OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: jarif on November 13, 2017, 11:22:54 pm

Title: I have a problem with port forwarding
Post by: jarif on November 13, 2017, 11:22:54 pm
This must have been working at some stage, as I have multiple rules for port forwarding and I have been happy. But it does not work.

I try to connect from an external site to a LAN box via OPNsense, and there are port forwarding and firewall rules to make it happen.

But when I try that, the connection is said to time out.

Setup

- external client: 138.201.119.25 (www)
- router (OPNsense) (wellington)
- internal LAN host: 192.168.1.122 (gauntlet)

Attempt

[jarif@www ~]$ curl -v http://86.115.205.131
* About to connect() to 86.115.205.131 port 80 (#0)
*   Trying 86.115.205.131...
* Connection timed out
* Failed connect to 86.115.205.131:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 86.115.205.131:80; Connection timed out


But the firewall does not block!

Firewall log tells me that the connection attempts were passed! Is it the port forwarding then?

Doing a tcpdump on the LAN host

jarif@gauntlet ~ $ sudo tcpdump -A dst port 80 or src port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:10:41.819431 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:41.819734 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:42.821411 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E .4..@.4.....w....z.M.P..........r.................
00:10:42.821618 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:43.826671 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:44.827337 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:44.827588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:46.866648 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:10:48.835362 IP mail.bitwell.biz.39245 > gauntlet.fredriksson.dy.fi.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.4.....w....z.M.P..........r.................
00:10:48.835588 IP gauntlet.fredriksson.dy.fi.http > mail.bitwell.biz.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
E..4..@.@.v....z..w..P.Mq.........r..+..............
00:11:19.429732 IP gauntlet.fredriksson.dy.fi.43405 > mail.bitwell.biz.http: Flags [.], ack 3695803675, win 1024, length 0
E..(\Q..7.cz...z..w....P.....I}.P.......
00:11:19.471313 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43405: Flags [R], seq 3695803675, win 0, length 0
E..(..@.4.....w....z.P...I}.....P.............
00:11:21.614267 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [S], seq 2603470522, win 1024, options [mss 1460], length 0
E..,.7../......z..w....P.-......`....[......
00:11:21.664992 IP mail.bitwell.biz.http > gauntlet.fredriksson.dy.fi.43661: Flags [S.], seq 3444674754, ack 2603470523, win 29200, options [mss 1460], length 0
E..,..@.4.....w....z.P...Q...-..`.r..%........
00:11:21.665209 IP gauntlet.fredriksson.dy.fi.43661 > mail.bitwell.biz.http: Flags [R], seq 2603470523, win 0, length 0
E..(.=@.@......z..w....P.-......P.......


That is the output while doing curl connection on www.

The line is not dead, blocked or anything, but no TCP socket will be opened!

Is the web server dead on Gauntlet?

I don't think so. To see that I log in to OPNsense

jarif@gauntlet ~ $ ssh wellington
X11 forwarding request failed on channel 0
Last login: Tue Nov 14 00:16:42 2017 from 192.168.1.122
----------------------------------------------
|      Hello, this is OPNsense 17.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:   https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:   https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:   https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:   https://lists.opnsense.org/  |        @@@@         @@@@
| Code:      https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------
jarif@wellington:~ % curl -v http://192.168.1.122
* Rebuilt URL to: http://192.168.1.122/
*   Trying 192.168.1.122...
* TCP_NODELAY set
* Connected to 192.168.1.122 (192.168.1.122) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.1.122
> User-Agent: curl/7.56.1
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Mon, 13 Nov 2017 22:17:23 GMT
< Server: Apache/2.4.25 (Raspbian)
< WWW-Authenticate: Basic realm="Bacula"
< Content-Length: 462
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.25 (Raspbian) Server at 192.168.1.122 Port 80</address>
</body></html>
* Connection #0 to host 192.168.1.122 left intact


I'm really puzzled with this! Any ideas?

The NAT-rule is:

(https://static.bitwell.biz/images/opnsense-nat-rule.png)
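The capture in the post has a recognisable shape: the external client's SYN reaches gauntlet, gauntlet answers with a SYN-ACK (and keeps retransmitting it), but the third packet of the handshake never arrives, so the client's curl times out while the firewall log shows the SYN as passed. That pattern is consistent with the SYN-ACK never getting back to the client. The following script is an added example, not code from the post or from OPNsense; it parses tcpdump text output of the kind shown above and classifies each TCP flow by how far its handshake got, so "server answered but client never completed" can be told apart from "server never answered" and "client tore it down". The capture embedded in it is constructed for the example (placeholder hostnames, same line format as the post, payload dump lines omitted).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump` text output as shown in the post.
# Hostnames are placeholders; the -A payload dump lines are left out because
# the parser ignores them anyway.
SAMPLE_CAPTURE = """\
00:10:41.819431 IP client.example.39245 > gauntlet.lan.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:10:41.819734 IP gauntlet.lan.http > client.example.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:10:42.821411 IP client.example.39245 > gauntlet.lan.http: Flags [S], seq 3235046049, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:10:42.821618 IP gauntlet.lan.http > client.example.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:10:43.826671 IP gauntlet.lan.http > client.example.39245: Flags [S.], seq 1906184929, ack 3235046050, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
00:11:21.614267 IP gauntlet.lan.43661 > client.example.http: Flags [S], seq 2603470522, win 1024, options [mss 1460], length 0
00:11:21.664992 IP client.example.http > gauntlet.lan.43661: Flags [S.], seq 3444674754, ack 2603470523, win 29200, options [mss 1460], length 0
00:11:21.665209 IP gauntlet.lan.43661 > client.example.http: Flags [R], seq 2603470523, win 0, length 0
00:12:00.000000 IP other.example.51000 > gauntlet.lan.http: Flags [S], seq 1, win 29200, options [mss 1460], length 0
00:12:00.000100 IP gauntlet.lan.http > other.example.51000: Flags [S.], seq 100, ack 2, win 29200, options [mss 1460], length 0
00:12:00.000200 IP other.example.51000 > gauntlet.lan.http: Flags [.], ack 101, win 229, length 0
00:12:05.000000 IP third.example.52000 > gauntlet.lan.ssh: Flags [S], seq 5, win 29200, options [mss 1460], length 0
"""

# One tcpdump packet line: timestamp, "IP"/"IP6", src > dst, then the TCP flags.
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def split_endpoint(endpoint):
    """tcpdump writes host.port (or 1.2.3.4.80 with -n); the port is the last dotted part."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def classify(c):
    """Turn per-flow packet counts into a handshake verdict."""
    if c["syn"] == 0:
        return "no-syn-seen"
    if c["synack"] == 0:
        # Server side never replied: refused outright, not listening, or dropped locally.
        return "refused" if c["rst_from_server"] else "syn-unanswered"
    if c["ack"] > 0:
        return "established"
    if c["rst_from_client"] > 0:
        return "reset-by-client"  # half-open probe; client aborted after the SYN-ACK
    # Server answered (possibly many times) but the client never completed the
    # handshake: the SYN-ACK is not reaching the client, so check the return path.
    return "synack-not-acked"


def analyze_handshakes(capture_text):
    """Return {(client_host, client_port, server_host, server_port): (verdict, counts)}."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0,
                                 "rst_from_client": 0, "rst_from_server": 0})
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # banner lines and -A payload dumps
        shost, sport = split_endpoint(m.group("src"))
        dhost, dport = split_endpoint(m.group("dst"))
        flags = m.group("flags")
        fwd = (shost, sport, dhost, dport)   # sender is the client
        rev = (dhost, dport, shost, sport)   # sender is the server
        if "S" in flags and "." not in flags:
            flows[fwd]["syn"] += 1
        elif "S" in flags:
            flows[rev]["synack"] += 1
        elif "R" in flags:
            if fwd in flows:
                flows[fwd]["rst_from_client"] += 1
            elif rev in flows:
                flows[rev]["rst_from_server"] += 1
        elif fwd in flows:
            flows[fwd]["ack"] += 1  # any client->server packet after the SYN-ACK completes the handshake
    return {key: (classify(c), dict(c)) for key, c in flows.items()}


def report(capture_text):
    """Human-readable summary, one line per flow."""
    lines = []
    for (ch, cp, sh, sp), (verdict, c) in sorted(analyze_handshakes(capture_text).items()):
        lines.append(f"{ch}:{cp} -> {sh}:{sp}  {verdict}  "
                     f"(syn={c['syn']} synack={c['synack']} ack={c['ack']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 handshake_check.py < capture.txt   (or with no stdin, the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    print(report(text))
```

Feed it the text from `tcpdump -n` on the LAN host (or on the OPNsense interfaces) while repeating the external curl; a flow that comes back as `synack-not-acked` with a growing `synack` count points at the reply direction, which is where to look next (the server's default route, reply-to on the WAN rule, or a state that exists on one interface but not the other), rather than at the inbound pass rule the firewall log already confirms.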