I’m running pfSense 2.4.5-RELEASE-p1 on a Protectli Vault 4 Port.
I’m attempting to access a ProxMox Admin Dashboard via 192.168.1.133:8006. Each time I try to access that IP:Port the connection times out.
I have Firewall Rules set up to open 8006, 22, 80, and 443. The documentation only requires that 8006 be open. Here is confirmation that the destination host is the correct IP address.
When I monitor the Firewall logs I’m seeing odd behavior. I see 192.168.1.133:8006 trying to talk to various (unknown to me) ports.
That first rule is blocking local private networks, try moving up the 4th rule to 1st … There isn’t a problem accessing Proxmox, I have it running too without any issues. Personally I delete all the rules and add my own so I have some clue of what is going on.
Generally I add my allow rules then my reject rules, except for pfblocker, which adds its rules first.
I’d use an alias for those ports, otherwise you end up with loads of rules when one can do the same job.
So did you create the NAT rules from the NAT tab in Firewall -> NAT -> Port Forward? If not, then I would remove what you have in the WAN now and try that, and for now just allow any port to that server just to see if you can reach it. Then lock it down as you see fit. Also, what outbound mode are you using?
Further to what @xMAXIMUSx says, also double check that under Interfaces > LAN > Reserved Networks both check boxes are blank. I think those firewall rules are a result of this setting … there are some scenarios where these need to be enabled, but in the usual case these are unmarked (at least in my setup).
xMAXIMUSx is correct.
If you’re trying to allow traffic from outside to come into your network, you need to create what’s called a “Port Forward”.
Do this from the same “Firewall” menu, but go to NAT instead of Rules.
You should land on the “Port Forward” tab.
Create a new rule in there.
Select the interface which the traffic is landing on. This will most likely be your WAN interface.
Leave protocol as TCP, since you indicated that this uses TCP port 8006.
Destination Port range, type 8006 into both boxes. This means you have a destination range of 8006 to 8006.
Redirect target is the private IP address of your internal server. So that’s 192.168.1.133.
Redirect target port is 8006 again.
Make sure the “Filter Rule Association” is set to “Add Associated filter rule”. This will create the firewall rule that you created manually.
Then click save.
That should solve your problem.
If you need to make any changes later on, be sure to change this in the NAT screen and not the rules screen, since any changes you make in the NAT/Port Forward screen will automatically update the associated filter rule too.
This negates the need for you to remove the BOGON networks check boxes in the interface tab as well as removing the rules in your firewall to allow the traffic in. You want to leave those in place since they offer you some protection on your WAN side.
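
Added example, not part of any post in this thread: a simplified Python model of what the thread describes, with NAT applied before first-match filtering on WAN, showing why the port forward works with the "block private networks" rule left in place and why a filter rule alone does not. The WAN address and client addresses are constructed placeholders, and the rule list is an illustration, not pfSense's generated ruleset.

```python
import ipaddress

# Sources rejected by the WAN "Block private networks" option (IPv4 ranges only).
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "100.64.0.0/10")]

WAN_ADDR = "198.51.100.2"  # constructed placeholder for the firewall's WAN address

# Port forward from the steps above: WAN tcp/8006 -> 192.168.1.133:8006.
PORT_FORWARDS = [{"dport": 8006, "target": "192.168.1.133", "tport": 8006}]

# WAN rules in evaluation order; the first matching rule decides.
WAN_RULES = [
    {"action": "block", "src": PRIVATE, "label": "block private networks"},
    {"action": "pass", "dst": "192.168.1.133", "dport": 8006,
     "label": "pass to 192.168.1.133:8006"},
]

def evaluate(src, dport, forwards=PORT_FORWARDS, rules=WAN_RULES):
    """Return (action, matched rule label, final destination) for a TCP
    packet arriving at the WAN address from `src` on port `dport`."""
    dst = WAN_ADDR
    # NAT runs before filtering, so the rules see the translated destination.
    for fwd in forwards:
        if fwd["dport"] == dport:
            dst, dport = fwd["target"], fwd["tport"]
            break
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if "src" in rule and not any(src_ip in net for net in rule["src"]):
            continue
        if "dst" in rule and rule["dst"] != dst:
            continue
        if "dport" in rule and rule["dport"] != dport:
            continue
        return rule["action"], rule["label"], dst
    return "block", "default deny", dst

if __name__ == "__main__":
    print(evaluate("203.0.113.10", 8006))               # public client, forward present
    print(evaluate("192.168.1.50", 8006))               # private source arriving on WAN
    print(evaluate("203.0.113.10", 8006, forwards=[]))  # filter rule only, no port forward
```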