pfSense not forwarding back packets

Question

I have a pfSense box setup where my WAN interface (em0) is set up in my local network (192.168.1.100) and my LAN interface (em1) is a private network of its own (10.0.0.1). The end goal is to have the 10.0.0.x network as private malware lab where devices on that network cannot talk to anything on the 192.168.1.x network directly. Though, I would like to punch holes in the pfSense firewall to allow traffic from 192.168.1.x network to access services in the private network, such as FTP, HTTP, SMB, SSH, etc. So if I FTP to 192.168.1.100 (WAN interface) then it'll route though to the FTP server running on a device internal to 10.0.0.x. Currently I can see that my FTP server gets a TCP SYN packet, but nothing else happens.

And I can see some FTP traffic through pfSense with tcpdump.

Here's my NAT port forwarding rules (they also have an associated filter rule).

And also if it's helpful, my LAN firewall rules as well.

I thought that maybe there was an error with my blocking rules to block 192.168.1.x traffic from the 10.0.0.x network, but I have that rule disabled. I'm at a total loss and don't understand what is going wrong, so any help would be super appreciated!

Could you ssh into your pfsense box and do something to the effect of 'tcpdump -netvi pflog0' and then try to access these services? That should show whether you're blocking or not. — qovert, Aug 24 '15 at 20:29
Stupid question but do you have the default gateway set to the pfSense LAN interface on your FTP server? Also, I would suggest using multiple LAN interfaces on pfsense and just routing between your networks without NAT. You can still use the firewall and other security features but won't need to mess around with port forwarding, unless this is your specific goal. — tomstephens89, Aug 26 '15 at 16:17
Try replacing the LAN Net/WAN Net/Wan Address with the actual addresses. I had a problem in the past when they didn't behave as expected — Drifter104, Aug 28 '15 at 10:06

score 1 · Answer 1 · answered Aug 27 '15 at 20:17

The Wireshark screenshot on the FTP server is interesting -- the lack of a response suggests that it either can't (routing/NAT issues) or won't (firewall) respond. My ideas:

Does the FTP server have a local firewall (check with iptables -L -vn) dropping any traffic? If iptables's INPUT or OUTPUT chains have the DROP policy but you don't have rules allowing FTP traffic and related/established connections in and out, that would be a problem.
Does traffic to the SSH and HTTP ports (provided those services are running) suffer the same fate as FTP traffic? I'm no expert, but FTP often uses multiple ports (20 and 21), so it might be good to rule out weird behavior specific to FTP.
Can you get a TCP connection from another machine on the 10.0.0.x subnet to the FTP server? Can any traffic from the FTP server get out to the 192.168.1.x network? If traffic within the 10.0.0.x subnet is behaving properly but no traffic can get out, there may be an issue with routing, NAT, or firewall settings on the pfSense box.

1. No iptable entries on the FTP server 2. They both were getting caught by pfsense so I figured I'd use a service that wasn't in use by pfsense. But even if I just use `ncat` to try to make a connection over random ports, still doesn't work. — Chiggins, Sep 09 '15 at 18:29

score 0 · Answer 2 · answered Aug 27 '15 at 08:15

Though you say you are receiving TCP SYN packet but i think you should have a firewall rule on WAN interface to allow port 21 (FTP) to go to the LAN interface i.e. em1.
FTP server should have default gateway of 10.0.0.1.
Also check if the outbound NAT rule is set on Automatic. If its not than you experience routing problem with packets returning from FTP.
At pfsense > Diagnostics > ARP table should tell you whether FTP server is reachable via pfsense. Better start with allowing ICMP packets onto a device on private network and start tracing from there. Trace route should also help finding where your packets get lost.

sam_pan_mariusz · Answer 3 · 2015-08-28T11:13:46.250

pfSense has a special support for FTP protocol, which affects both active and passive modes. My experience is that it only complicates (otherwise usually simple) DNAT configuration for passive mode. I could only make passive mode working anyway, with the steps below.

Go to System: Advanced: System Tunables (.../system_advanced_sysctl.php) page. Set 1 for debug.pfftpproxy option, to disable the pf FTP proxy handler. Now, setup your FTP server to use a specific ports range for data and forward these in addition to TCP/21.

However, whenever possible, avoid FTP protocol at all. There're alternatives like SCP, more secure by nature (SSH based), allowing more authentication options and without all the active/passive/NAT/multiport burden.

score 0 · Answer 4 · answered Aug 29 '15 at 05:16

0

Assuming the addressing provided is what you have in place - do you have block private networks enabled on the WAN interface (em0) ? I believe this is a default setting along with block bogan networks.

https://i.stack.imgur.com/boREK.png

answered Aug 29 '15 at 05:16

scottmc

11
2

No private or bogan networks are blocked. – Chiggins Sep 09 '15 at 18:33

pfSense not forwarding back packets

4 Answers4