PfSense port forwarding issues

tgray96

Ok guys, running pfSense 2.0.3 Release with Snort, Squid and SquidGuard, and I cannot get port forwarding working for the life of me. Trying to forward the ports for my TeamSpeak 3 and Minecraft server. Here is an example of how I have it set up. Under Firewall > NAT, Port Forwarding.

Disabled - Unchecked
No RDR - Unchecked
Interface - WAN
Protocol - UDP
Source-
Not - Unchecked
Type - Any
Destination-
Not - Unchecked
Type - Wan Address
Dest. Port Range-
from 9987
to 9987
redirect target ip: 10.0.0.242
redirect target port: 9987
description: ts3
No XMLRPC Sync - Unchecked
NAT Reflection - Use System Default
Filter Rule Association: Rule NAT ts3

Any Ideas?
 
Ensure you have both the NAT mapping AND matching firewall rule on the WAN interface. That's the first thing I'd check if you have not.

Typically what I like to do is make a NAT rule that is rather open, then in the firewall rule I will add specific restrictions like source IP if I only want certain IPs to have access.
 
Well, the firewall rule was created by the NAT mapping.
Here is the info from the firewall rule:
Action: Pass
Disabled: Unchecked
(Following options unable to be edited)
Interface: Wan
Protocol: UDP
Source
not - unchecked
type: any
Destination
not - unchecked
type: single host or alias
address: 10.0.0.242 /31
destination port range
from: blank
to: blank
log packets - unchecked
 
Can you post the pf.conf? pfSense is good but can mickeymouse it a bit, so it's good to see the actual config.
 
Depends on version, but:
The config file pfSense uses is not in the default location – /etc/pf.conf (this file is commented out) – but is at /tmp/rules.debug instead.

Please note that this file is automatically regenerated from /cf/conf/config.xml quite frequently.
 
https://support.teamspeakusa.com/in...6/which-ports-does-the-teamspeak-3-server-use
shows that UDP 9987 (voice), TCP 30033 (File Transfer), TCP 10011 (serverquery), and TCP 41144 (tsdns) are needed.
It also suggests TCP Port 2008 from accounting.teamspeak.com should not be blocked. This might be accomplished by forwarding, but might be best to simply create a firewall rule.

Create rules for all of the above, and then try it. If you don't want to use some, once you have it working go in and disable, then test.
Also, make sure you aren't restricting the outbound traffic (looks like specifically UDP 2010). The default pfSense (allow any) setup will allow it from the default LAN, but if you've changed it, we'd need to see your firewall rules.
 
set limit tables 3000
set optimization normal
set limit states 97000
set limit src-nodes 97000

#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em1 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>

table <virusprot>

# User Aliases
table <gameserver> { 10.0.0.242 }
gameserver = "<gameserver>"

# Gateways
GWWAN = " route-to ( em0 71.48.88.1 ) "


set loginterface em1

set skip on pfsync0

scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble


no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT
tonatsubnets = "{ 10.0.0.0/24 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 71.48.94.234/32 port 500
nat on $WAN from $tonatsubnets to any -> 71.48.94.234/32 port 1024:65535


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <negate_networks> { 71.48.88.0/21 10.0.0.0/24 }
# NAT Inbound Redirects
rdr on em0 proto udp from any to 71.48.94.234 port 9987 -> 10.0.0.242
rdr on em0 proto tcp from any to any port 10011 -> 10.0.0.242
rdr on em0 proto tcp from any to any port 30033 -> 10.0.0.242
rdr on em0 proto { tcp udp } from any to 10.0.0.1 port 25565 -> 10.0.0.242
rdr on em0 proto { tcp udp } from any to 10.0.0.1 port 8080 -> 10.0.0.242

# Setup Squid proxy redirect
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for em1
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 71.48.88.1 ) from 71.48.94.234 to !71.48.88.0/21 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
pass in quick on $LAN from 10.0.0.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $WAN reply-to ( em0 71.48.88.1 ) proto udp from any to 10.0.0.242 port 9987 keep state label "USER_RULE: NAT ts31"

# VPN Rules
anchor "tftp-proxy/*"

# Setup squid pass rules for proxy
pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
pass in quick on em1 proto tcp from any to !(em1) port 3128 flags S/SA keep state

Here ya guys go. Thanks in advance.
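Added example, not from the thread: a small Python checker that parses lines in the format of the rules.debug dump above and reports, for every rdr on the WAN, whether a pass rule to the redirect target exists (the "NAT mapping AND matching firewall rule" check suggested earlier) and whether the rdr destination is a private address, which can never match packets arriving for the WAN IP (as in the 25565 and 8080 lines). The sample lines, the interface name em0 and the WAN IP 71.48.94.234 are taken from the dump; the function names and the message wording are mine.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the rules.debug lines posted above (labels shortened).
RULES = """\
rdr on em0 proto udp from any to 71.48.94.234 port 9987 -> 10.0.0.242
rdr on em0 proto tcp from any to any port 10011 -> 10.0.0.242
rdr on em0 proto tcp from any to any port 30033 -> 10.0.0.242
rdr on em0 proto { tcp udp } from any to 10.0.0.1 port 25565 -> 10.0.0.242
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on $WAN reply-to ( em0 71.48.88.1 ) proto udp from any to 10.0.0.242 port 9987 keep state label "USER_RULE: NAT ts31"
"""

# Single-port rules only; port ranges (a:b) are not handled by this check.
RDR_RE = re.compile(r"^rdr on (\S+) proto (\{[^}]*\}|\S+) from \S+ to (\S+) port (\d+) -> (\S+)")
PASS_RE = re.compile(r"^pass in .*proto (\{[^}]*\}|\S+) from \S+ to (\S+) port (\d+)")

def protos(field):  # '{ tcp udp }' -> {'tcp', 'udp'}; 'udp' -> {'udp'}
    return set(field.strip("{} ").split())

def is_private(dst):  # True for RFC 1918/loopback literals; False for 'any', '(em1)', public IPs
    try:
        return ip_address(dst.split("/")[0]).is_private
    except ValueError:
        return False

def audit(text, wan="em0", wan_ip="71.48.94.234"):
    """Return (port, proto, finding) for each WAN rdr that cannot work as written."""
    rdrs, passes = [], []
    for line in text.splitlines():
        m = RDR_RE.match(line)
        if m:
            iface, proto, dst, port, target = m.groups()
            rdrs.append((iface, protos(proto), dst, int(port), target))
        m = PASS_RE.match(line)
        if m:
            proto, dst, port = m.groups()
            passes.append((protos(proto), dst, int(port)))
    findings = []
    for iface, prs, dst, port, target in rdrs:
        if iface != wan:
            continue
        for proto in sorted(prs):
            # pf applies rdr before the filter, so the pass rule must name the internal target.
            if not any(proto in p and d == target and pt == port for p, d, pt in passes):
                findings.append((port, proto, "no pass rule to %s port %d" % (target, port)))
            # A private destination never matches packets arriving for the WAN address.
            if dst not in ("any", wan_ip) and is_private(dst):
                findings.append((port, proto, "rdr destination %s is private, WAN address is %s" % (dst, wan_ip)))
    return findings
```

Run against the full dump, the 9987 rule is the only redirect that passes both checks; 10011 and 30033 lack a pass rule, and 25565/8080 additionally point at 10.0.0.1 instead of the WAN address.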
 
Screenshots of? I have no issues getting them. Just need an idea of what to actually screenshot...
 
The NAT and firewall rules.

Dumb question but is it allowed through the PC firewall?
 
@ /usr/home Ok, I will grab them in a bit. It's running on a Linux box, with iptables disabled for testing.

@RocketTech No clue, they were enabled immediately.
 
Did you inherit this from someone? Snort, squid, and squidguard aren't even part of the default install, much less activated on a new default install.
 
Port forwarding in pfSense is broken and they refuse to admit it... it breaks SIP also...

Just google SIP pfSense.
 
SIP is a completely other story; it's pretty much impossible to get it working without opening insanely large ranges, or if you get lucky, finding a proxy that plays nice with your provider and hardware. Doesn't matter if it's pfSense, iptables, etc.
//Danne
 
Screenshots attached: nat1ErZS.png, nat2.png, firewall1.png, firewall3.png, firewall4.png
 
Port forwarding is not broken in pfSense, it merely employs port randomization by default. To avoid this, for example for SIP, on the Outbound NAT tab, change the mode to Manual Outbound NAT.

I suggest disabling Snort, Squid, and SquidGuard. Make sure your simple configuration is working first. I'm not sure why you would want to deal with a proxy filter before even confirming your connections are working right.
The rule and NAT look OK.
 
SIP is a completely other story; it's pretty much impossible to get it working without opening insanely large ranges, or if you get lucky, finding a proxy that plays nice with your provider and hardware. Doesn't matter if it's pfSense, iptables, etc.
//Danne

Yet it works fine with a $30 Linksys router? I call that broken.
 
It works because you don't block outbound ports by default on a $30 router...
//Danne
 