NAT rule for peer port
-
Hi,
I'm trying to open port 51413 and forward it to my local peer-to-peer machine (192.168.100.6), and it seems I'm not smart enough.
I tried to follow the NAT documentation, but I can't figure out the issue. After way too much time browsing the documentation and the forum, here is my (non-working) configuration. I'm pretty sure I'm missing something obvious and maybe one of you will be able to help?
Thanks in advance,
-
@mathieur you currently show 81 states using that port forward.. If something is not working, it's not the port forward.
On a side note - opening up your webgui to the public internet, not very secure setup..
-
@johnpoz thanks for the reply. The web GUI is not open, I think you're referring to the 80 and 443 rules? That's for HAproxy.
The port still "looks" closed from the p2p app perspective, any idea what might be wrong?
-
@mathieur good to hear that is your haproxy..
I just checked the IP you talk to the forum on, and I show that port open
I would uncheck that ask for UPnP checkbox when you check - if you're not running UPnP on pfsense, maybe it thinks it's closed because it can't open it via UPnP?
But if I send a syn, I get a syn,ack back..
Do you have any rules in floating that might block IPs from regions of the world, maybe where that test comes from?
-
@johnpoz Thanks for your help!
Rules from pfBlockerNG in floating were indeed the origin. I would never have guessed by myself.
-
@mathieur geo filtering for something like a p2p prob not a good thing ;) hehehe
You really have no clue to where traffic might come from.. I had a similar sort of problem when I started filtering based on geoip and a test Plex does for if your Plex is available remote.. Some of the testing comes from non-US IPs, same goes for stuff like uptime robot and status cake.. They leverage global resources to check stuff, and if you're filtering to only allow IPs from certain regions you can run into issues.
I just found where these services list what IPs can be used as source of the traffic, and allowed them - the lists of IPs do change now and then.. And just added them to my pfblocker alias that I use to allow.
But with something like p2p, that would be pretty impossible..
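-
Added example, not part of any post above: a small model of pf-style rule evaluation showing how a floating geo-block can drop a port checker's SYN while the 51413 forward works for other sources. The ruleset, rule labels and documentation-range source addresses are constructed, and it assumes the floating block rule is marked quick.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    tab: str            # "floating" or "wan"
    action: str         # "pass" or "block"
    sources: tuple      # CIDR strings the rule applies to
    dst_port: int       # 0 means any port
    label: str
    quick: bool = True  # quick: first match ends evaluation

    def matches(self, src: str, port: int) -> bool:
        ip = ipaddress.ip_address(src)
        in_src = any(ip in ipaddress.ip_network(n) for n in self.sources)
        return in_src and self.dst_port in (0, port)

# Constructed ruleset (assumption): a geo-block alias as a floating rule,
# plus the WAN pass rule linked to the 51413 -> 192.168.100.6 forward.
RULES = [
    Rule("floating", "block", ("203.0.113.0/24",), 0, "geo-block alias (constructed)"),
    Rule("wan", "pass", ("0.0.0.0/0",), 51413, "NAT 51413 -> 192.168.100.6"),
]

def evaluate(src, port, rules=RULES):
    """Return (action, label) for an inbound SYN, pf-style."""
    # Floating rules are evaluated before the interface tab's rules.
    ordered = [r for r in rules if r.tab == "floating"] + \
              [r for r in rules if r.tab != "floating"]
    verdict = ("block", "default deny")
    for rule in ordered:
        if rule.matches(src, port):
            verdict = (rule.action, rule.label)  # last match is remembered
            if rule.quick:                       # quick match stops here
                break
    return verdict

def explain(src, port):
    action, label = evaluate(src, port)
    return f"{src}:{port} -> {action} ({label})"

if __name__ == "__main__":
    print(explain("198.51.100.7", 51413))  # tester outside the blocked range
    print(explain("203.0.113.9", 51413))   # port checker inside the blocked range
```

The same forward looks open from one source and closed from another, which matches what the thread found: states existed on the forward, yet the external test reported the port closed.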