Port forwarding doesn't work
-
@viragomann
If it is helpful i set some settings from this website: https://nguvu.org/pfsense/pfsense-baseline-setup/ -
@taylorswift
If you probed port 443 you should see any bytes on this rule.Since there is nothing, I'd consider to check your Cloudflare settings. I suspect, you have activated it's tunnel or proxy or whatever.
-
@viragomann
I'll check this, but why it shows that the ports are closed on port checker website? -
@taylorswift
I assume, there is no packet arriving on your WAN.You can sniff the WAN traffic with Diagnostic > Packet Capture, while doing a port check, or just try yourself to access your IP from outside by https://<yourIP>.
You should see at least any packet.If not, possibly access is blocked by your ISP.
-
@taylorswift because it go no reply is why it would show closed.. Very first thing you should do in troubleshooting a port forward is go to like can you see me . org.. Put in the port you want, and then sniff on your pfsense wan - do you see this traffic if not, then nothing you do on pfsense is going to get a port forward to work.
If you don't see that traffic hit pfsense via the packet capture under diagnostics - nothing you do on pfsense would ever get a port forward to work.
You might behind another nat device? What is in front of pfsense? Maybe you don't even have a public IP, ie cgnat from your isp and not just a natting device in front. If you have another isp device in front of pfsense you need to forward the traffic to pfsense wan IP so your port forwards on pfsense can work. Your rules not triggering screams the traffic is not getting to pfsense.
if port forwarding didn't work the forums would be a blaze with people complaining - it would be like a ddos attack ;)
-
@johnpoz
There is hope
-
@taylorswift ok that is good sign for sure!!! But maybe your isp blocks 443 and 80.. Do those ports same way.. Many an isp block 443 and 80 because part of their tos is can't run server/services, etc..
But you see traffic on that odd ball port is hope for sure.
-
@johnpoz
I don't understand this... On port 80 the same results, but can you see me has different IP.
-
@taylorswift That is your traffic to and from the website.. You need to look for traffic to your IP on 443 and 80..
Make sure you like set the count of packets to like 0 or it could finish before you even send your traffic. And might be easier if you download and open in wireshark so easier to look for the specific traffic
here is where they sent to me on 443, I answer because I serve up something on 443.. But here you can see where they sent the syn to my public IP, and where I answer with syn,ack
Your going to want to make sure you see a syn to port 443 in your sniff.
-
@johnpoz
I think I've got the point. My isp blocks ports 80 and 443. Tomorrow I'll try to do that on other port, but there might be problem with Let's Encrypt SSL. -
@taylorswift doesn't matter if ssl is broken, doesn't matter if you have anything listening or anything.. If you send traffic to your IP on 443, then you should see it in the packet capture. If not then no port forward would never work.
See my edit from above.
-
@johnpoz
I can't see 80 or 443 in packet capture, but on other ports I see. So if I run the website on, say, port 773, port forwarding won't work? -
@taylorswift you could for sure use another port.. If you can see the traffic hit your wan, then you can forward it.. You could even forward it to something on 443.. keep in my for a user to access your site they would need to include your port..
http(s)://yourIPorfqdn:port
Browser used by some where http:// would use 80,. https:// would use 443.. If you want to use another port they would have to use the :port in their uri
I run a site on 44301 because it was just easier than messing with haproxy to do another service on 443.. I have openvpn listen on 443, if not vpn traffic it sends it to haproxy on 9443, which forwards to a backend service and does the ssl offload for it.
Vs messing with that setup, I put up a wrapperr thing for users to view their years stats on my plex server, was just easier to use different port.. And I send them a direct link ie https://fqdn:44301 that they just click on..
-
@johnpoz
I also found out that port 8443, witch also is using for https I can see in packet capture, same as port 8080 for http. -
@taylorswift
Remember that Lets Encrypt with webroot needs access to port 80 to hand out certs. -
@viragomann
Is there a way to Let's Encrypt use other port? -
@viragomann said in Port forwarding doesn't work:
access to port 80 to hand out certs.
Not really - just use dns to validate and get your certs. That is how I do it..
-
@johnpoz
Yes, I know. I mentioned, this is with webroot identification, which is the default and widely used. -
@viragomann said in Port forwarding doesn't work:
which is the default and widely used
Not for people that isp block inbound to 80 ;) like this guy..
-
@johnpoz
I‘m in doubt, that his ACME client is knowing that.
