Netgate Discussion Forum
    Port Forwarding

    General pfSense Questions
    16 Posts 4 Posters 3.6k Views
    • johnpoz (LAYER 8 Global Moderator)

      What are you forwarding?  Is the IP on the pfSense WAN (the IP you would hit, that you want to forward to some other IP on your LAN that is an RFC1918 address) in RFC1918 or public?  Is your pfSense behind a NAT?  Say the pfSense WAN is 192.168.0.1/24 and you want to forward 80 to 192.168.1.100/24 on your LAN.

      If you're hitting 192.168.0.1 you would have to disable the default WAN rule of block RFC1918.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • Serra

        I have a debugging software (PHPed) that communicates with a server on port 7869.  The software needs that port to be open so it can get information back from the server.

        So, my device at 198.162.0.10 needs to have access to incoming information on port 7869.  The actual port number isn't important, it can be changed, 7869 is just the default.

        The pfsense box is connected via a bridge to the Internet, so it is handling everything.

        • Derelict (LAYER 8 Netgate)

          https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

          You probably want:

          Interface: WAN
          Protocol: TCP
          Source: Leave this alone
          Destination: WAN address
          Destination Port Range: 7869
          Redirect Target IP: 192.168.0.10 (I'm assuming 198.162.0.10 is a mistake)
          Redirect Target Port: 7869
          No XMLRPC Sync: unchecked
          NAT Reflection: Use system default
          Description: PHPed
          Filter rule association: Let it add one/Use what's already added.

          The associated filter rule should show up on Firewall > Rules, WAN tab.  You will only be able to edit values that are not set by the NAT entry.  Edit the NAT entry to change the locked values.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • Serra

            Sorry, just got back from a meeting doing too many things at once, yes, 192.168.0.10…

            However, those are the settings I used, no luck.  I tried two devices on two computers (with their own settings in the firewall on slightly different ports) to eliminate anything on the computer (though it works fine with the old router).

            The firewall and NAT settings both looked fine when it was set.

            Can anyone confirm that if I turn on "Disable all packet filtering", anything can go through the firewall without forwarding?

            One more thing I noticed.  I went the other route (removed the forwards) and turned on UPnP and it didn't work either, but the UPnP status showed all of the proper ports were open.  I've not used UPnP much, but I was under the impression that it was somewhat foolproof.  Just turn it on and the ports magically open, and since they were listed properly, what could be the issue?

            • Derelict (LAYER 8 Netgate)

              You don't need to do anything like disable all packet filtering.  This just works when it's configured correctly.

              Do all this and report back.

              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


              • Serra

                I did all of that except running the tcpdump, seemed like overkill.  I'll do that and see what is up.  I'll post back when I get a chance to test that.

                • Derelict (LAYER 8 Netgate)

                  Sorry, but if you did all that it would be working.

                  Triple check the config/firewall/network mode on the target host.


                  • Derelict (LAYER 8 Netgate)

                    @Serra:

                    Basically, if I used my old router, the existing port forwarding works fine.  I swap in the pfsense router and it doesn't.

                    You're talking replacing, not putting pfSense in between the old router and target host, right?  You're getting a public IP address from the ISP on pfSense WAN right?


                    • Serra

                      Correct.  Ok, just tested again and went over the questions:

                      1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)

                      CHECK

                      2. Firewall enabled on client machine

                      WINDOWS FIREWALL HAS EXCEPTION FOR PHPED.  WORKS FINE FOR OLD ROUTER.

                      3. Client machine is not using pfSense as its default gateway

                      CHECK DEFAULT GATEWAY

                      4. Client machine not actually listening on the port being forwarded

                      CHECK, TESTED DEBUGGER

                      5. ISP or something upstream of pfSense is blocking the port being forwarded

                      WORKS FINE WITH OLD ROUTER

                      6. Trying to test from inside the local network, need to test from an outside machine

                      WEBSERVER IS OUTSIDE THE NETWORK AND REPORTS IT CAN'T CONNECT TO IP.

                      7. Incorrect or missing Virtual IP configuration for additional public IP addresses

                      NO VIRTUAL IPS

                      8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.

                      PC - ROUTER - BRIDGE - INTERNET

                      9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.

                      NO CAPTIVE PORTAL

                      10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

                      DEFAULT GATEWAY

                      14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

                      NO GATEWAY SET.

                      15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.

                      UPNP IS OFF

                      • KOM

                        Nothing of note in Status - System logs - Firewall that has to do with any of this?

                          • Derelict (LAYER 8 Netgate)

                          And what states are created.  PM me your public IP and I'll see what happens from here.  These things can be easily tested with telnet.


                            • johnpoz (LAYER 8 Global Moderator)

                            And you're not running a local security software or firewall on this box?  Simple enough to test with a simple sniff to see if that traffic ever hits pfsense, and is forwarded to where you want to forward it.  Really is a 3 second check..


                              • Serra
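As an added example (not from the thread and not pfSense's own code): a small Python triage of pfSense firewall log lines that sorts inbound WAN entries for the forwarded port into pass / block / none, which is the same distinction KOM's log question and johnpoz's WAN sniff are getting at. It assumes the documented filterlog CSV field layout, an interface named em0 as WAN, and constructed sample lines.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in the pfSense 'filterlog' CSV layout (assumption:
# rulenr,subrulenr,anchor,tracker,iface,reason,action,direction,ipver, then for
# IPv4: tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst, then for
# TCP/UDP: sport,dport,...). Addresses are RFC 5737 test ranges; em0 = WAN.
SAMPLE_LINES = [
    # blocked on WAN: private source hitting a private WAN address (rfc1918 block)
    "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.0.50,192.168.0.1,51000,7869,0,S,1:1,,65535,,mss",
    # passed on WAN by the forward's associated rule, syslog-prefixed form
    "Mar  3 10:15:02 pfSense filterlog[46233]: 67,,,1612345678,em0,match,pass,in,4,0x0,,51,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.5,40000,7869,0,S,2:2,,29200,,mss",
    # unrelated block on another port
    "5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.5,33000,22,0,S,3:3,,65535,,mss",
    # same flow leaving on LAN; outbound entries are not WAN hits
    "67,,,1612345678,em1,match,pass,out,4,0x0,,50,0,0,DF,6,tcp,60,203.0.113.10,192.168.0.10,40000,7869,0,S,2:2,,29200,,mss",
]

_PREFIX = re.compile(r"^.*?filterlog(\[\d+\])?:\s*")  # strip syslog header if present

def parse_filterlog(line: str) -> Optional[dict]:
    """Return the fields needed for triage, or None for non-IPv4-TCP/UDP lines."""
    f = _PREFIX.sub("", line.strip()).split(",")
    if len(f) < 23 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "direction": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}

def triage_port_forward(lines, wan_iface: str, port: int) -> dict:
    """Count inbound WAN entries for the forwarded port and say what they imply.

    pass  -> the forward matched; look at the target host (listening, host
             firewall, default gateway), as the thread's checklist does.
    block -> pfSense saw the packets but a rule dropped them (e.g. the default
             block-private-networks rule when testing from an RFC1918 source).
    none  -> nothing reached the WAN interface; the problem is upstream, which
             is what a WAN packet capture would show as well.
    """
    counts = Counter()
    for line in lines:
        e = parse_filterlog(line)
        if e and e["iface"] == wan_iface and e["direction"] == "in" and e["dport"] == port:
            counts[e["action"]] += 1
    if counts["pass"]:
        verdict = "forward matched: check listener, host firewall and gateway on the target"
    elif counts["block"]:
        verdict = "traffic reached WAN but was blocked: check the associated WAN rule"
    else:
        verdict = "no inbound hits on WAN: traffic is not arriving, check the upstream device"
    return {"pass": counts["pass"], "block": counts["block"], "verdict": verdict}
```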

                              Thanks for all the help.  I knew that you'd push me in the right direction.  When illogical things are happening, sometimes you have to reexamine things from a different angle.

                              Turns out there were two issues I was having that prevented me from finding the problem.  First I was too lazy to type "yum telnet install" on my external server so I could use telnet.

                              Once I did that, I found that no traffic was making it through to the pfsense box at all.

                              That led me back to the useless and painfully restrictive ATT router I'm forced to use as a bridge.  I have limited access to it because it is outside of my network in bridge mode.  The only way to access it is via my laptop.  I looked at it yesterday, but after about 10 minutes, Windows forced a reboot and started updating.  I gave up waiting for it after about 30 minutes.  Today, I gave it another 30 minutes of updating and inspected the firewall.  For some unknown reason, the IP passthrough had jumped to my security system, rather than the pfsense router.  So pfsense was again behind its firewall.  Once I disabled that (again), the ports opened right up.

                              So, the final question, in the ATT router, it showed two pfsense routers with different MACs.  However, it didn't show pfsense having been assigned an IP address.  Since I haven't set the MAC or changed it, that makes me wonder:

                              If I don't manually put in a MAC for the pfsense box, it will use its assigned internal MAC and not create a random MAC, correct?

                                • johnpoz (LAYER 8 Global Moderator)

                                If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfsense.  If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.

                                So see, a 2 second sniff on the WAN in pfsense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)

                                Glad you got it sorted.  I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.


                                  • Serra

                                  @johnpoz:

                                  If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfsense.  If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.

                                  Yes, it is physical hardware, so that is good.

                                  @johnpoz:

                                  So see, a 2 second sniff on the WAN in pfsense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)

                                  Knowing it isn't there and being actually able to see it are two different things.  There is a lot of information and I'm brand new to pfsense, so actually finding it was difficult.  New tools are the hardest to use.

                                  @johnpoz:

                                  Glad you got it sorted.  I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.

                                  Yeah, welcome to the hardest to set up software in the world!  It is better now than a few years ago, but I've set up at least 100 accounts in PHPed and I still use a cheat sheet.  Once you get the account set up, then there is also a component that must be installed into PHP on the web server, and php.ini needs to be updated with the ports and IP of the users.  It's rather a pain to set up.  Once set up, it is amazing.  I can't live without it.  The ability to step line by line through a PHP program is very helpful when there is a strange bug.  Plus the code prefill and highlighting are very helpful.  For example, if you create a variable called $rec_num, next time you type $rec it prefills $rec_num.  That really cuts down on typos.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.