Port Forwarding
-
What are you forwarding? What is the IP on the pfsense WAN: is it RFC1918 or public? That is the IP you would hit, that you want to forward to some other IP on your LAN that is an RFC1918 address. Is your pfsense behind a NAT? Say the pfsense WAN is 192.168.0.1/24 and you want to forward 80 to 192.168.1.100/24 on your LAN.
If you're hitting 192.168.0.1 you would have to disable the default WAN rule of block RFC1918.
-
I have a debugging software (PHPed) that communicates with a server on port 7869. The software needs that port to be open so it can get information back from the server.
So, my device at 198.162.0.10 needs to have access to incoming information on port 7869. The actual port number isn't important, it can be changed, 7869 is just the default.
The pfsense box is connected via a bridge to the Internet, so it is handling everything.
-
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
You probably want:
Interface: WAN
Protocol: TCP
Source: Leave this alone
Destination: WAN address
Destination Port Range: 7869
Redirect Target IP: 192.168.0.10 (I'm assuming 198.162.0.10 is a mistake)
Redirect Target Port: 7869
No XMLRPC Sync: unchecked
NAT Reflection: Use system default
Description: PHPed
Filter rule association: Let it add one/Use what's already added. The associated filter rule should show up on Firewall > Rules, WAN tab. You will only be able to edit values that are not set by the NAT entry. Edit the NAT entry to change the locked values.
-
Sorry, just got back from a meeting doing too many things at once, yes, 192.168.0.10…
However, those are the settings I used, no luck. I tried two devices on two computers (with their own settings in the firewall on slightly different ports) to eliminate anything on the computer (though it works fine with the old router).
The firewall and NAT settings both looked fine when it was set.
Can anyone confirm that if I turn on "Disable all packet filtering", anything can go through the firewall without forwarding.
One more thing I noticed. I went the other route (removed the forwards) and turned on UPNP and it didn't work either, but the UPNP status showed all of the proper ports were open. I've not used UPNP much, but I was under the impression that it was somewhat foolproof. Just turn it on and the ports magically open, and since they were listed properly, what could be the issue?
-
You don't need to do anything like disable all packet filtering. This just works when it's configured correctly.
Do all this and report back.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
I did all of that except running the tcpdump, seemed like overkill. I'll do that and see what is up. I'll post back when I get a chance to test that.
-
Sorry, but if you did all that it would be working.
Triple check the config/firewall/network mode on the target host.
-
Basically, if I used my old router, the existing port forwarding works fine. I swap in the pfsense router and it doesn't.
You're talking replacing, not putting pfSense in between the old router and target host, right? You're getting a public IP address from the ISP on pfSense WAN right?
-
Correct. OK, just tested again and went over the questions.
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)
CHECK
2. Firewall enabled on client machine
WINDOWS FIREWALL HAS EXCEPTION FOR PHPED. WORKS FINE FOR OLD ROUTER.
3. Client machine is not using pfSense as its default gateway
CHECK DEFAULT GATEWAY
4. Client machine not actually listening on the port being forwarded
CHECK, TESTED DEBUGGER
5. ISP or something upstream of pfSense is blocking the port being forwarded
WORKS FINE WITH OLD ROUTER
6. Trying to test from inside the local network, need to test from an outside machine
WEBSERVER IS OUTSIDE THE NETWORK AND REPORTS IT CAN'T CONNECT TO IP.
7. Incorrect or missing Virtual IP configuration for additional public IP addresses
NO VIRTUAL IPS
8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.
PC - ROUTER - <bridge> - INTERNET
9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.
NO CAPTIVE PORTAL
10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.
DEFAULT GATEWAY
14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.
NO GATEWAY SET.
15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.
UPNP IS OFF
-
Nothing of note in Status - System logs - Firewall that has to do with any of this?
-
And what states are created. PM me your public IP and I'll see what happens from here. These things can be easily tested with telnet.
-
And you're not running a local security software or firewall on this box? Simple enough to test with a simple sniff to see if that traffic ever hits pfsense, and is forwarded to where you want to forward it. Really is a 3 second check..
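As an added example (not from anyone in the thread), the telnet-style test suggested above written as a small Python probe you run from an outside host: it attempts only the TCP handshake and tells "open", "refused" and "no answer" apart, which point at different items of the checklist. PUBLIC_IP is a placeholder; the local listener exists only so the probe can be exercised offline.

```python
import socket

# Classification labels (constructed for this example)
OPEN = "open"                # handshake completed: NAT rule, firewall rule and listener all work
REFUSED = "refused"          # RST came back: a host answered but nothing listens there (item 4)
FILTERED = "filtered"        # silence: traffic never reached pfSense or was dropped (items 5 and 8)
UNREACHABLE = "unreachable"  # route/ICMP error or DNS failure before any TCP exchange


def probe_forward(host, port, timeout=3.0):
    """Connect to host:port from the outside and classify what came back.

    Only the TCP handshake is attempted; nothing is sent to the service.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return REFUSED
    except (socket.timeout, TimeoutError):
        return FILTERED
    except OSError:
        return UNREACHABLE


def start_local_listener(host="127.0.0.1"):
    """Bind a throwaway listener on an ephemeral port so the probe can be
    exercised offline; returns (socket, port). Closing the socket turns the
    same port into a 'refused' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Replace with the pfSense WAN address as seen from the outside (placeholder value).
    PUBLIC_IP = "203.0.113.10"
    print(PUBLIC_IP, 7869, probe_forward(PUBLIC_IP, 7869))
```

A "filtered" result from outside while a sniff on the pfSense WAN shows no packets arriving is exactly the upstream-device case the thread ends on.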
-
Thanks for all the help. I knew that you'd push me in the right direction. When illogical things are happening, sometimes you have to reexamine things from a different angle.
Turns out there were two issues I was having that prevented me from finding the problem. First I was too lazy to type "yum telnet install" on my external server so I could use telnet.
Once I did that, I found that no traffic was making it through to the pfsense box at all.
That led me back to the useless and painfully restrictive ATT router I'm forced to use as a bridge. I have limited access to it because it is outside of my network in bridge mode. The only way to access it is via my laptop. I looked at it yesterday, but after about 10 minutes, Windows forced a reboot and started updating. I gave up waiting for it after about 30 minutes. Today, I gave it another 30 minutes of updating and inspected the firewall. For some unknown reason, the IP passthrough had jumped to my security system, rather than the pfsense router. So pfsense was again behind its firewall. Once I disabled that (again), the ports opened right up.
So, the final question, in the ATT router, it showed two pfsense routers with different MACs. However, it didn't show pfsense having been assigned an IP address. Since I haven't set the MAC or changed it, that makes me wonder:
If I don't manually put in a MAC for the pfsense box, it will use its assigned internal MAC and not create a random MAC correct?
-
If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfsense. If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.
So see, a 2 second sniff on the WAN in pfsense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)
Glad you got it sorted. I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.
-
If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfsense. If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.
Yes, it is physical hardware, so that is good.
So see, a 2 second sniff on the WAN in pfsense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)
Knowing it isn't there and being actually able to see it are two different things. There is a lot of information and I'm brand new to pfsense, so actually finding it was difficult. New tools are the hardest to use.
Glad you got it sorted. I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.
Yea, welcome to the hardest to setup software in the world! It is better now than a few years ago, but I've setup at least 100 accounts in PHPed and I still use a cheat sheet. Once you get the account setup, then there is also a component that must be installed into PHP on the web server and php.ini needs to be updated with the ports and IP of the users. It's rather a pain to setup. Once setup, it is amazing. I can't live without it. The ability to step line by line through a PHP program is very helpful when there is a strange bug. Plus the code prefill and highlighting are very helpful. For example, if you create a variable called $rec_num, next time you type $rec it prefills $rec_num. That really cuts down on typos.