Netgate Discussion Forum

    Port Forwarding troubles

      brigzzy

      Hi All,

      I recently replaced my SOHO router with an Atom-based pfSense box (running the latest 2.1 RC1 build, as it is the only one that supports my network cards), but after the swap, my forwarded ports are not working.  I followed the 'how to forward ports' guide as well as the 'port forwarding troubleshooting guide', but I am still having issues.

      For example, my website can be accessed from an internal IP, by going to my external IP address in a browser, but I cannot connect in the same way from an external browser.  Below is an example of the port 80 NAT rule.  The others are configured the same (the only difference being the ports).

      If    Proto     Src. addr  Src. ports  Dest. addr    Dest. ports  NAT IP      NAT Ports
      WAN   TCP/UDP   *          *           WAN address   80 (HTTP)    10.0.0.128  80 (HTTP)

      Does anyone have any idea what could be causing my problems?

      Thanks for reading :)

        brigzzy

        Sorry for bumping my own topic, but is there any additional information I could provide that would help lead to a solution to my problem?

        Thanks,

        Brigzzy

          kejianshi

          Is there a NAT rule or firewall rule on either the WAN or the LAN that NATs to some other IP, blocks 80 or something that comes before this rule on your pfsense?

            brigzzy

            Thanks very much for the reply.  I do not think there is a NAT or Firewall rule that is causing issues.  Here is a screenshot of both screens, so you can see my configuration.

            http://imgur.com/a/AYyVz

            Thanks so much for the reply :)

              kejianshi

              Are you running your pfsense web gui on 80?

                brigzzy

                Yes I am.  Could that be a problem?  I'll try moving it to a different port.

                EDIT - I moved it to port 81, but I still cannot access it from the outside :(

                  kejianshi

                  From time to time.

                    kejianshi

                    What does your LAN firewall rule look like?

                      brigzzy

                      I don't recall changing it, so it should be whatever the default is.  Can you please tell me where I would find it in the settings?

                      Thanks!

                        kejianshi

                        You posted your WAN firewall Rule. Same place, except click the LAN tab.

                          brigzzy

                          imgur just went down, so no screenshot this time, but here you go:

                          ID  Proto   Source   Port  Destination  Port   Gateway  Queue  Schedule  Description
                              *       *        *     LAN Address  81 22  *        *                Anti-Lockout Rule
                              IPv4 *  LAN net  *     *            *      *        none             Default allow LAN to any rule
                              IPv6 *  LAN net  *     *            *      *        none             Default allow LAN IPv6 to any rule

                          They all seem to be default, I don't recall making any changes here.

                          Thanks!

                            johnpoz LAYER 8 Global Moderator

                            Ok for starters.. I don't see any wan rules that allow your forwards.

                            http://imgur.com/a/AYyVz

                            Did you uncheck create wan rule when you created your NAT?  None of those nats show linked rule.  And I see only 1 wan rule for 22 (ssh)  So how would your 80 traffic be allowed?

                            Second, many ISPs block port 80.

                            Third, are you sure your pfsense WAN IP is public and not private.. What is pfsense plugged into?  A true modem where you get public on pfsense, or actually a gateway that does nat as well as be a modem?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                              kejianshi

                              Yep - It's not good.  Time to start over with NAT rules.
                              (You actually have to click extra buttons and do extra work to mess up NAT this way)

                                johnpoz LAYER 8 Global Moderator

                                It's amazing how so many mess up something that is so easy..

                                Click a + button put in your port and private IP = done.  This auto creates the firewall rule that you need and the nat you need.

                                  brigzzy

                                  @johnpoz:

                                  Ok for starters.. I don't see any wan rules that allow your forwards.

                                  http://imgur.com/a/AYyVz

                                  Did you uncheck create wan rule when you created your NAT?  None of those nats show linked rule.  And I see only 1 wan rule for 22 (ssh)  So how would your 80 traffic be allowed?

                                  Second, many ISPs block port 80.

                                  Third, are you sure your pfsense WAN IP is public and not private.. What is pfsense plugged into?  A true modem where you get public on pfsense, or actually a gateway that does nat as well as be a modem?

                                  Good point.  When I made the rules, I selected pass, I figured that meant pass the traffic to the internal IP.  I deleted all my firewall and NAT rules, and recreated them, and I can now see that they have linked firewall rules, however my traffic still isn't working :(  I know that my ISP isn't blocking port 80, because it was working with my old SOHO router.  My IP is definitely a public IP, it doesn't match any of the class A, B, or C networks.  Thanks for the reply :)

                                  @kejianshi:

                                  Yep - It's not good.  Time to start over with NAT rules.
                                  (You actually have to click extra buttons and do extra work to mess up NAT this way)

                                  @johnpoz:

                                  It's amazing how so many mess up something that is so easy..
                                  Click a + button put in your port and private IP = done.  This auto creates the firewall rule that you need and the nat you need.

                                  Yeah right you both are.  Please see my reply above, I had selected pass instead of the default, which was 'Add associated filter rule'.  My mistake, guess you learn something new every day!  Thanks for the replies :)

                                    brigzzy

                                    Well sorry everyone, I feel like a buffoon.  I forgot to update the default route on the web server, so that's why my ports were not working.  After recreating the NAT rules, as suggested above, and fixing the route information, it's working perfectly now.

                                    Thanks so much kejianshi, and johnpoz for all your assistance!

                                      kejianshi

                                      Don't feel I helped all that much.  Sounds like you figured it out yourself.  ;)

                                      But you are welcome.

                                        johnpoz LAYER 8 Global Moderator

                                        Are your other forwards working?

                                        If you feel your rules are correct - then first thing to do is actually verify the traffic is reaching pfsense.  It's quite possible your isp just started blocking it?  Verify pfsense sees the traffic, verify pfsense sends on the traffic..

                                        So quick

                                        It really is a no brainer – click, and done..  Post up your nat and wan rules..

                                        attached is my nat, wan rule that nat created and quick test by doing simple sniff on wan interface and lan interface.

                                        edit: just noticed your other post that is working ;)  Guess no need for this post then - but hey can leave it for the next guy on how to do a simple sniff and verify traffic seen at your wan and then sent out your lan.

                                        This simple test would have pointed you to your web server right away, since you would have seen the packets go out to it, but it not answering..

                                        test.png
                                        validationforward.png
                                        wanrulehttp.png

                                          brigzzy

                                          @johnpoz:

                                          Are your other forwards working?

                                          If you feel your rules are correct - then first thing to do is actually verify the traffic is reaching pfsense.  It's quite possible your isp just started blocking it?  Verify pfsense sees the traffic, verify pfsense sends on the traffic..

                                          So quick

                                          It really is a no brainer – click, and done..  Post up your nat and wan rules..

                                          attached is my nat, wan rule that nat created and quick test by doing simple sniff on wan interface and lan interface.

                                          edit: just noticed your other post that is working ;)  Guess no need for this post then - but hey can leave it for the next guy on how to do a simple sniff and verify traffic seen at your wan and then sent out your lan.

                                          This simple test would have pointed you to your web server right away, since you would have seen the packets go out to it, but it not answering..

                                          Haha thanks again for the detailed reply.  That's a cool looking site too, I was using nmap from a cell phone, but that looks a lot more convenient :)

                                          Thanks!
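
The WAN/LAN sniff check johnpoz describes in this thread, worked through as an added example that is not part of any poster's message: it reads tcpdump-style text from both interfaces and reports at which hop the forwarded connection stops. The capture lines, the WAN address 203.0.113.10 and the client 198.51.100.7 are constructed; 10.0.0.128 and port 80 come from the NAT rule in the first post.

```python
import re

# Matches tcpdump -n TCP lines: "IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def parse(capture):
    """Return (src, sport, dst, dport, flags) for every TCP line in a capture."""
    out = []
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        out.append((src, int(sport), dst, int(dport), flags))
    return out

def diagnose(wan_capture, lan_capture, server_ip, port):
    """Say at which hop an inbound connection to a forwarded port stops."""
    wan, lan = parse(wan_capture), parse(lan_capture)
    # 1. Did the outside client's SYN arrive on the WAN interface at all?
    if not any(p[3] == port and p[4] == "S" for p in wan):
        return "no SYN on WAN: traffic is stopped upstream of pfSense"
    # 2. Was it translated and sent out the LAN interface to the server?
    if not any(p[2] == server_ip and p[3] == port and p[4] == "S" for p in lan):
        return "SYN on WAN, none on LAN: check the NAT rule and its linked WAN rule"
    # 3. Did the server's SYN-ACK come back through pfSense?
    if not any(p[0] == server_ip and p[1] == port and p[4] == "S." for p in lan):
        return "SYN reaches server, no reply: check the server (default route, listener)"
    return "SYN and SYN-ACK both seen: the forward works"

# Constructed sample captures (not from the thread). 203.0.113.10 stands in for
# the WAN address and 198.51.100.7 for the outside client; 10.0.0.128 is the
# web server from the NAT rule in the first post.
WAN_SAMPLE = """\
12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.10.80: Flags [S], seq 100, win 64240, length 0
12:00:02.000000 IP 198.51.100.7.51514 > 203.0.113.10.80: Flags [S], seq 100, win 64240, length 0
"""
LAN_SAMPLE = """\
12:00:01.000100 IP 198.51.100.7.51514 > 10.0.0.128.80: Flags [S], seq 100, win 64240, length 0
12:00:02.000100 IP 198.51.100.7.51514 > 10.0.0.128.80: Flags [S], seq 100, win 64240, length 0
"""

if __name__ == "__main__":
    # SYNs leave the LAN side but the server never answers through pfSense.
    print(diagnose(WAN_SAMPLE, LAN_SAMPLE, "10.0.0.128", 80))
```

The sample pair reproduces the situation the thread ended on: repeated SYNs go out the LAN interface to the web server and no SYN-ACK returns through pfSense.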
