Netgate Discussion Forum

    Port 80 not forwarding

    NAT
    • johnpoz LAYER 8 Global Moderator @Bob.Dig

      @bob-dig

      So let's get your theory correct: there is a "bug or problem" in pfSense that doesn't log traffic it sees, but only on port 80.

      Logs all other traffic, just not 80. Does that make sense???

      Or is it more likely that, since your rule is not showing it has been evaluated, you have another rule or state that is handling the traffic that is set not to log?

      Since for one, I just showed you it doing exactly what it is supposed to do via my 30 second test to port 80.

      And what does that have to do with NOT seeing anything to 443?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • Bob.Dig LAYER 8 @johnpoz

        @johnpoz 443 is totally not clear where the problem comes from, but port 80 doesn't log although it is the highest floating rule with quick and was seen in the capture (other than 443), so at least this looks like a problem in my pfSense. And if one thing is not correct there might be others.

        But if you have another opinion on port 80, let me know. I even reset the state table before testing.

        And I didn't say that this is a general problem, I just said that, once again, my pfSense is hosed. And I might have to look elsewhere, I have to add, unless you have an explanation, because again, not the first time. I do run it virtually though, maybe part of the problem...

        • johnpoz LAYER 8 Global Moderator @Bob.Dig

          @bob-dig One thing that comes to mind that would cause exactly what you're seeing is a port forward on 80 that has a state created.

          States are evaluated before rules.

          So if there is a state open for 80, then now your new block/reject rule would not be evaluated, nor would that rule log any traffic.

          You said you cleared states? Maybe it didn't clear? Maybe you cleared the wrong one?


          • Bob.Dig LAYER 8 @johnpoz

            @johnpoz I did reset the whole state table. Also I did reboot pfSense now several times.
            I also tried your test site, giving the same results.
            Also, for an incoming TCP connection on port 80 with a reject, do states really matter? But as you know, I have no greater knowledge about networking, I only do it for the fun, of which I have had plenty with pfSense so far.

            • johnpoz LAYER 8 Global Moderator @Bob.Dig

              @bob-dig said in Port 80 not forwarding:

              do states really matter?

              Yes!!! States are evaluated before rules be it floating or on the interface.


              • Bob.Dig LAYER 8 @johnpoz

                @johnpoz Problem solved... 😥 There is one thing done before firewall rules and that is port forwards, and I had one I had forgotten, pointing to a machine but with no firewall rules....

                I could slap myself and I will, ty John for your patience.

                • johnpoz LAYER 8 Global Moderator @Bob.Dig

                  @bob-dig said in Port 80 not forwarding:

                  pointing to a machine but with no firewallrules....

                  That could cause it, but if you had no rule to allow it, it should have been logged by the default logging rule.

                  But your floating rule to WAN address wouldn't have triggered, because the forward was evaluated and said to send it to some internal IP, on some other port even..

                  edit: In all my years using pfsense and frequenting this board, when it comes to port forwarding, I cannot recall an issue that was not PEBAC ;)


                  • Bob.Dig LAYER 8 @johnpoz

                    @johnpoz said in Port 80 not forwarding:

                    That could cause it, but if you had no rule to allow it, it should have been logged by the default logging rule.

                    That one I had disabled...

                    • johnpoz LAYER 8 Global Moderator @Bob.Dig

                      @bob-dig said in Port 80 not forwarding:

                      That one I had disabled...

                      So it should have been caught by the default logging.. Do you have that turned off?

                      When the state is being created, it still has to evaluate the rules to validate the traffic is allowed. If you had no rule to allow it, or the rule that allowed it was disabled, then it should hit the default deny rule and be logged. Unless you disabled logging of the default deny.


                      • Bob.Dig LAYER 8 @johnpoz

                        @johnpoz said in Port 80 not forwarding:

                        Unless you disabled logging of the default deny.

                        I have this off because of too much noise; my pfSense is exposed so there is a lot. But for error seeking I should remember to turn it on from now on.

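The packet path johnpoz walks through in the posts above (port forward applied before any filter rule, existing state matched before rules, floating "quick" rule, then a default deny whose logging can be switched off), as a small Python model. This is an added example, not pfSense or pf code and not something posted in the thread: it models only the ordering the posts describe, and the WAN address 198.51.100.7, the internal host 192.168.1.10, the rule names and the log line format are made up for the demonstration.

```python
# Added example: a toy model of pf's inbound evaluation order as described in
# the thread. Not pfSense code; addresses, rule names and log format are assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

WAN_ADDRESS = "198.51.100.7"   # assumed WAN IP for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rdr:
    """Port forward: traffic to dst:dport is rewritten to target:tport."""
    dst: str
    dport: int
    target: str
    tport: int


@dataclass
class Rule:
    name: str
    action: str                 # "pass", "block" or "reject"
    dst: Optional[str]          # None matches any destination
    dport: Optional[int]        # None matches any port
    log: bool = True            # every rule here is treated as "quick"


@dataclass
class Firewall:
    rdrs: List[Rdr] = field(default_factory=list)
    floating: List[Rule] = field(default_factory=list)
    wan_rules: List[Rule] = field(default_factory=list)
    log_default_deny: bool = True
    states: Set[Tuple] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        return (r.dst is None or r.dst == p.dst) and (r.dport is None or r.dport == p.dport)

    def inbound(self, pkt: Packet) -> str:
        # 1. Port forwards are applied first, so a rule written against
        #    "WAN address, port 80" never sees a forwarded packet: its
        #    destination has already been rewritten to the internal host.
        for rdr in self.rdrs:
            if pkt.dst == rdr.dst and pkt.dport == rdr.dport:
                pkt = Packet(pkt.src, pkt.sport, rdr.target, rdr.tport)
                break
        # 2. An existing state is matched before any rule, so no rule
        #    (and therefore no rule logging) is consulted at all.
        if self._key(pkt) in self.states:
            return "pass (existing state)"
        # 3. Floating rules, then the interface rules; first match wins.
        for rule in self.floating + self.wan_rules:
            if self._matches(rule, pkt):
                if rule.log:
                    self.log.append(f"{rule.name}: {rule.action} "
                                    f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                if rule.action == "pass":
                    self.states.add(self._key(pkt))
                return f"{rule.action} ({rule.name})"
        # 4. Nothing matched: default deny, logged only when that is enabled.
        if self.log_default_deny:
            self.log.append(f"default deny: block {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "block (default deny)"


def forgotten_forward(log_default_deny: bool, forward_present: bool) -> Tuple[str, List[str]]:
    """Bob.Dig's situation: a logging reject rule for WAN:80 at the top of the
    floating tab, a forgotten port forward for 80 with no pass rule, and the
    default deny logging either on or off."""
    fw = Firewall(log_default_deny=log_default_deny)
    if forward_present:
        fw.rdrs.append(Rdr(WAN_ADDRESS, 80, "192.168.1.10", 80))
    fw.floating.append(Rule("reject-80-on-wan", "reject", WAN_ADDRESS, 80))
    verdict = fw.inbound(Packet("203.0.113.5", 51234, WAN_ADDRESS, 80))
    return verdict, fw.log


def state_shortcut() -> Tuple[str, str, int]:
    """A state created by an earlier pass rule keeps a newly added logging
    block rule from ever being evaluated for that flow."""
    fw = Firewall()
    fw.wan_rules.append(Rule("allow-80", "pass", WAN_ADDRESS, 80))
    probe = Packet("203.0.113.5", 51234, WAN_ADDRESS, 80)
    first = fw.inbound(probe)
    fw.floating.insert(0, Rule("block-80-now", "block", WAN_ADDRESS, 80))
    second = fw.inbound(probe)
    return first, second, len(fw.log)
```

With the forward present and default deny logging off, `forgotten_forward(False, True)` returns `block (default deny)` with an empty log: the floating reject never matched because the destination had already been rewritten, and the only rule that did catch it was silent. Turning default deny logging back on is what would have made the forgotten forward visible.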
                        • Elmojo @johnpoz

                          @johnpoz said in Port 80 not forwarding:

                          You don't need to have anything listening if you're going to sniff to see if the traffic gets to pfSense..

                          I done been hijacked! lol

                          I don't know what to tell you, but if I don't have anything running on my server to "accept" the packets (for lack of a better term), I get an instant 'connection refused' notice when I try the port check. If I start up SWAG or NPM, the port reads as open as expected.
                          I do see that you're referencing the packet sniffer, and I'm talking about the online port checker, so maybe we're talking about 2 different things?
                          All I know (very little!) is that my web services are not being exposed the way they're supposed to be, and I can't figure out why. It's really frustrating.
                          To be clear, I'm fairly sure it's an issue with the way I have things configured, not really a problem with pfsense, per se. As always, the issue is usually an ID10T-error. ;)

                          • johnpoz LAYER 8 Global Moderator @Elmojo

                            @elmojo said in Port 80 not forwarding:

                            I done been hijacked! lol

                            You mean on the thread you hijacked?

                            My point is about having anything "listening" to know if the packets get to you. You do not need anything listening to know if the packets get to the pfSense WAN, which is before anything can be forwarded or not.

                            You can validate that port xyz can get to my WAN IP without anything having to accept it, or that it be forwarded. You just need to sniff on your WAN while you send the traffic: do you see it or not. If you do not see it, then no, pfSense cannot do anything with it.


                            • Elmojo @johnpoz

                              @johnpoz said in Port 80 not forwarding:

                              You mean on the thread you hijacked?

                              Well, kinda, except that my post was several months after the last comment by the OP, so I felt pretty safe that I wasn't interrupting anything. lol

                              I see what you mean about sniffing the packets on the WAN, but that doesn't really tell me if the port is actually forwarded or not...does it? Only once I can run the port checker from an external web site and get an "okay, I see you" response can I be sure it's really forwarded. At least that's the best I can do with my limited knowledge. I'm sure others (such as yourself) can check many other ways to see if the port is forwarding or not.
                              For those purposes, it seems that I must have a service running on my server side. I don't understand how that could be, maybe you can explain it? All I know is that it wasn't working until I turned on that docker, then it was. 🤷

                              • johnpoz LAYER 8 Global Moderator @Elmojo

                                @elmojo said in Port 80 not forwarding:

                                doesn't really tell me if the port is actually forwarded or not.

                                Nobody said it would.. But pfSense cannot forward something it cannot see. So if you're having issues with port forwarding, really the first thing to do is validate pfSense actually sees traffic to the port you're wanting to forward.

                                "okay, I see you" response,

                                Are you sure the answer came from you, or something upstream of pfSense? I could see one scenario right off the top.

                                You have a NAT router in front of pfSense with its remote admin turned on, say port 443.. You go to can you see me, and check "hey, this IP I'm coming from, send SYN to 443".. You get back OK, but pfSense never saw the traffic because your NAT router in front of pfSense answered that; pfSense never saw it.

                                If you port forwarded something and its "NOT WORKING" then really the first thing to check is that pfsense actually saw the traffic in the first place. To check if pfsense can see inbound traffic to port xyz, you do not need anything listening or forwarded to check that aspect of it.


                                • Elmojo @johnpoz

                                  @johnpoz
                                  I think I get you, but the whole point of this exercise is to verify that the ports are indeed open to the internet, so that whatever I do next (say, publish a web site) will actually work. I've been able to validate that pfsense is indeed seeing the incoming traffic, using the methods you taught me. The only issue now is why I have to have a live service running on the "inside" (server) in order for that port check to work. That's what's baffling me. According to everything you've said, and what I've read online from other sources, that shouldn't be necessary.

                                  As for the possibility of another device intercepting the traffic, I don't know what else it would be. The only thing plugged in upstream of my pfsense is my modem. It's a DSL router/modem that's been bridged, so it really should be nothing but a simple modem at this point. I finally have pfsense accepting the PPPoE credentials, so I'm fairly sure that part is working. Is there a way to check that? The part about something else hijacking port 443, I mean.

                                  Regardless, I am able to open both ports 80 and 443 successfully, IF I also spin up the container on my server that will use those ports, so the preceding paragraph may be moot. lol

                                  • Mr Traxson

                                    Wow, I kind of forgot about this thread since I got really really sick with covid. After dying for about 4 weeks, I was able to get it working. It turned out pfsense was port forwarding properly; the testing websites I was using to see if the port forward was working were giving me false information. Pfsense works great, port testing websites.. not so much. XD

                                    • Elmojo @Mr Traxson

                                      @mr-traxson
                                      Sorry to hear about your COVID battle. Glad you won! ;)
                                      Which site(s) were you using to check ports?

                                      • Mr Traxson @Elmojo

                                        @elmojo I was using https://portchecker.co/

                                        • Elmojo @Mr Traxson

                                          @mr-traxson
                                          Ah. Yeah, that one has led me astray in the past as well. canyouseeme or yougetsignal are the ones I typically use.
                                          Glad to hear you got your issues all sorted out, both digital and medical. :)

                                          • johnpoz LAYER 8 Global Moderator @Elmojo

                                            @elmojo said in Port 80 not forwarding:

                                            That's what's baffling me. According to everything you've said, and what I've read online from other sources, that shouldn't be necessary.

                                             Huh? I have no idea what you're thinking... But to actually validate something got some traffic and ANSWERED it, you would have to have something listening for that traffic.

                                             You can check that pfSense saw the traffic, and you can validate pfSense sent that traffic on where you told it to (via sniff on the LAN side port). As long as there is an IP that pfSense can ARP for where you're trying to send it.

                                             But if pfSense sends it on to that IP, and nothing is listening there, there wouldn't be an answer.. Not unless the OS is set up to send a redirect, "hey, nothing here listening on that IP". But normally OSes would not do that if the source IP is not local.. That's bad to do if not a local IP.. Such a test is great for finding that maybe the client you're forwarding to is running a firewall, or it's not using pfSense as its gateway, etc.

                                             You could validate that where you sent it got it via doing a sniff on that device. But if you want some outside testing site to say hey something answered, then yes, something would have to answer.

                                             BTW testing UDP is going to be nothing but problematic, whether you have something answer or not. I wouldn't trust any outside testing site to give you a valid answer if you're trying to test UDP.. You would need to see the sniff for the inbound traffic, and then see the outbound response..


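The sequence of checks johnpoz lays out across the last several posts (did the SYN reach the WAN, did pfSense send it on to the forward target, did the target answer, and did that answer leave via the WAN), applied to tcpdump output. This is an added example, not from the thread and not a pfSense tool: it parses the plain-text lines that `tcpdump -n` prints for TCP, and the two captures, the outside prober 203.0.113.5, the WAN address 198.51.100.7 and the internal target 192.168.1.10 are constructed for the demonstration. The port 80 capture models the "connection refused" case Elmojo saw with nothing listening on the server; port 443 models a port pfSense sees but does not forward.

```python
# Added example: decision tree from the thread applied to tcpdump -n lines
# captured on the WAN and LAN sides of pfSense. Captures below are constructed.
import re
from typing import Dict, List, NamedTuple

# Start of a tcpdump -n TCP line, e.g.
#   12:00:01.000100 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 100, ...
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


class Pkt(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump flag letters: S=SYN, .=ACK, R=RST, P=PSH, F=FIN


def parse(lines: List[str]) -> List[Pkt]:
    """Parse tcpdump text output; non-TCP or unparseable lines are skipped."""
    out = []
    for line in lines:
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            out.append(Pkt(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return out


# Constructed captures, as "tcpdump -ni <wan>" and "tcpdump -ni <lan>" would print
# while 203.0.113.5 probes ports 80 and 443 on the WAN IP. Port 80 is forwarded to
# 192.168.1.10 where nothing listens (so it answers RST); 443 has no forward.
WAN_CAPTURE = [
    "12:00:01.000100 IP 203.0.113.5.51234 > 198.51.100.7.80: Flags [S], seq 100, win 64240, length 0",
    "12:00:01.000200 IP 203.0.113.5.51235 > 198.51.100.7.443: Flags [S], seq 200, win 64240, length 0",
    "12:00:01.000500 IP 198.51.100.7.80 > 203.0.113.5.51234: Flags [R.], seq 0, ack 101, win 0, length 0",
]
LAN_CAPTURE = [
    "12:00:01.000300 IP 203.0.113.5.51234 > 192.168.1.10.80: Flags [S], seq 100, win 64240, length 0",
    "12:00:01.000400 IP 192.168.1.10.80 > 203.0.113.5.51234: Flags [R.], seq 0, ack 101, win 0, length 0",
]


def diagnose(wan_lines: List[str], lan_lines: List[str], wan_ip: str, port: int,
             target_ip: str, target_port: int) -> Dict[str, object]:
    wan, lan = parse(wan_lines), parse(lan_lines)
    # Step 1: a bare SYN to wan_ip:port must show up on the WAN sniff at all.
    syns = [p for p in wan if p.dst == wan_ip and p.dport == port and p.flags == "S"]
    r: Dict[str, object] = {"seen_on_wan": bool(syns), "forwarded": False,
                            "answer": None, "replied_on_wan": False}
    for syn in syns:
        # Step 2: the same source socket heading to the forward target on the LAN
        # sniff (a plain port forward keeps the original source address).
        r["forwarded"] = r["forwarded"] or any(
            p.src == syn.src and p.sport == syn.sport and p.dst == target_ip
            and p.dport == target_port and p.flags == "S" for p in lan)
        # Step 3: did the target answer, and with SYN-ACK (listening) or RST (refused)?
        for p in lan:
            if (p.src, p.sport, p.dst, p.dport) == (target_ip, target_port, syn.src, syn.sport):
                r["answer"] = "syn-ack" if p.flags == "S." else ("rst" if "R" in p.flags else p.flags)
        # Step 4: the translated reply should leave the WAN with the WAN IP as source.
        r["replied_on_wan"] = r["replied_on_wan"] or any(
            p.src == wan_ip and p.sport == port and p.dst == syn.src and p.dport == syn.sport
            for p in wan)
    return r


def explain(r: Dict[str, object]) -> str:
    """Turn the four checks into the verdict the thread's reasoning leads to."""
    if not r["seen_on_wan"]:
        return "pfSense never saw the SYN: something upstream answered or dropped it"
    if not r["forwarded"]:
        return "pfSense saw the SYN but did not forward it: check the NAT rule, its firewall rule and the state table"
    if r["answer"] is None:
        return "forwarded, but the target never answered: host firewall, wrong gateway, or no such host"
    if r["answer"] == "rst":
        return "forwarded and the target refused: nothing is listening on the target port"
    if not r["replied_on_wan"]:
        return "target answered but the reply never left the WAN: target is not routing back through pfSense"
    return "port forward works end to end"
```

Running `explain(diagnose(WAN_CAPTURE, LAN_CAPTURE, "198.51.100.7", 80, "192.168.1.10", 80))` gives the "target refused" verdict: the forward itself is fine and an outside port checker would still report the port closed until something listens, which is johnpoz's point that a checker site only proves something answered. The 443 probe reaches the WAN but never appears on the LAN side, so the problem is in pfSense's NAT or rules rather than upstream. UDP has no SYN or RST to key on, so this parser deliberately handles TCP only.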
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.