Port forward not working
-
@shubakas said in Port forward not working:
In the firewall logs, i can see :
WAN_ETH0 Default deny rule IPv4 (1000000103)So the packet didn't match to any of your rule.
Without seeing more details of the block log, we cannot verify why. -
However if I go to the site:
https://www.yougetsignal.com/tools/open-ports/I put the PUBLIC IP and the port, it tells me that it is closed while the NAT rule indicates that it is open (unless I am mistaken of course)
What details can I add?
-
@shubakas lets see your wan rules.. If your seeing deny on inbound traffic then your wan rules are not allowing it.
Also 2.4.5 is no longer a supported version and quite dated - you should update to current.
Also if your pppoe - is wan_eth0 that connection. Unsolicited inbound traffic to your internet would come in on your pppoe connection would it not..
-
I give you the wan rules
Yes PPOE is wan_eth0.
I don't understand what do you mean when you say :
@johnpoz said in Port forward not working:Unsolicited inbound traffic to your internet would come in on your pppoe connection would it not..
Thanks
-
@shubakas well from that clearly some are working.. For example your ssh forward to .180 see 13 open states for that rule.
And see hits on some of your other rules.
You need to go through the troubleshooting guide to figure out what is wrong..
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
I suggest the packet capture does the traffic actually hit your wan, does pfsense send it on.. If so then the issue is not with pfsense, but with where your sending it - maybe its not listening on that port, maybe its running a firewall, maybe its not using pfsense as its gateway.
pfsense can not forward what it never sees, pfsense has no control over traffic it sends to some internal IP will answer. Or maybe it does answer with a RST, etc..
Unsolicited traffic is something that is not in answer to something you asked for... If I am out on the internet, and just send traffic to your IP on port 22.. This is unsolicited - you didn't talk to me first, etc.
-
I can't find anything, could it be a pfsense bug?
-
@shubakas a bug in what - that traffic never getting to you?
I have been using pfsense really since it first came out.. In all my years using it, and helping people here on the forums I do not recall ever seeing a "bug" in pfsense related to port forwarding not working..
The problem is always something easy to spot.. If you would spend like 2 minutes going through the troubleshooting doc you would know right away why its not working.
This normally comes down to the traffic never even gets to pfsense. Firewall rule on destination device not allowing it, or not even listening on that port, or its not using pfsense as its gateway, etc. Or the forward just done completely wrong, etc.
But let's say you have run into a bug in 2.4.5, which is no longer a supported version.. Do you think that would ever get fixed?
How many vpn solutions do you really need to forward through pfsense? PPTP - died off 10 some years ago.. Why would you be wanting to use that..
You state
I opened ports in the NAT but none are open
But clearly that is not the case.. You show 13 open states for ssh, with 10MB of data moved through that rule.
Why don't you pick one specific thing that is not working - and then run through the troubleshooting guide to figure out where the problem actually is..
-
@johnpoz said in Port forward not working:
Why don't you pick one specific thing that is not working
Probably a good idea. For instance the NAT rules mention 3CX but only a handful of ports are forwarded...5015 is for installs only and SSH is not needed for anything related to voice and probably not a good idea to expose to the entire Internet. No media (audio) or SIP ports are forwarded so voice isn't going to work. Their port list is at https://www.3cx.com/docs/ports/. [we're a 3CX partner]
-
The 3CX rules were made by the company that manages the telephony.
For example port 5001 is open while port 1723 is not, yet the NAT rules and the rules are identical.I took the time to read the troubleshooting doc page but I couldn't find any leads (I'm probably bad but I don't know how to do it).
I'm not a Pfsense expert that's why I came here looking for help.For the moment I don't want to debate which ports are open or not, I just want to understand why some work and others don't when everything was done the same way.
THANKS
-
@shubakas said in Port forward not working:
and others don't when everything was done the same way.
Again so go through the doc do the sniffing for example, do you see the port hit your wan.. Take a packet capture when you generate traffic from the outside.. Does pfsense even see this traffic.
Ok now sniff on the lan side interface that will be used to talk to where your forwarding - do you see this traffic? If so then pfsense did what it was told and forwarded the traffic - and your issue lays elsewhere.
What specific is not working - and troubleshoot that 1 thing.. Saying stuff doesn't work, or none of it works isn't going to help track down the problem. You state none of the port forwards are working for example - yet from what you posted that clearly is not true. Since for example your ssh forward shows 13 active states.. So clearly ssh was forwarded through if not there could be no state..
Lets take any of those tcp ports for example 1723, 5015, 232, 5001, or 80.. Now go to can you see me . org and generate traffic to one of those ports while you do the sniffing (packet capture on pfsense) as mentioned in the doc.. Do you see the traffic hit pfsense wan? Do you see pfsense send on the traffic to where your forwarding it?
-
Yes ports 5001, 80 and 22 are open.
For example port 1701 is considered closed by "can you see me.org"
In the WAN traffic I see the connection attempt with the message: WAN_ETH0 Default deny rule IPv4 (1000000103)I do not see anything else.
Thanks
-
Packet capture say :
11:20:27.583390 IP 52.202.215.126.50209 > my_IP.1701: tcp 0 -
@shubakas said in Port forward not working:
For example port 1701 is considered closed by "can you see me.org"
That's what I would expect. You have only allowed UDP on port 1701, but me.org tries TCP connection.
And I guess it's not capable of doing UDP tests. -
Sorry but I am experiencing an internet outage with recovery scheduled for 02/28