'd also suggest running a capture on the destination, if it's actually
receiving traffic and/or sending it elsewhere (routing rule) this will
provide some insight.

Re: [pfSense] Port forwards don't work on one machine

2018-02-11 Thread Chris L


> On Feb 11, 2018, at 11:12 AM, Marco  wrote:
> 
> 6) Packet capture:
> 
>https://i.imgur.com/xT3qFXW.png

What interface is that taken on? Take one on the interface the destination 
server is connected to (WLAN?) and test again. While you’re capturing also do 
another Diagnostics > Test Port from the local pfSense itself. Please include 
the capture of both events (from outside and using test port.)

It looks like the server is not responding.


[pfSense] Port forwards don't work on one machine

2018-02-11 Thread Marco
Hi,

I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.

My network:

  Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

https://i.imgur.com/N7ulwha.png

  On another machine this already is enough to get it working. But not on this
  one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

https://i.imgur.com/KcaSP6T.png

  Yes, it is.

4) Now testing from the external IP:

https://i.imgur.com/QnWQuIO.png

  Nope!

  Again using an external service:

https://i.imgur.com/v4KaivE.png

  No, James!

5) States:

https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

https://i.imgur.com/xT3qFXW.png


I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
> 
> 1. NAT and firewall rules not correctly added (see How can I forward ports 
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see

  https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's the
case, right?

> 6. Trying to test from inside the local network, need to test from an outside 
> machine

Tested both, see

  https://i.imgur.com/QnWQuIO.png
  https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP 
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else 
> between pfSense and the ISP, the port forwards and associated rules must be 
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be 
> added both to and from the server's IP in order for a port forward to work 
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a 
> gateway chosen on this WAN interface, or the firewall rules for the port 
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic 
> for the port forward is NOT passed in via Floating Rules or an Interface 
> Group. Only rules present on the WAN's interface tab under Firewall Rules 
> will have the reply-to keyword to ensure the traffic responds properly via 
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the 
> firewall rule(s) allowing the traffic in do not have the box checked to 
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master 
> reply-to disable switch is not checked under System > Advanced, on the 
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for 
> the port forward do NOT have a gateway configured on the actual rule.

see

https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it 
> may be happening due to UPnP. Check Status > UPnP to see if an internal 
> service has configured a port forward unexpectedly. If so, disable UPnP on 
> either that device or on the firewall. 

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.

Marco
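The thread's diagnosis hinges on comparing a capture on the WAN side with one on the interface the server sits on: if the outside test never shows up on WAN the problem is upstream of pfSense, if it shows on WAN but never leaves toward the server the NAT or WAN rule is at fault, and if it is forwarded but unanswered the server side is. The following is an added example, not code from the thread or from pfSense, that turns that comparison into a repeatable check over tcpdump-style text; the sample captures are constructed, 10.0.30.21 and port 8000 come from Marco's post, and 198.51.100.10 (WAN address) and 203.0.113.5 (outside tester) are documentation placeholders.

```python
"""Classify where a port forward breaks from WAN and LAN tcpdump captures.

Added example; not from the thread or from pfSense. The captures below are
constructed tcpdump -n output; 198.51.100.10 (WAN) and 203.0.113.5 (outside
tester) are documentation placeholders.
"""
import re

# Shape of a tcpdump -n TCP line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], ..."
LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                  r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line; skip anything else."""
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]

def diagnose(wan_capture, lan_capture, fwd_port, server_ip):
    """Return 'upstream', 'firewall', 'server' or 'ok' for a forward of fwd_port to server_ip."""
    wan_in = [p for p in parse(wan_capture) if p[3] == fwd_port]
    lan_out = [p for p in parse(lan_capture) if p[2] == server_ip and p[3] == fwd_port]
    lan_reply = [p for p in parse(lan_capture) if p[0] == server_ip and p[1] == fwd_port]
    if not wan_in:
        return "upstream"   # nothing arrived on WAN: border/ISP device or the outside test itself
    if not lan_out:
        return "firewall"   # arrived on WAN but never left toward the server: NAT or WAN rule
    if not lan_reply:
        return "server"     # forwarded, but no answer: host firewall, listener or default gateway
    return "ok"

# Constructed sample captures (one external connection attempt to port 8000).
WAN_OK = """\
14:30:01.000001 IP 203.0.113.5.51000 > 198.51.100.10.8000: Flags [S], seq 1, win 64240, length 0
14:30:01.000900 IP 198.51.100.10.8000 > 203.0.113.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""
WAN_SILENT = "14:30:01.000001 IP 203.0.113.5.51001 > 198.51.100.10.443: Flags [S], seq 9, win 64240, length 0\n"
LAN_OK = """\
14:30:01.000300 IP 203.0.113.5.51000 > 10.0.30.21.8000: Flags [S], seq 1, win 64240, length 0
14:30:01.000700 IP 10.0.30.21.8000 > 203.0.113.5.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""
LAN_NO_REPLY = "14:30:01.000300 IP 203.0.113.5.51000 > 10.0.30.21.8000: Flags [S], seq 1, win 64240, length 0\n"

if __name__ == "__main__":
    for name, wan, lan in [("ok", WAN_OK, LAN_OK), ("server silent", WAN_OK, LAN_NO_REPLY),
                           ("nothing on WAN", WAN_SILENT, "")]:
        print(f"{name}: {diagnose(wan, lan, 8000, '10.0.30.21')}")
```

Feed it the text of two real captures (for instance from pfSense's Diagnostics > Packet Capture, one per interface) taken while a single outside test runs, and the verdict tells you which hop to look at next.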