pfSense not forwarding back packets

10,742

The Wireshark screenshot on the FTP server is interesting -- the lack of a response suggests that it either can't (routing/NAT issues) or won't (firewall) respond. My ideas:

  • Does the FTP server have a local firewall (check with iptables -L -vn) dropping any traffic? If iptables's INPUT or OUTPUT chains have the DROP policy but you don't have rules allowing FTP traffic and related/established connections in and out, that would be a problem.
  • Does traffic to the SSH and HTTP ports (provided those services are running) suffer the same fate as FTP traffic? I'm no expert, but FTP often uses multiple ports (20 and 21), so it might be good to rule out weird behavior specific to FTP.
  • Can you get a TCP connection from another machine on the 10.0.0.x subnet to the FTP server? Can any traffic from the FTP server get out to the 192.168.1.x network? If traffic within the 10.0.0.x subnet is behaving properly but no traffic can get out, there may be an issue with routing, NAT, or firewall settings on the pfSense box.
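Two of the checks in the answer above, carried out from a script rather than by hand. This is an added example, not code from the answer or from pfSense: `parse_iptables()` and `audit()` read the text of `iptables -L -vn` and report the case the first bullet describes (a DROP policy with no ACCEPT for the service port or for established traffic), and `probe()` does the single TCP connect the second and third bullets ask for, from any host, against any port, distinguishing a refused connection (a RST came back, so routing works) from silence (the symptom in the question). `SAMPLE_IPTABLES` is constructed for the example and is not the FTP server's real rule set; `probe_self_check()` exercises `probe()` only against loopback.

```python
"""
Added example, not code from the original answer: two of its checks as a script.

 1. parse_iptables() reads `iptables -L -vn` text; audit() reports INPUT with
    policy DROP and no ACCEPT for the service port (the SYN is dropped), or
    OUTPUT with policy DROP and no ACCEPT for ESTABLISHED traffic or the
    service's source port (the SYN-ACK is dropped).
 2. probe() makes one TCP connect() with a timeout: "open", "refused" (RST,
    so host and route work) or "timeout" (no reply, the question's symptom).

SAMPLE_IPTABLES is constructed for this example; it is not a real rule set.
"""
import re
import socket
import sys
from dataclasses import dataclass, field

SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
  311 20130 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 942 packets, 80111 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


@dataclass
class Chain:
    name: str
    policy: str                                  # ACCEPT / DROP, RETURN for user chains
    rules: list = field(default_factory=list)    # (target, raw line)


def parse_iptables(text):
    """Split `iptables -L -vn` output into Chain objects keyed by chain name."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = Chain(m.group(1), m.group(2) or "RETURN")
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue                             # blank line or the column header row
        cols = line.split()                      # pkts bytes target prot opt in out src dst [extra]
        current.rules.append((cols[2], line))
    return chains


def has_accept(chain, pattern):
    """True if some ACCEPT rule in the chain matches the regex `pattern`."""
    return any(t == "ACCEPT" and re.search(pattern, raw) for t, raw in chain.rules)


def audit(chains, port):
    """Findings that would explain a SYN arriving at the host but never being answered."""
    findings = []
    inp, out = chains.get("INPUT"), chains.get("OUTPUT")
    if inp and inp.policy == "DROP" and not has_accept(inp, rf"dpt:{port}(?!\d)"):
        findings.append(f"INPUT policy DROP with no ACCEPT for tcp dpt:{port}: incoming SYN dropped")
    if out and out.policy == "DROP" and not (
            has_accept(out, "ESTABLISHED") or has_accept(out, rf"spt:{port}(?!\d)")):
        findings.append(f"OUTPUT policy DROP with no ACCEPT for ESTABLISHED or spt:{port}: SYN-ACK dropped")
    return findings


def probe(host, port, timeout=3.0):
    """One TCP connect: 'open', 'refused' (RST), 'timeout' (silence) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"                     # e.g. no route to host
    finally:
        s.close()


def probe_self_check():
    """Exercise probe() against loopback: one listening port and one closed port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listening = probe("127.0.0.1", srv.getsockname()[1], timeout=2.0)
    srv.close()
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                                  # nothing listens there any more
    return {"listening": listening, "closed": probe("127.0.0.1", closed_port, timeout=2.0)}


if __name__ == "__main__":
    # Pipe real output in (`iptables -L -vn | python3 audit.py`) or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES
    for line in audit(parse_iptables(text), 21) or ["no local firewall problem found for port 21"]:
        print(line)
    print(probe_self_check())
```

On the sample, `audit()` reports the INPUT chain for port 21 and nothing for port 22, which is exactly the split the answer's second bullet suggests testing: if SSH connects but FTP does not, a port-specific rule is the first suspect; if every port behaves the same way, look at routing and NAT on the pfSense side instead.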
Chiggins

Updated on September 18, 2022

Comments

  • Chiggins
    Chiggins over 1 year

    I have a pfSense box set up where my WAN interface (em0) is set up in my local network (192.168.1.100) and my LAN interface (em1) is a private network of its own (10.0.0.1). The end goal is to have the 10.0.0.x network as a private malware lab where devices on that network cannot talk to anything on the 192.168.1.x network directly. Though, I would like to punch holes in the pfSense firewall to allow traffic from the 192.168.1.x network to access services in the private network, such as FTP, HTTP, SMB, SSH, etc. So if I FTP to 192.168.1.100 (WAN interface) then it'll route through to the FTP server running on a device internal to 10.0.0.x. Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

    [Screenshot: Wireshark capture on the FTP server (image not included)]

    And I can see some FTP traffic through pfSense with tcpdump.

    [Screenshot: tcpdump output on pfSense showing FTP traffic (image not included)]

    Here's my NAT port forwarding rules (they also have an associated filter rule).

    [Screenshot: NAT port forwarding rules (image not included)]

    And also if it's helpful, my LAN firewall rules as well.

    [Screenshot: LAN firewall rules (image not included)]

    I thought that maybe there was an error with my blocking rules to block 192.168.1.x traffic from the 10.0.0.x network, but I have that rule disabled. I'm at a total loss and don't understand what is going wrong, so any help would be super appreciated!

    • Admin
      Admin over 8 years
      Could you ssh into your pfsense box and do something to the effect of 'tcpdump -netvi pflog0' and then try to access these services? That should show whether you're blocking or not.
    • Admin
      Admin over 8 years
      Stupid question but do you have the default gateway set to the pfSense LAN interface on your FTP server? Also, I would suggest using multiple LAN interfaces on pfsense and just routing between your networks without NAT. You can still use the firewall and other security features but won't need to mess around with port forwarding, unless this is your specific goal.
    • Admin
      Admin over 8 years
      Try replacing the LAN Net/WAN Net/WAN Address with the actual addresses. I had a problem in the past when they didn't behave as expected.
  • Chiggins
    Chiggins over 8 years
    1. No iptables entries on the FTP server. 2. They both were getting caught by pfSense, so I figured I'd use a service that wasn't in use by pfSense. But even if I just use ncat to try to make a connection over random ports, it still doesn't work.
  • Chiggins
    Chiggins over 8 years
    No private or bogon networks are blocked.
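The `tcpdump -netvi pflog0` suggestion in the comments answers the question "is pfSense itself blocking this?", but on a busy box the output is a lot to read by eye. Below is an added example, not code from the thread or from pfSense, that parses that text into records and counts the blocked packets per rule, interface and destination. The record layout is an assumption approximated from tcpdump's pflog output (pf header `rule N/M(match): action dir on iface:`, then with `-v` the IP header on the same line and the `src.port > dst.port:` part on an indented continuation line); check it against your own capture. `SAMPLE_PFLOG` is constructed: the addresses follow the question's layout (WAN 192.168.1.100, LAN 10.0.0.x) but the rule numbers and hosts are invented.

```python
"""
Added example, not code from the original thread: parse what
`tcpdump -netvi pflog0` prints on the pfSense box and count blocked packets.

Assumed record format (approximated from tcpdump's pflog printing, verify
against a real capture): each record opens with the pf header
"rule N/M(match): <action> <in|out> on <iface>:"; with -v the IP header
follows on that line and "src.port > dst.port:" sits on an indented
continuation line, which parse_pflog() joins back onto the record.

SAMPLE_PFLOG is constructed; rule numbers and hosts are invented.
"""
import re
from collections import Counter

SAMPLE_PFLOG = """\
rule 5/0(match): pass in on em0: (tos 0x0, ttl 64, id 4011, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.20.49210 > 192.168.1.100.21: Flags [S], seq 1, win 29200, length 0
rule 11/0(match): block out on em1: (tos 0x0, ttl 63, id 4011, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.20.49210 > 10.0.0.5.21: Flags [S], seq 1, win 29200, length 0
rule 11/0(match): block out on em1: (tos 0x0, ttl 63, id 4012, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.20.49210 > 10.0.0.5.21: Flags [S], seq 1, win 29200, length 0
rule 2/0(match): block in on em0: (tos 0x0, ttl 128, id 77, offset 0, flags [none], proto UDP (17), length 78)
    192.168.1.33.137 > 192.168.1.255.137: UDP, length 50
"""

HEADER = re.compile(r"^rule (\d+)/(\d+)\((\w+)\): (\w+) (in|out) on (\S+?):")
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")


def parse_pflog(text):
    """Return one dict per pflog record: rule, action, dir, iface, src/sport, dst/dport."""
    joined = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and joined:
            joined[-1] += " " + line.strip()         # continuation of the previous record
        elif line.strip():
            joined.append(line)
    records = []
    for raw in joined:
        h = HEADER.match(raw)
        if not h:
            continue                                 # not a pflog record (e.g. tcpdump banner)
        e = ENDPOINTS.search(raw)
        records.append({
            "rule": int(h.group(1)), "action": h.group(4),
            "dir": h.group(5), "iface": h.group(6),
            "src": e.group(1) if e else None, "sport": int(e.group(2)) if e else None,
            "dst": e.group(3) if e else None, "dport": int(e.group(4)) if e else None,
        })
    return records


def blocked_summary(records):
    """Count blocked packets per (rule, iface, direction, 'dst:port')."""
    counts = Counter()
    for r in records:
        if r["action"] == "block":
            counts[(r["rule"], r["iface"], r["dir"], f"{r['dst']}:{r['dport']}")] += 1
    return counts


def blocks_to_port(records, port):
    """Distinct (rule, iface, dir, dst) combinations that blocked traffic to `port`."""
    return sorted({(r["rule"], r["iface"], r["dir"], r["dst"])
                   for r in records if r["action"] == "block" and r["dport"] == port})


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    for key, n in blocked_summary(recs).most_common():
        print(f"{n:5d}  rule {key[0]} block {key[2]} on {key[1]} -> {key[3]}")
    hits = blocks_to_port(recs, 21)
    print("port 21:", hits or "no blocked packets logged; look at routing/NAT rather than the filter")
```

The last line is the decision the thread is circling: if the capture shows blocks for the port, the rule number names the filter rule to fix; if it shows none while the server still sees only the SYN, the filter is not the problem and the reply path (the FTP server's default gateway, as another comment asks) is the next thing to check.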