Netgate Discussion Forum

    Can't get port forward to work correctly.

    31 Posts 4 Posters 2.8k Views
    • V
      viragomann @lolipoplo
      last edited by

      @lolipoplo said in Can't get port forward to work correctly.:

      if you have port forwarding working, outbound NAT doesn't matter.

      Some programs need this, like several games. Maybe QBittorrent as well. I don't know how it works, as I mentioned above.
      But it's for sure that QBittorrent also makes upstream connections, and these have nothing to do with forwarding at all.

      So I presume you know QBittorrent well and can possibly give more reliable info.

      • U
        undertaker666 @viragomann
        last edited by

        @viragomann @lolipoplo said in Can't get port forward to work correctly.:

        tcpdump -nettti pflog0 port 8010 and then run an external syn scan on 8010

        Actually, once I turned off pfBlockerNG, parsec managed to connect to a host game. So those ports are fine.

        The problem is with the torrent, it's better, it's actually seeding now, and it actually reached 300 KB/s, but it does not stay at those speeds, and there's more downtime than actual seeding.

        Maybe QBittorrent as well

        Well, I already had outbound set up, so that's not what's stopping it. The question is why is pfBlockerNG ignoring the rule order, and even with it turned off, why are connections not sticking as they used to?

        • L
          lolipoplo @undertaker666
          last edited by

          @undertaker666
          So have you tried pflog as I suggested?

          Actually, run tcpdump on the WAN port at the same time to compare incoming and rule matching.

          • U
            undertaker666 @lolipoplo
            last edited by

            @lolipoplo No, because you suggested running the tcpdump on the parsec port, and that is solved by just turning off pfBlockerNG.

            I could run the tcpdump on the qbittorrent port and see what happens.

            • U
              undertaker666 @undertaker666
              last edited by undertaker666

              @undertaker666

              tcpdump -nettti pppoe0 port 59372 -vv
              tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
               00:00:00.000000 AF IPv4 (2), length 56: (tos 0x2,ECT(0), ttl 63, id 28582, offset 0, flags [none], proto TCP (6), length 52)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [SEW], cksum 0xbecc (correct), seq 2428356104, win 62720, options [mss 8960,nop,wscale 8,nop,nop,sackOK], length 0
               00:00:00.013465 AF IPv4 (2), length 48: (tos 0x2,ECT(0), ttl 254, id 6409, offset 0, flags [DF], proto TCP (6), length 44)
                  172.16.1.0.59372 > My-WAN.31533: Flags [S.], cksum 0x9772 (correct), seq 4044710442, ack 2428356105, win 4200, options [mss 1400], length 0
               00:00:00.000241 AF IPv4 (2), length 44: (tos 0x0, ttl 63, id 28583, offset 0, flags [none], proto TCP (6), length 40)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [.], cksum 0xc3ca (correct), seq 1, ack 1, win 64400, length 0
               00:00:00.003992 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28584, offset 0, flags [none], proto TCP (6), length 201)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
               00:00:00.302961 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28585, offset 0, flags [none], proto TCP (6), length 201)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
               00:00:00.394904 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28586, offset 0, flags [none], proto TCP (6), length 201)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
               00:00:00.699004 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28587, offset 0, flags [none], proto TCP (6), length 201)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
               00:00:00.589524 AF IPv4 (2), length 56: (tos 0x2,ECT(0), ttl 63, id 36468, offset 0, flags [none], proto TCP (6), length 52)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [SEW], cksum 0x442d (correct), seq 3544223184, win 62720, options [mss 8960,nop,wscale 8,nop,nop,sackOK], length 0
               00:00:00.013934 AF IPv4 (2), length 48: (tos 0x2,ECT(0), ttl 254, id 9436, offset 0, flags [DF], proto TCP (6), length 44)
                  172.16.2.0.59372 > My-WAN.60033: Flags [S.], cksum 0x3e54 (correct), seq 3004006065, ack 3544223185, win 4200, options [mss 1400], length 0
               00:00:00.000178 AF IPv4 (2), length 44: (tos 0x0, ttl 63, id 36469, offset 0, flags [none], proto TCP (6), length 40)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [.], cksum 0x6aac (correct), seq 1, ack 1, win 64400, length 0
               00:00:00.005371 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36470, offset 0, flags [none], proto TCP (6), length 493)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
               00:00:00.385924 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36471, offset 0, flags [none], proto TCP (6), length 493)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
               00:00:00.304076 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28593, offset 0, flags [none], proto TCP (6), length 201)
                  My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
               00:00:00.095936 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36472, offset 0, flags [none], proto TCP (6), length 493)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
               00:00:00.218016 AF IPv4 (2), length 44: (tos 0x0, ttl 254, id 10875, offset 0, flags [DF], proto TCP (6), length 40)
                  172.16.1.0.59372 > My-WAN.31533: Flags [R.], cksum 0xbf57 (correct), seq 1, ack 1, win 0, length 0
               00:00:00.476972 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36477, offset 0, flags [none], proto TCP (6), length 493)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
               00:00:01.204971 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36480, offset 0, flags [none], proto TCP (6), length 493)
                  My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
               00:00:00.323059 AF IPv4 (2), length 44: (tos 0x0, ttl 254, id 13669, offset 0, flags [DF], proto TCP (6), length 40)
                  172.16.2.0.59372 > My-WAN.60033: Flags [R.], cksum 0x6639 (correct), seq 1, ack 1, win 0, length 0
              
              

              Here's a small output of that command.

              The weird thing is, when I do canyouseeme, it shows me another public IP than what is shown in the WAN interface on my pfSense box.
              Both are public IPs, and I tested both, and now they say closed.

              • L
                lolipoplo @undertaker666
                last edited by

                @undertaker666

                If you aren't willing to do tcpdump on pflog0, you can't see how your packets get blocked.

                • U
                  undertaker666 @lolipoplo
                  last edited by

                  @lolipoplo Look up

                  • L
                    lolipoplo @undertaker666
                    last edited by

                    @undertaker666 where?

                    • U
                      undertaker666 @undertaker666
                      last edited by

                      @undertaker666 said in Can't get port forward to work correctly.:

                      @undertaker666

                      tcpdump -nettti pppoe0 port 59372 -vv
                      tcpdump: listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
                       00:00:00.000000 AF IPv4 (2), length 56: (tos 0x2,ECT(0), ttl 63, id 28582, offset 0, flags [none], proto TCP (6), length 52)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [SEW], cksum 0xbecc (correct), seq 2428356104, win 62720, options [mss 8960,nop,wscale 8,nop,nop,sackOK], length 0
                       00:00:00.013465 AF IPv4 (2), length 48: (tos 0x2,ECT(0), ttl 254, id 6409, offset 0, flags [DF], proto TCP (6), length 44)
                          172.16.1.0.59372 > My-WAN.31533: Flags [S.], cksum 0x9772 (correct), seq 4044710442, ack 2428356105, win 4200, options [mss 1400], length 0
                       00:00:00.000241 AF IPv4 (2), length 44: (tos 0x0, ttl 63, id 28583, offset 0, flags [none], proto TCP (6), length 40)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [.], cksum 0xc3ca (correct), seq 1, ack 1, win 64400, length 0
                       00:00:00.003992 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28584, offset 0, flags [none], proto TCP (6), length 201)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
                       00:00:00.302961 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28585, offset 0, flags [none], proto TCP (6), length 201)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
                       00:00:00.394904 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28586, offset 0, flags [none], proto TCP (6), length 201)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
                       00:00:00.699004 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28587, offset 0, flags [none], proto TCP (6), length 201)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
                       00:00:00.589524 AF IPv4 (2), length 56: (tos 0x2,ECT(0), ttl 63, id 36468, offset 0, flags [none], proto TCP (6), length 52)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [SEW], cksum 0x442d (correct), seq 3544223184, win 62720, options [mss 8960,nop,wscale 8,nop,nop,sackOK], length 0
                       00:00:00.013934 AF IPv4 (2), length 48: (tos 0x2,ECT(0), ttl 254, id 9436, offset 0, flags [DF], proto TCP (6), length 44)
                          172.16.2.0.59372 > My-WAN.60033: Flags [S.], cksum 0x3e54 (correct), seq 3004006065, ack 3544223185, win 4200, options [mss 1400], length 0
                       00:00:00.000178 AF IPv4 (2), length 44: (tos 0x0, ttl 63, id 36469, offset 0, flags [none], proto TCP (6), length 40)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [.], cksum 0x6aac (correct), seq 1, ack 1, win 64400, length 0
                       00:00:00.005371 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36470, offset 0, flags [none], proto TCP (6), length 493)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
                       00:00:00.385924 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36471, offset 0, flags [none], proto TCP (6), length 493)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
                       00:00:00.304076 AF IPv4 (2), length 205: (tos 0x0, ttl 63, id 28593, offset 0, flags [none], proto TCP (6), length 201)
                          My-WAN.31533 > 172.16.1.0.59372: Flags [P.], cksum 0xc832 (correct), seq 1:162, ack 1, win 64400, length 161
                       00:00:00.095936 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36472, offset 0, flags [none], proto TCP (6), length 493)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
                       00:00:00.218016 AF IPv4 (2), length 44: (tos 0x0, ttl 254, id 10875, offset 0, flags [DF], proto TCP (6), length 40)
                          172.16.1.0.59372 > My-WAN.31533: Flags [R.], cksum 0xbf57 (correct), seq 1, ack 1, win 0, length 0
                       00:00:00.476972 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36477, offset 0, flags [none], proto TCP (6), length 493)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
                       00:00:01.204971 AF IPv4 (2), length 497: (tos 0x0, ttl 63, id 36480, offset 0, flags [none], proto TCP (6), length 493)
                          My-WAN.60033 > 172.16.2.0.59372: Flags [P.], cksum 0x62af (correct), seq 1:454, ack 1, win 64400, length 453
                       00:00:00.323059 AF IPv4 (2), length 44: (tos 0x0, ttl 254, id 13669, offset 0, flags [DF], proto TCP (6), length 40)
                          172.16.2.0.59372 > My-WAN.60033: Flags [R.], cksum 0x6639 (correct), seq 1, ack 1, win 0, length 0
                      
                      

                      Here's a small output of that command.

                      The weird thing is, when I do canyouseeme, it shows me another public IP than what is shown in the WAN interface on my pfSense box.
                      Both are public IPs, and I tested both, and now they say closed.

                      here

                      • L
                        lolipoplo @undertaker666
                        last edited by

                        @undertaker666 I only see pppoe0, where's pflog0?

                        • U
                          undertaker666 @lolipoplo
                          last edited by undertaker666

                          @lolipoplo pflog0 was empty, no matches.

                          • L
                            lolipoplo @undertaker666
                            last edited by

                            @undertaker666

                            pfSense has logging on for all of the default block/reject rules.

                            If pflog is empty, this probably means your port forwarding is working, provided you do not have silent block/reject rules.

                            One more sanity check: go to your associated pass rules for NAT and enable logging, then listen to pflog0 again to make sure they are matched.

                            • U
                              undertaker666 @lolipoplo
                              last edited by

                              @lolipoplo Still empty, and I could see almost nothing hits the rule in the auth screen as well.

                              Even though I ran a check from an online service to see if it's open or not, it did not register, and the test came back as closed.

                              Something is very weird here. I already did such a check before that returned open, so I'm not sure what happened.

                              • U
                                undertaker666 @lolipoplo
                                last edited by

                                @lolipoplo

                                 00:00:39.893213 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 39453, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 123.139.94.40.16379: [udp sum ok] UDP, length 104
                                 00:11:15.697052 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 41593, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 123.139.94.40.16379: [udp sum ok] UDP, length 104
                                 01:27:00.579015 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 24615, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62214: [udp sum ok] UDP, length 104
                                 00:00:00.296683 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 24616, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62224: [udp sum ok] UDP, length 104
                                 00:14:59.783329 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 63138, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62214: [udp sum ok] UDP, length 104
                                 00:04:14.623627 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 63139, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.52601: [udp sum ok] UDP, length 104
                                 00:10:46.028208 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 21564, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.1: [udp sum ok] UDP, length 104
                                 00:00:00.290588 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 21565, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62224: [udp sum ok] UDP, length 104
                                 00:00:01.600105 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 21566, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62224: [udp sum ok] UDP, length 104
                                 00:14:58.004355 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 6150, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.52601: [udp sum ok] UDP, length 104
                                 00:00:00.162623 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 6151, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.1: [udp sum ok] UDP, length 104
                                 00:00:00.154916 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 6152, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62386: [udp sum ok] UDP, length 104
                                 00:00:01.225057 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 6153, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62320: [udp sum ok] UDP, length 104
                                 00:14:58.611751 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 47222, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62320: [udp sum ok] UDP, length 104
                                 00:00:01.804954 rule 51/0(match) [ridentifier 1000000119]: block in on em1: (tos 0x0, ttl 64, id 47223, offset 0, flags [none], proto UDP (17), length 132)
                                    192.168.55.100.59372 > 45.190.158.201.62386: [udp sum ok] UDP, length 104
                                 00:33:32.433578 rule 4/0(match) [ridentifier 1000000103]: block in on pppoe0: (tos 0x28, ttl 110, id 63739, offset 0, flags [none], proto TCP (6), length 52)
                                    154.16.174.207.59372 > My-WAN-IP.54296: Flags [S], cksum 0x05da (correct), seq 3626588183, win 65142, options [mss 1287,nop,wscale 8,nop,nop,sackOK], length 0
                                 00:00:01.010321 rule 4/0(match) [ridentifier 1000000103]: block in on pppoe0: (tos 0x28, ttl 110, id 63740, offset 0, flags [none], proto TCP (6), length 52)
                                    154.16.174.207.59372 > My-WAN-IP.54296: Flags [S], cksum 0x05da (correct), seq 3626588183, win 65142, options [mss 1287,nop,wscale 8,nop,nop,sackOK], length 0
                                 00:00:02.000693 rule 4/0(match) [ridentifier 1000000103]: block in on pppoe0: (tos 0x28, ttl 110, id 63741, offset 0, flags [none], proto TCP (6), length 52)
                                    154.16.174.207.59372 > My-WAN-IP.54296: Flags [S], cksum 0x05da (correct), seq 3626588183, win 65142, options [mss 1287,nop,wscale 8,nop,nop,sackOK], length 0
                                 00:07:20.160301 rule 4/0(match) [ridentifier 1000000103]: block in on pppoe0: (tos 0x2a,ECT(0), ttl 113, id 17567, offset 0, flags [none], proto TCP (6), length 52)
                                    188.132.209.91.59372 > My-WAN-IP.38535: Flags [SEW], cksum 0x7a03 (correct), seq 4200447135, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
                                 00:00:06.000334 rule 4/0(match) [ridentifier 1000000103]: block in on pppoe0: (tos 0x28, ttl 113, id 17573, offset 0, flags [none], proto TCP (6), length 52)
                                    188.132.209.91.59372 > My-WAN-IP.38535: Flags [S], cksum 0x7ac3 (correct), seq 4200447135, win 64240, options [mss 1400,nop,wscale 8,nop,nop,sackOK], length 0
                                

                                This is after I left it for a whole night to run.

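Added example, not part of the thread and not pfSense code: a small parser for the two-line records that `tcpdump -nettti pflog0 -vv` prints, grouping matches by action, interface and rule. Because the capture filter `port N` matches the port as source or destination, it also separates packets that arrive on the WAN for the forwarded port from packets that merely use that port as their source. The sample records, addresses, rule numbers and the names `parse_pflog`, `classify` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the two-line layout printed by
# `tcpdump -nettti pflog0 -vv`; addresses, rule numbers and ids are made up.
SAMPLE = """\
 00:00:00.000000 rule 51/0(match) [ridentifier 1000000001]: block in on em1: (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 132)
    192.168.1.50.59372 > 203.0.113.40.16379: [udp sum ok] UDP, length 104
 00:00:01.000000 rule 4/0(match) [ridentifier 1000000002]: block in on pppoe0: (tos 0x28, ttl 110, id 2, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.59372 > 192.0.2.10.54296: Flags [S], cksum 0x05da (correct), seq 1, win 65142, length 0
 00:00:02.000000 rule 4/0(match) [ridentifier 1000000002]: block in on pppoe0: (tos 0x28, ttl 110, id 3, offset 0, flags [none], proto TCP (6), length 52)
    198.51.100.7.59372 > 192.0.2.10.54296: Flags [S], cksum 0x05da (correct), seq 1, win 65142, length 0
 00:00:03.000000 rule 90/0(match) [ridentifier 1700000001]: pass in on pppoe0: (tos 0x0, ttl 55, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.9.40112 > 192.168.1.50.59372: Flags [S], cksum 0x1111 (correct), seq 9, win 64240, length 0
"""

HEADER = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\) \[ridentifier (?P<rid>\d+)\]: "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>[^:\s]+):"
    r".*proto (?P<proto>\w+) \(\d+\)"
)
PACKET = re.compile(r"^\s+(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")


def parse_pflog(text):
    """Pair each rule-match header with the address line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            pending = head.groupdict()
            continue
        pkt = PACKET.match(line)
        if pkt and pending is not None:
            rec = {**pending, **pkt.groupdict()}
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
        # Headers without a port-bearing packet line (e.g. ICMP) are skipped.
        pending = None
    return records


def classify(rec, fwd_port, wan_iface):
    """Say how a logged packet relates to the forwarded port."""
    if rec["iface"] == wan_iface and rec["dir"] == "in" and rec["dport"] == fwd_port:
        return "inbound to forward"
    if rec["sport"] == fwd_port:
        return "source port only"
    return "unrelated"


def summarize(records, fwd_port, wan_iface):
    """Count matches per (action, interface, rule, relation to the forward)."""
    return Counter(
        (r["action"], r["iface"], int(r["rule"]), classify(r, fwd_port, wan_iface))
        for r in records
    )


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_pflog(SAMPLE), 59372, "pppoe0").items()):
        print(n, *key)
```

Save the pflog0 capture to a file and pass its contents to `parse_pflog`; a forward that is being exercised shows up as `pass` rows classified "inbound to forward" once logging is enabled on the associated pass rule.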
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.