Is my ISP blocking port forwarding?
-
Coming here after a few days trying to figure out what is going on.
My setup goes like this:
Unraid server with 2 NICs: 1 - SMB and private stuff, 2 - Docker containers.
Docker containers -> managed switch tagged VLAN -> pfSense. Docker runs on a different network and everything is fine inside my LAN. I can access it from all other VLANs.
Now I'm trying to open port 8096 for Emby on my WAN like this:
The rules on my Docker VLAN are to block traffic to my other VLANs:
I even tried disabling the pfBlockerNG rule and the rule to the pfSense firewall.
So my guess is: is my ISP blocking it? I tried different ports, but all of them seem to be closed according to online tools such as canyouseeme, and when trying to access the Emby web UI from my phone's LTE network.
-
@Fandangos
Only rules on the WAN will impact this traffic. To investigate, sniff the traffic on the WAN interface using Diagnostics > Packet Capture.
Enter 8096 into the port filter, start the capture and try to access this port from outside.
If you see no packets after stopping the capture then, obviously, there is nothing coming through. I presume that your WAN has a public IP assigned.
-
@viragomann said in Is my ISP blocking port forwarding?:
Enter 8096 into the port filter,
Nothing is reaching it, but I think there's something wrong here between VLANs.
I'm trying to figure out how the pfSense firewall works.
If there are no rules on either VLAN, does this mean traffic from both is allowed?
pfSense rules are top to bottom, right? Meaning, if it finds a rule that allows traffic it will allow it, right?
I have a small Python server running on port 5000 on one of my VLANs,
and when I try to POST to it from another VLAN, it's not working either.
So, if I want VLAN A to access VLAN B, I need to create a firewall rule allowing what?
VLAN A subnets -> VLAN B subnets?
-
@Fandangos said in Is my ISP blocking port forwarding?:
If there are no rules on either VLAN, does this mean traffic from both is allowed?
Correct.
pfSense rules are top to bottom, right? Meaning, if it finds a rule that allows traffic it will allow it, right?
Yes. In each rule you state conditions and an action (pass, block, reject). The conditions are interface (incoming), IP version, protocol, source address and port, destination address and port.
Rules are evaluated from the top to the bottom. If a packet matches the stated conditions, the rule is applied and the following rules are ignored.
So, if I want VLAN A to access VLAN B, I need to create a firewall rule allowing what?
VLAN A subnets -> VLAN B subnets?
Exactly.
If you want some rules to be applied to multiple interfaces, you can create interface groups and add your rules there. Or you can use floating rules, which allow you to select multiple interfaces. When adding a floating rule, remember to set the direction properly for your needs. The default value is any.
-
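To make the two points above concrete (only rules on the arriving interface apply, and evaluation is first match from the top with an implicit default deny when nothing matches), here is a small added model of that evaluation order. It is example code written for this thread, not pfSense's own code: the interface names, the 10.27.33.0/24 and 10.27.34.0/24 subnets, the Emby address and the rule set are assumptions for illustration, and the model ignores state tracking, floating rules and the "quick" flag.

```python
"""Toy first-match packet filter in the style of pfSense interface rules.

Assumptions (not from the thread): interfaces LAN25, DOCKER and WAN;
LAN25 = 10.27.33.0/24, DOCKER = 10.27.34.0/24, Emby at 10.27.34.10.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet arrives on
    proto: str                   # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str                   # rules only apply on their own interface tab
    action: str                  # "pass", "block" or "reject"
    proto: str = "any"
    src: str = "any"             # CIDR, single address, or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr is inside spec; a bare address is treated as a /32."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first match decides.

    Returns (action, index of the deciding rule). An unmatched packet is
    dropped by the implicit default deny, reported as ("block", None).
    """
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "block", None


LAN25_NET = "10.27.33.0/24"   # assumed
DOCKER_NET = "10.27.34.0/24"  # assumed
EMBY = "10.27.34.10"          # assumed

RULES = [
    # DOCKER tab: block the Docker VLAN from reaching LAN25, then let it out anywhere else.
    Rule(iface="DOCKER", action="block", src=DOCKER_NET, dst=LAN25_NET),
    Rule(iface="DOCKER", action="pass", src=DOCKER_NET),
    # WAN tab: the rule a port forward to Emby creates; it matches the post-NAT destination.
    Rule(iface="WAN", action="pass", proto="tcp", dst=EMBY, dport=8096),
    # LAN25 tab: deliberately empty.
]


def demo() -> dict:
    docker_to_lan = Packet("DOCKER", "tcp", EMBY, "10.27.33.198", 5000)
    lan_to_docker = Packet("LAN25", "tcp", "10.27.33.200", EMBY, 8096)
    wan_to_emby = Packet("WAN", "tcp", "203.0.113.7", EMBY, 8096)
    # Same DOCKER rules with pass above block: the block is never reached.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    # Adding a LAN25 -> DOCKER pass rule is what lets the LAN25 host through.
    with_lan_rule = RULES + [Rule("LAN25", "pass", src=LAN25_NET, dst=DOCKER_NET)]
    return {
        "docker_to_lan": evaluate(RULES, docker_to_lan),           # ("block", 0)
        "docker_to_lan_swapped": evaluate(swapped, docker_to_lan), # ("pass", 0)
        "lan_to_docker": evaluate(RULES, lan_to_docker),           # ("block", None)
        "lan_to_docker_with_rule": evaluate(with_lan_rule, lan_to_docker),  # ("pass", 3)
        "wan_to_emby": evaluate(RULES, wan_to_emby),               # ("pass", 2)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `lan_to_docker` case is the situation asked about: with no rule on the LAN25 tab the packet falls off the end of the list and is dropped, and a `pass` rule from the LAN25 subnet to the DOCKER subnet on the LAN25 tab is what changes the outcome. Swapping the order of the two DOCKER rules shows why rule order matters on a first-match list.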
@viragomann said in Is my ISP blocking port forwarding?:
So, if I want VLAN A to access VLAN B, I need to create a firewall rule allowing what?
There must be something wrong here.
LAN25 VLAN (Unraid, running a Python web server, and my PC)
DOCKER VLAN (Emby)
Docker firewall rule:
LAN25 rules:
Basically, in this test LAN25 10.27.33.198 is running a server on port 5000,
and DOCKER 18.27.33.191 is trying to POST to port 5000. I can browse the Docker web UI from 10.27.33.200, my PC.
I can attest that the web server works if I POST from the same subnet.
-
@Fandangos said in Is my ISP blocking port forwarding?:
Basically, in this test LAN25 10.27.33.198 is running a server on port 5000
I can attest that the web server works if I POST from the same subnet.
Allowing access from inside its own subnet but blocking access coming from outside is the default behavior of almost all system firewalls.
Did you configure it to allow access from outside yet?
But you can also verify this by sniffing the traffic on pfSense. If you can see request packets on LAN25 but no response, pfSense passes the traffic, but the server either blocks it or the response traffic is routed wrongly.
-
@viragomann said in Is my ISP blocking port forwarding?:
@Fandangos said in Is my ISP blocking port forwarding?:
Basically, in this test LAN25 10.27.33.198 is running a server on port 5000
I can attest that the web server works if I POST from the same subnet.
Allowing access from inside its own subnet but blocking access coming from outside is the default behavior of almost all system firewalls.
Did you configure it to allow access from outside yet?
But you can also verify this by sniffing the traffic on pfSense. If you can see request packets on LAN25 but no response, pfSense passes the traffic, but the server either blocks it or the response traffic is routed wrongly.
This is the traffic I see between VLANs.
I'm trying to figure out the VLAN problem (I should probably open another thread for this) because I believe this might be the root cause of the port forwarding not working.
As you can see in the traffic capture, one VLAN tries to reach another, but all I get is a timeout.
-
Figured it out!!
It was a Docker container problem. The Docker container was set to use ipvlan, so I changed it to macvlan.
And I set "Host access to custom networks" to enabled.
Now I can POST from my Docker container.
OK.. now trying to figure out how to access Emby from the WAN.