Port forwarding for ARK Server
-
Hi All,
I've searched the forum for answers and have tried everything and somehow can't get this to work, I need to forward ports 7777 and 27015 for an ARK game server, I'm trying to set this up on my work Server 2012, I have this behind a pfsense box and behind that a BT openreach modem, the pfsense is configured with PPPoE and works great I even have it forwarding ports 443 and 80 to my server for Anywhere Access etc - These ports seems to forward perfectly, the others I want to forward do not, I have gone through every possible way of doing this, using Alias, using direct IP addresses, making the rules myself etc it just won't work, I have followed the post from the 'Noob question about NAT' post in order to Access the modem from inside firewall and this doesn't work for me either, would really appreciate some help on this from the experts, cheers for any advice you can give.
-
so your behind a double nat??
Are those ports udp or tcp..
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
Hi John thanks for the input I presume yes to your question?? I didn't think the modem classed as an item that needed port forwarding I was under the impression that it was just a converter of sorts from adsl to fibre? Please correct me if I'm wrong. The fact that ports 80 and 443 opened so easily make me wonder why the others won't, if it makes any difference I tried opening another standard port (21) and this opened fine as well?? Could BT be blocking those ports I want to forward? Thanks for any response.
edit: Forgot to say the ports are being set to TCP & UDP
-
Yeah that would be a "modem" For example my cable modem doesn't do any nat or filtering, etc.. Just provides me with public IP on my pfsense.
But the problem is you have people and isps actually calling what is a gateway device doing nat a "modem" which it is not..
So for example on your pfsense wan what IP do you get, is it rfc1918 then either your isp device is doing nat, or your isp is doing carrier grade nat which going to be a real pain for getting inbound traffic.
If your having other ports open fine - those might be setup in your isp device? Or even if your in say a dmz mode and all traffic gets sent in you run into a problem with high ports like your using already being used for another connection. If you have a device in front of pfsense doing nat.
And lets say you made a connection to pfsense.org from your web browser.. What is the source port? Since pfsense and your isp doing nat its possible that your using 27015 as a source port for your connection to pfsense.org – and now you get this inbound traffic to that port.. What is your isp device suppose to do?
Double nat are PITA.. And should be whenever possible avoided...
When you have only a single nat that you setup forwards on or even 2 of them and you setup an actual forward those ports are reserved and would not be used for the random source port when doing napt.
Again simple troubleshooting is in order.. Do you see the traffic inbound to pfsense? This is step one - because if pfsense does not see the inbound traffic there is no way for it to forward it to something listening on it. If you see it on wan, and you see it on lan of pfsense ie sent to your device behind pfsense.. Do you have the correct IP, is that device running a firewalll?
You need to go through the doc I linked to for basic troubleshooting of port forwarding.. What I can tell you is like 99.999% of the time of all the time and threads I have been here on the pfsense forums is its user error, traffic not getting to pfsense in the firstplace or firewall on the host your sending it too or not even listening, etc.. I can not ever recall a port forwarding issue that came down to a problem with pfsense itself.
-
Again thanks for the reply, I can tell you the WAN address is assigned via PPPoE and is a public IP that can change (although I do have DDNS setup). How do I find out exactly what the source port is for connection to pfsense.org (apologies for lack of knowledge I'm self taught in the networking world so far and tend to dive deep into these things) And again if you could point me in the right direction for checking in bound traffic to pfsense that would be great - I want to say thanks for the advice mate I really appreciate it and I will work through each step of the link you sent me before going any further with anything else, I just wish I could get into the config of my openreach modem and find out if ports need forwarding there as I have experience with double NAT and have beaten if before, just not with pfsense it was on consumer grade routers. I can confirm that it's not firewall related on the host though, the ARK server manager opens it's own ports in the built in windows firewall and I have manually been in to check this, also the IP address for the host is correct and static and I have tried assigning the NAT port forward using the IP and Alias to no avail. I am aware that most of the time stuff like this is user error I just need to figure out where I'm going wrong, thanks again mate.
-
Look in your states table.. For all the combinations of source and destination states under diag. But the question is not what pfsense is using but more what a nat device in front of pfsense would be using if your in its dmz vs setting specific forwards to pfsense wan IP. Double nat is not good.. But you say your not behind a double nat that pfsense has public ip on its wan.
If your pfsense has a public IP, you sure its public?? 192.168.x.x, 10.x.x.x or 172.16-31 are private IPs..
So did you do step one.. Did you sniff on pfsense and validate you see the traffic your wanting to forward.. There is no reason to look further until you have validated you see the traffic on pfsense wan - because if your not seeing it there is nothing you can do it pfsense to make it show up ;)
simple packet capture on diag.. Go to can you see me .org and do a simple test to your port
example see attached. Use that as test of your forward, but you need to sniff your traffic when the real traffic is suppose to be there.. If your using dyndns you sure they are using your correct public IP, etc.
