Unable to access internal server

I’m running pfSense 2.4.5-RELEASE-p1 on a Protectli Vault 4 Port.

I’m attempting to access a ProxMox Admin Dashboard via 192.168.1.133:8006. Each time I try to access that IP:Port the connection times out.

I have Firewall Rules set up to open 8006, 22, 80, and 443. The documentation only requires that 8006 be open. Here is confirmation that the destination host is the correct IP address.

When I monitor the Firewall logs I’m seeing odd behavior. I see 192.168.1.133:8006 trying to talk to various (unknown to me) ports.

  • Do I allow these ports and see if that works?
  • Is there a step I’m missing that I should have set up/configured in the firewall?

Any/All help is greatly appreciated.

Here is confirmation of the correct IP Address. This is the ProxMox host I’m trying to access.

Here are my exact Firewall rules.

That first rule is blocking local private networks, try moving up the 4th rule to 1st … There isn’t a problem accessing Proxmox, I have it running too without any issues. Personally I delete all the rules and add my own so I have some clue of what is going on.

Generally I add my allow rules then my reject rules, except for pfblocker, which adds its rules first.

I’d use an alias for those ports otherwise you end up with loads of rules when one can do the same job.

Ok, I removed that rule from each Interface. But I’m still unable to access the server. I’m also seeing odd errors in the logs again:

The logs are referencing a 1000000103, but that rule doesn’t exist in my table. Am I missing something?

Here are my current LAN rules:

So did you create the NAT rules from the NAT tab in Firewall > NAT > Port Forward? If not, then I would remove what you have in the WAN now and try that, and for now just allow any port to that server just to see if you can reach it. Then lock it down as you see fit. Also, what outbound mode are you using?

Further to what @xMAXIMUSx says also double check Interfaces > LAN > Reserved Networks both check boxes are blank, I think those firewall rules are a result of this setting … there are some scenarios where these need to be enabled but in the usual case these are unmarked (at least in my setup)

xMAXIMUSx is correct.
If you’re trying to allow traffic from outside to come into your network you need to create what’s called a “Port Forward”.
Do this from the same “Firewall” menu, but go to NAT instead of Rules.
You should land on the “Port Forward” tab.
Create a new rule in there.
Select the interface which the traffic is landing on. This will most likely be your WAN interface.
Leave protocol as TCP, since you indicated that this uses TCP port 8006.
Destination Port range, type 8006 into both boxes. This means you have a destination range of 8006 to 8006.
Redirect target is the private IP address of your internal server. So that’s 192.168.1.133.
Redirect target port is 8006 again.
Make sure the “Filter Rule Association” is set to “Add Associated filter rule”. This will create the firewall rule that you created manually.
Then click save.

That should solve your problem.
If you need to make any changes later on, be sure to change this in the NAT screen and not the rules screen, since any changes you make in the NAT/Port Forward screen will automatically update the associated filter rule too.

This negates the need for you to remove the BOGON networks check boxes in the interface tab as well as removing the rules in your firewall to allow the traffic in. You want to leave those in place since they offer you some protection on your WAN side.

There shouldn’t be any need to forward port 8006 to access Proxmox internally.

My bad everyone! Thanks for offering all the advice/tips @neogrid @ad4m1 and others (can’t tag more than two people I guess my account is too new)

The problem ended up being that the ProxMox host had the incorrect Subnet Mask. I updated that, recycled the server and it worked like a charm.

Thanks so much for all the help - sorry this was a bonehead newb issue.

2 Likes
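
The root cause reported above, a wrong subnet mask on the server, can be checked by comparing how each host decides whether the other is on-link. This is an added example, not code from the thread; the client address, gateway address and masks are constructed, and only 192.168.1.133 comes from the posts.

```python
import ipaddress

def next_hop(local_cidr, peer_ip, gateway_ip):
    """How a host configured as local_cidr (ip/prefix or ip/netmask) reaches peer_ip."""
    iface = ipaddress.ip_interface(local_cidr)
    if ipaddress.ip_address(peer_ip) in iface.network:
        return "direct"        # peer is on-link: the host ARPs for it
    if ipaddress.ip_address(gateway_ip) in iface.network:
        return "gateway"       # peer is off-link: packet goes to the default gateway
    return "unreachable"       # the gateway itself is off-link for this mask

def diagnose(client_cidr, server_cidr, gateway_ip):
    """Compare the forward and return paths between two hosts on one LAN."""
    client = ipaddress.ip_interface(client_cidr)
    server = ipaddress.ip_interface(server_cidr)
    out = next_hop(client_cidr, str(server.ip), gateway_ip)
    back = next_hop(server_cidr, str(client.ip), gateway_ip)
    if out == back == "direct":
        verdict = "ok: both directions stay on the LAN"
    elif "unreachable" in (out, back):
        verdict = "broken: a host cannot reach its gateway"
    elif out != back:
        # A stateful firewall sees replies without the opening SYN and drops them.
        verdict = "asymmetric: only one direction crosses the firewall"
    else:
        verdict = "routed: both directions cross the firewall"
    return out, back, verdict

if __name__ == "__main__":
    # Constructed values: client 192.168.1.50, gateway 192.168.1.254.
    cases = {
        "correct mask": "192.168.1.133/255.255.255.0",
        "wrong mask": "192.168.1.133/255.255.255.128",
    }
    for label, server in cases.items():
        out, back, verdict = diagnose("192.168.1.50/24", server, "192.168.1.254")
        print(f"{label}: client->server {out}, server->client {back} ({verdict})")
```
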