Port Forwarding to pfSense in the DMZ of Another Router

I have a pfSense VM set up in the DMZ of my ISP's router. I have been having some trouble with port forwarding on the pfSense router. I am trying to forward SSH, but because I have another machine set up on the default port, I chose a different port, and I can't get the port forwarding working.

What I’ve tried:

  • Confirmed SSH is working inside the network
  • Moved the machine to the ISP router's network and got the port working there
  • Tried setting the SSH server's port to the port I want to use, and also leaving it on the default port 22 with the NAT rule forwarding the port I want to use to port 22 on the machine
  • Checked canyouseeme.org and it doesn't detect the port

I read the documentation on the ISP's router and it says any port that doesn't have an existing rule is forwarded to the DMZ. I do have port 80 set up to forward on my pfSense router to a Windows Server VM, and canyouseeme.org shows port 80 is working.

Is there something I missed? What more can I do to troubleshoot the issue?

A lot of routers’ DMZ settings are basically just forwarding all ports to an IP address inside your network. If your pfSense’s WAN interface is getting an internal IP address (192.168.x.x, 172.16.x.x, 10.x.x.x), you need to allow private networks on your WAN interface.

Interfaces -> WAN -> Aaaaalllllll the way at the bottom. It’s a checkbox. It needs to be unchecked.

Yeah that box is unchecked.

What I did to get port forwarding to work was enable it only on a specific IP that I assigned to a device by MAC address. You can find these settings in UPnP & NAT-PMP settings under the Services tab. It's a lot easier (and safer) to allow a range of forwarded ports to a specific device than enabling it across the board for anything connected. A port range also allows devices to choose their preferred port (in your case, 80) without you having to specify it yourself.

Drat. Your next course of action is to watch the firewall logs while you attempt to connect from the outside world. My hope is you’ll get a deny entry in the logs. Just to confirm, you’ve got the NAT entry, and you also have a Rule in place to allow access to the external port?

If you get nothing on the firewall, head to Diagnostics -> Packet Capture. Listen on the WAN, and the external port, have it start listening, and then try to connect. Once you’re done trying to connect, see if you captured any packets. If you got nothing, then we need to investigate the DMZ settings on the router.
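The two steps above (watch the firewall log for a deny entry, then fall back to a WAN packet capture) can be turned into a small triage script. The following is an added example for this thread, not code from pfSense or from any poster. It assumes the pfSense "filterlog" syslog line layout (rule number, sub-rule, anchor, tracker ID, interface, reason, action, direction, IP version, the IPv4 header fields, then source/destination address and ports). One detail worth knowing when reading those logs: pf applies the port forward before the filter rules, so a packet that matched the NAT entry is logged with the internal destination address and port, while one that matched no NAT entry is logged with the public address and external port. The sample log lines, interface names (em0 WAN, em1 LAN), addresses (documentation ranges) and ports below are all constructed.

```python
"""Triage pfSense firewall log entries for one port forward.

Added example; assumes the pfSense filterlog CSV layout described in the
lead-in.  Sample data is constructed: 192.0.2.10 is the WAN address,
2222 -> 10.0.0.20:22 is the SSH forward, 80 -> 10.0.0.30:80 the HTTP one.
"""
from collections import Counter

# Constructed sample lines (not captured data).  Line 1: SSH SYN blocked with
# the public destination intact.  Line 2: HTTP SYN passed after translation.
# Line 3: SSH SYN blocked *after* translation to the internal host.
# Line 4: the translated HTTP packet leaving on the LAN side.
SAMPLE_LOG = """\
Mar 19 12:00:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51234,2222,0,S,123456789,,65535,,mss;sackOK;TS;nop;wscale
Mar 19 12:00:02 pfSense filterlog: 70,,,1588000000,em0,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.6,10.0.0.30,51235,80,0,S,123456790,,65535,,mss;sackOK;TS;nop;wscale
Mar 19 12:00:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,203.0.113.7,10.0.0.20,51236,22,0,S,123456791,,65535,,mss;sackOK;TS;nop;wscale
Mar 19 12:00:04 pfSense filterlog: 70,,,1588000000,em1,match,pass,out,4,0x0,,63,12346,0,DF,6,tcp,60,203.0.113.6,10.0.0.30,51235,80,0,S,123456790,,65535,,mss;sackOK;TS;nop;wscale
"""


def parse_filterlog_line(line):
    """Return a dict for one IPv4 TCP/UDP filterlog entry, or None otherwise."""
    marker = "filterlog: "
    if marker not in line:
        return None
    fields = line.split(marker, 1)[1].strip().split(",")
    # Only IPv4 TCP/UDP entries carry the port columns used below.
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    return {
        "tracker": fields[3],
        "interface": fields[4],
        "action": fields[6],     # pass or block
        "direction": fields[7],  # in or out
        "proto": fields[16],
        "src": fields[18],
        "dst": fields[19],
        "sport": int(fields[20]),
        "dport": int(fields[21]),
    }


def events_for_forward(log_text, wan_ip, external_port, internal_ip, internal_port):
    """Keep entries addressed to either the public or the translated endpoint."""
    wanted = {(wan_ip, external_port), (internal_ip, internal_port)}
    events = []
    for line in log_text.splitlines():
        e = parse_filterlog_line(line)
        if e and (e["dst"], e["dport"]) in wanted:
            events.append(e)
    return events


def summarize(events):
    """Count entries by (interface, direction, action, destination, port)."""
    return Counter((e["interface"], e["direction"], e["action"], e["dst"], e["dport"])
                   for e in events)


def diagnose(events, wan_if, wan_ip, external_port):
    """Map what the WAN-inbound entries show onto the next troubleshooting step."""
    if not events:
        return ["no firewall log entries: run a WAN packet capture to see whether "
                "the packets reach pfSense at all"]
    findings = []
    for (iface, direction, action, dst, dport), n in summarize(events).items():
        if iface != wan_if or direction != "in":
            continue
        if action == "block" and (dst, dport) == (wan_ip, external_port):
            findings.append(f"{n} blocked with the public destination still intact: "
                            f"no NAT entry matched this port/protocol")
        elif action == "block":
            findings.append(f"{n} blocked after translation to {dst}:{dport}: NAT matched "
                            f"but no firewall rule passes the translated destination")
        elif action == "pass":
            findings.append(f"{n} passed to {dst}:{dport}: check the target host "
                            f"(sshd listening port, host firewall, tcpdump on the VM)")
    return findings or ["no inbound WAN entries for this forward: "
                        "check the ISP router's DMZ setting"]


if __name__ == "__main__":
    ssh = events_for_forward(SAMPLE_LOG, "192.0.2.10", 2222, "10.0.0.20", 22)
    for line in diagnose(ssh, "em0", "192.0.2.10", 2222):
        print(line)
```

Run it against a real `clog /var/log/filter.log` dump by replacing `SAMPLE_LOG` with the file contents and the addresses with your own; remember that if logging is disabled on the default deny rule (see the later comment about log volume) a block leaves no entry at all, which is exactly the case the "no firewall log entries" branch sends to the packet capture.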

Have you checked the firewall logs on the pfSense VM?

The firewall may be eating the SSH traffic due to "NAT fuckery".

Also, is the host OS running the VM handing off network traffic to the VM through NAT, or like a direct hardware handoff to the VM?

I get a strong feeling there is some sort of NAT fuckery afoot.

I didn't see anything in the logs, but I tried the packet capture and it showed up there. Does that mean there is a problem with the rules? As far as the VM network setup, I have a physical for pfSense from the ISP router, then the LAN goes into a virtual switch with the other VM I'm trying to SSH into.

That’s really interesting. If you’re not seeing anything in the firewall log, I would presume that it’s going through. Can you post screenshots of your rule and NAT entries?

Also for a fun next step, in the console of your VM, run tcpdump, and then ssh in from the outside again. Just to see if the packets are getting as far as your VM. That would tell us if the VM is doing something crazy with the packets from the outside world.

Check the SSH config and firewall rules on the machine you're trying to get into; it sort of sounds like you've got it set to only allow SSH traffic from the local subnet.

The firewall may be set to not log or silently drop certain stuff (if you log everything dropped/rejected, pretty much anything with any sort of ports open facing the internet will have log files in the hundreds of megabytes or gigabytes within a couple of weeks).

Edit: this points to it not being the SSH/firewall only allowing local traffic, but if pfSense is seeing the inbound SSH traffic, that means the forwarding is broken/misconfigured, or double NAT (ISP router + pfSense) is causing the traffic to get dropped by the machine you're trying to connect to.

Thinking through this, I'm 90% sure this is NAT fuckery.
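The "only allows SSH from the local subnet" suspicion raised above is checkable without guessing. The script below is an added example for this thread, not code from the thread or from OpenSSH. It reads sshd_config syntax (keyword/value pairs, `#` comments, and `Match` blocks, whose directives apply only under the block's condition until the next `Match`) and flags the directives that decide where a client may connect from: `AllowUsers`/`DenyUsers` entries with a `user@host` part and `Match Address` blocks. It also confirms that sshd listens on the port the NAT rule targets, since the original post tried both port layouts. The config text, the 10.0.0.0/24 LAN and the 203.0.113.5 client address are constructed sample input; negated patterns (`!`) are not handled.

```python
"""Audit an sshd_config for settings that would reject a forwarded connection.

Added example; the sample config and addresses are constructed, not taken from
any real host.
"""
import fnmatch
import ipaddress
import shlex

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
ListenAddress 0.0.0.0
PermitRootLogin no
PasswordAuthentication no
AllowUsers admin@10.0.0.* deploy
Match Address 10.0.0.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks); a directive is (keyword, [values])."""
    global_dirs, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        # sshd accepts "Key value", "Key=value" and "Key = value".
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        elif len(parts) > 1 and parts[1] == "=":
            del parts[1]
        keyword, values = parts[0].lower(), parts[1:]
        if keyword == "match":
            current = {"criteria": values, "directives": []}
            blocks.append(current)
        elif current is None:
            global_dirs.append((keyword, values))
        else:
            current["directives"].append((keyword, values))
    return global_dirs, blocks


def address_matches(pattern, ip):
    """True if `ip` matches a comma-separated list of CIDRs and/or glob patterns."""
    for pat in pattern.split(","):
        pat = pat.strip()
        if "/" in pat:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(pat, strict=False):
                return True
        elif fnmatch.fnmatchcase(ip, pat):
            return True
    return False


def audit(text, client_ip, expected_port):
    """List the directives that would stop `client_ip` reaching sshd via the forward."""
    global_dirs, blocks = parse_sshd_config(text)
    findings = []
    # No Port directive means sshd listens on 22.
    ports = [int(v) for k, vals in global_dirs if k == "port" for v in vals] or [22]
    if expected_port not in ports:
        findings.append(f"sshd listens on {ports}, but the NAT rule targets port {expected_port}")
    for k, vals in global_dirs:
        for entry in vals:
            if "@" not in entry:
                continue  # a bare user name matches any source host
            user, host = entry.split("@", 1)
            hit = address_matches(host, client_ip)
            if k == "allowusers" and not hit:
                findings.append(f"AllowUsers {entry}: '{user}' may only log in from {host}, "
                                f"which does not cover {client_ip}")
            elif k == "denyusers" and hit:
                findings.append(f"DenyUsers {entry}: '{user}' is denied from {client_ip}")
    for block in blocks:
        crit = block["criteria"]
        for key, val in zip(crit[::2], crit[1::2]):
            if key.lower() == "address" and not address_matches(val, client_ip):
                inside = ", ".join(f"{k} {' '.join(v)}" for k, v in block["directives"])
                findings.append(f"Match Address {val} does not apply to {client_ip}; "
                                f"{inside} only takes effect for matching clients")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, "203.0.113.5", 22):
        print(finding)
```

On the target VM, feed it the effective configuration (`sshd -T` prints every directive, including defaults) rather than the file on disk, and pass the public address you are connecting from; an empty result means sshd itself is not the thing refusing the connection and the host firewall is next.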