Netgate Discussion Forum

    Port Forward does not work..

    • Bob.DigB
      Bob.Dig LAYER 8 @root1ng

      @root1ng Disable this checkbox on all the VM NICs, on your pfSense and your Linux Server.

      I am running TS on a Linux VM (Debian) behind a pfSense VM on Proxmox too, it is running fine for me, just checked. 😉

      • R
        root1ng LAYER 8 @Bob.Dig

        @Bob-Dig said in Port Forward does not work..:

        @root1ng Disable this checkbox on all the VM NICs, on your pfSense and your Linux Server.

        I am running TS on a Linux VM (Debian) behind a pfSense VM on Proxmox too, it is running fine for me, just checked. 😉

        Deactivated but without result..

        edit: And I gave a restart to be sure of both

        • Bob.DigB
          Bob.Dig LAYER 8 @root1ng

          @root1ng Maybe the host firewall, what Linux are you using exactly?
          Maybe a routing problem, you could show us your proxmox network.

          In the beginning you had no hits at all on your rules. Have you fixed something or is your testing flawed otherwise? Send me your IP, I will check if I can connect.

          Also show your rules on that VM's LAN.

          • R
            root1ng LAYER 8 @Bob.Dig

            @Bob-Dig said in Port Forward does not work..:

            @root1ng Maybe the host firewall, what Linux are you using exactly?
            Maybe a routing problem, you could show us your proxmox network.

            In the beginning you had no hits at all on your rules. Have you fixed something or is your testing flawed otherwise? Send me your IP, I will check if I can connect.

            Also show your rules on that VM's LAN.

            Datacenter, Node and all VMs firewalls are disabled;
            I am using Ubuntu Server Pro 22.04.03;
            Proxmox network attached:
            Screenshot_9.png
            The idea is that traffic appears in pfSense to the rules in the firewall, but only when I check the ports.
            My IP sent privately in dm.

            TeamSpeak3 Server VM Networking:
            Screenshot_10.png

            • Bob.DigB
              Bob.Dig LAYER 8 @root1ng

              @root1ng Why is Firewall still checked? Disable it. Also show your pfSense LAN rules for that Linux VM.

              • R
                root1ng LAYER 8 @Bob.Dig

                @Bob-Dig said in Port Forward does not work..:

                @root1ng Why is Firewall still checked? Disable it. Also show your pfSense LAN rules for that Linux VM.

                I told you that I deactivated them earlier and I deactivate them for nothing. Nothing happens

                • Bob.DigB
                  Bob.Dig LAYER 8 @root1ng

                  @root1ng It looks like your linux VM is in the Management network?

                  • R
                    root1ng LAYER 8 @Bob.Dig

                    @Bob-Dig said in Port Forward does not work..:

                    @root1ng Why is Firewall still checked? Disable it. Also show your pfSense LAN rules for that Linux VM.

                    This is what you are talking about?
                    Screenshot_11.png

                    • Bob.DigB
                      Bob.Dig LAYER 8 @root1ng

                      @root1ng Yep, that is good.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @root1ng

                        @root1ng if you're not seeing the test from the outside on your .6 box, but you're seeing it from your local .5 box.. When clearly pfsense sent the traffic on.. then you have something filtering it..

                        Even if the firewall on the vm was filtering it from the application, the sniff should still show it.

                        Pfsense has no job other than to send the traffic to the IP you say to send it to - it has no control after it puts the traffic on the wire.. Clearly it's putting it on the wire from your sniff. If you're not seeing it at the end device. Is it sending it to the correct mac, have to assume so since you say that other 33 port is working.

                        Even had some firewall blocking it on pfsense on outbound direction, on your lan - the sniff you show on the lan side interface showing it was sent wouldn't show that if you had say a floating rule blocking it in the outbound connection..

                        You have something preventing the 9987 from getting to your VM, if you sniff and see pfsense put it on the wire, but your VM never sees it. Even if the vm wasn't listening or had a firewall blocking it.. The sniff should show that that traffic got there. So maybe you have something in your VM host preventing from sending it on to the VM, or sending it to the wrong vm.. Or something else filtering traffic from getting there - acl on a switch? Something in wifi if that is in use..

                        But if pfsense put it on the wire, pfsense job is done.. There is nothing else for pfsense to do..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • Bob.DigB
                          Bob.Dig LAYER 8 @johnpoz

                          @johnpoz Yeah, I could even connect to it, only OP can't do it to the public IP.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @Bob.Dig

                            @Bob-Dig I no longer have my proxmox box to play with, so I can not test anything with proxmox.. But from what he shows pfsense put the traffic on the wire - if the destination is not getting it, that's nothing to do with pfsense.

                            I would sniff on proxmox host to validate the traffic gets to it.. Then you for sure would know that it's proxmox where the problem is.

                            edit: I even validated if you have a floating rule outbound to block it, would pfsense sniff maybe show going out the wire, even though it really wasn't

                            And when I block it with an outbound floating rule on the lan, the sniff never shows it going anywhere.. So it can't even be something like that.. Because he shows a sniff on pfsense sending on the traffic

                            • R
                              root1ng LAYER 8 @johnpoz

                              @johnpoz said in Port Forward does not work..:

                              @Bob-Dig I no longer have my proxmox box to play with, so I can not test anything with proxmox.. But from what he shows pfsense put the traffic on the wire - if the destination is not getting it, that's nothing to do with pfsense.

                              I would sniff on proxmox host to validate the traffic gets to it.. Then you for sure would know that it's proxmox where the problem is.

                              edit: I even validated if you have a floating rule outbound to block it, would pfsense sniff maybe show going out the wire, even though it really wasn't

                              And when I block it with an outbound floating rule on the lan, the sniff never shows it going anywhere.. So it can't even be something like that.. Because he shows a sniff on pfsense sending on the traffic

                              Yes, it seems that from outside the network I can connect with the public IP, from inside the network (WiFi or Cable) I can't connect at all with the public address..
                              I don't understand what I have to check with Proxmox, because everything is default and I have nothing to change.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @root1ng

                                @root1ng said in Port Forward does not work..:

                                from inside the network (WiFi or Cable) I can't connect at all with the public address.

                                you're trying this from inside?? For that to work you would need to set up nat reflection.

                                • R
                                  root1ng LAYER 8 @johnpoz

                                  @johnpoz said in Port Forward does not work..:

                                  you're trying this from inside?? For that to work you would need to set up nat reflection.

                                  Yes, from the inside, no, I don't have NAT Reflection active.
                                  Do I activate it globally or for each individual rule?

                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @root1ng

                                    @root1ng you can do it either way.. But with something like this you could have a problem.. But if you're hitting the wan IP from the inside and not seeing traffic being sent on - that would be due to no nat reflection setup.

                                    You might have to do a full proxy setup - not really a fan of nat reflection, it's an abomination if you ask me ;)

                                    But problem is even if you reflect if the source IP is local to where you're sending it, and that something answers directly back.. The client might say hey wait a minute - I sent this traffic to mac abc (its gateway) why is mac xyz answering me.. You can see this very easy with dns and redirection.. There are plenty of posts around here going over that specific scenario..

                                    But that really has nothing to do with plex doing the job of the port forward, but if you want plex to send the traffic to 1.6 when you hit your public IP from the lan side, that would need a nat reflection to be setup.

                                    • R
                                      root1ng LAYER 8 @johnpoz

                                      @johnpoz said in Port Forward does not work..:

                                      @root1ng you can do it either way.. But with something like this you could have a problem.. But if you're hitting the wan IP from the inside and not seeing traffic being sent on - that would be due to no nat reflection setup.

                                      Ok, and do I enable nat reflection in Firewall - NAT - Port Forward for each rule added for the teamspeak server, or do I enable it globally from System > Advanced > Nat Reflection for Port Forward?

                                      I think it's the same thing, but it's better to ask than to do another stupid thing :))

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator @root1ng

                                        @root1ng I made some edits about nat reflection on my previous post, but you can set it up when you do the forward.

                                        • R
                                          root1ng LAYER 8 @johnpoz

                                          @johnpoz said in Port Forward does not work..:

                                          But problem is even if you reflect if the source IP is local to where you're sending it, and that something answers directly back.. The client might say hey wait a minute - I sent this traffic to mac abc (its gateway) why is mac xyz answering me.. You can see this very easy with dns and redirection.. There are plenty of posts around here going over that specific scenario..

                                          But that really has nothing to do with plex doing the job of the port forward, but if you want plex to send the traffic to 1.6 when you hit your public IP from the lan side, that would need a nat reflection to be setup.

                                          Ok and how do I do these settings? What should be set exactly? I don't understand, Pure NAT or NAT + Proxy or are there more advanced settings that need to be done?

                                          • R
                                            root1ng LAYER 8 @johnpoz

                                            @johnpoz said in Port Forward does not work..:

                                            @root1ng you can do it either way.. But with something like this you could have a problem.. But if you're hitting the wan IP from the inside and not seeing traffic being sent on - that would be due to no nat reflection setup.

                                            You might have to do a full proxy setup - not really a fan of nat reflection, it's an abomination if you ask me ;)

                                            But problem is even if you reflect if the source IP is local to where you're sending it, and that something answers directly back.. The client might say hey wait a minute - I sent this traffic to mac abc (its gateway) why is mac xyz answering me.. You can see this very easy with dns and redirection.. There are plenty of posts around here going over that specific scenario..

                                            But that really has nothing to do with plex doing the job of the port forward, but if you want plex to send the traffic to 1.6 when you hit your public IP from the lan side, that would need a nat reflection to be setup.

                                            I think I solved it and I hope I did the right thing, I changed the global settings, I'm attaching a picture below, is it okay?
                                            By the way, this is how I can connect with the public IP from LAN/WiFi.
                                            Without those two checked boxes I can't connect. (1:1 and outbound)

                                            Screenshot_12.png
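
Added example (not part of the thread and not pfSense code): a small Python model of the reflection problem johnpoz describes above, and of why the outbound NAT checkbox in the last post makes the difference. The 192.168.1.0/24 subnet, the firewall address, the 203.0.113.10 public IP and the client source port are constructed; only the .5/.6 host numbers and port 9987 come from the thread. It also covers a client on a second internal subnet, which goes beyond the case discussed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed addressing: the thread gives only the .5/.6 hosts and port 9987.
LAN = ip_network("192.168.1.0/24")
FW_LAN = "192.168.1.1"    # firewall LAN address (assumed)
WAN_IP = "203.0.113.10"   # documentation-range stand-in for the public IP
SERVER = "192.168.1.6"    # forwarded VM
PORT = 9987


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def reflect(pkt, outbound_nat):
    """Firewall translation of a LAN packet aimed at the WAN IP."""
    out = replace(pkt, dst=SERVER)        # reflection: public IP -> server
    if outbound_nat:
        out = replace(out, src=FW_LAN)    # hide the client behind the firewall
    return out


def hairpin(client_ip, outbound_nat):
    """Trace one request/reply and report whether the client accepts the reply."""
    sent = Packet(client_ip, 50000, WAN_IP, PORT)
    seen = reflect(sent, outbound_nat)    # what the server receives
    # The server answers the source it saw. A same-subnet source is reached
    # directly at layer 2, so the firewall never gets to undo the translation.
    direct = seen.src != FW_LAN and ip_address(seen.src) in LAN
    if direct:
        reply = Packet(SERVER, PORT, seen.src, seen.sport)
    else:
        # Reply passes the firewall, whose state restores the original addresses.
        reply = Packet(WAN_IP, PORT, sent.src, sent.sport)
    # The client only accepts a reply from the address and port it sent to.
    accepted = (reply.src, reply.sport) == (sent.dst, sent.dport)
    return {"server_sees": seen.src, "direct_reply": direct,
            "reply_src": reply.src, "accepted": accepted}


if __name__ == "__main__":
    for client, nat in [("192.168.1.5", False), ("192.168.1.5", True),
                        ("192.168.2.20", False)]:
        print(client, "outbound_nat=" + str(nat), hairpin(client, nat))
```

With outbound NAT applied to reflected traffic the server only ever sees the firewall as the source, so its access logs and any per-IP controls lose the real LAN client address.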

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.