NAT/Port Forward Trouble
-
Good Day everyone! I need some serious help as I am about to lose my mind on this NAT/Port Forwarding issue. I will try to explain everything the best that I can to help you hopefully help me.
I have Comcast Business Class Internet and am using a Motorola SB6183 modem, which is connected to my pfSense box.
WAN port is DHCP on both IPv4 and IPv6.
LAN port is 192.168.1.0/24 on IPv4 and Tracks WAN interface on IPv6.I have many of systems on the network. The primary one that I am trying to access from outside the house is my Network Video Recorder (NVR) which is assigned an IP of 192.168.1.246. It uses 4 ports: HTTP 80, HTTPS 443, Management 8000, and RTSP 8554. I have created the port forwards on the NAT page and have the filter rule association as PASS. I use my phone via LTE to attempt to connect to the NVR using my currently issued Public IP and the connection fails. I change the filter rule association to Create New Associated Filter Rule, apply and reload the filter and my phone via LTE still fails to connect.
When I check the firewall logs, it shows a TCP:S pass for my phone to .246 on port 8000 but the connection still fails. I have tried when I am on other networks using my laptop and it fails to connect. Here is the kicker though….I also use OpenVPN and while I can use Remote Desktop to my server and other computers while connected to the network using OpenVPN, I have no access to the NVR via OpenVPN. I know the NVR has no firewall and this issue has me about to toss the pfSense setup and go back to a crappy consumer router.
I am hoping someone can assist me with this. If you need more information, please let me know and I will get it posted as soon as I possibly can.
Thanks a bunch!!!!
-
You might want to post the documentation that details what ports need to be forwarded along with the rules you have set.
And, as always, OpenVPN would probably be easier and more secure. Win win.
-
I normally use OpenVPN at all times when I am outside my residence for security. The only problem, is even with OpenVPN, I cannot access the NVR but can access everything else on my network. It is really bugging me.
I have attached screenshots of the NVR's Port Screen and my pfSense Port Forward screen. Currently, the port forwards are set up to PASS. I have also tried with Create Matching Firewall Rule and this does not work either.
![NVR Ports.png](/public/imported_attachments/1/NVR Ports.png)
![NVR Ports.png_thumb](/public/imported_attachments/1/NVR Ports.png_thumb)
![pfSense Port Forward.png](/public/imported_attachments/1/pfSense Port Forward.png)
![pfSense Port Forward.png_thumb](/public/imported_attachments/1/pfSense Port Forward.png_thumb) -
"I cannot access the NVR but can access everything else on my network."
My guess would be the NVR doesn't have a gateway set, you would only be able to connect to it if on the same layer 2 then.. So no port forwards or openvpn in tun mode never going to work.
Set a gateway on your NVR if it supports it.
-
I have the gateway and everything else is set up. I can usually figure these things out but this it just running me ragged. I still have to set up port forwards for my Source Dedicated Server and see if those work, but I want to get the current issue resolved first.
Attached is a screenshot of the IP settings of the NVR.
![NVR IP Config.png](/public/imported_attachments/1/NVR IP Config.png)
![NVR IP Config.png_thumb](/public/imported_attachments/1/NVR IP Config.png_thumb) -
dude if you vpn in and can access everything else but your nvr, that points to your nvr if you ask me.. And also would explain why port forwards don't work as well.
Here is the thing port forwarding is clickity clickity done.. If its not working then you made a mistake, or its being blocked up stream or at firewall of host.
Go through the troubleshooting doc.. But if you can not access it via vpn you got something wrong with the device, you sure thats your gateway? Your not using a captive portal are you that it can not auth too?
-
No captive portal and this is actually a fresh pfSense install. I was having hard drive issues so I went and replaced the hard drive with an SSD and then reinstalled pfSense from scratch yesterday thinking updating from 2.1 through each version to 2.2.6 caused some issue and the fresh install would have resolved it but no dice.
I will setup the port forwards for the Source Dedicated Server and see if I can get a response on those ports since that is on my server.
I do sincerely appreciate the assistance that you all are providing!!!!
-
Dude do a sniff on the wan interface of pfsense.. Do you see the traffic your trying to forward? If not then pfsense can not do anything..
What port are you trying to forward? If a port forward takes you more than 15 seconds something is failing at a basic level.. They really are clickity clickity..
Post up your forward.. and wan firewall rules.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
I have sniffed and the WAN is getting the traffic but the firewall is blocking the traffic per the firewall logs.
If it makes any difference, even setting uPNP to enabled and rebooting the NVR does not work.
I forgot to mention that I have full access to the NVR from all other computers connected to the network. This is why I am so stumped as to why I cannot get to it externally or while connected via OpenVPN.
![port forward.png](/public/imported_attachments/1/port forward.png)
![port forward.png_thumb](/public/imported_attachments/1/port forward.png_thumb)
![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
![WAN Rules.png_thumb](/public/imported_attachments/1/WAN Rules.png_thumb) -
So what does the firewall say its blocking on?
So I would bet your alias is wrong… why don't you just put in the actual IP of your nvr? And I highly doubt its using http/https over udp for another thing..
As to your other ports are they udp or tcp.. Why do you forward both of them, I doubt its using both..
-
The alias is set up correctly. I just have the alias so instead of constantly typing the IP of the NVR from trying variations of the rules, I just type in NVR and its done. It points to the NVR ip of .246. While attempting to connect, it still fails via my phone on LTE and when connected via my phone on LTE using OpenVPN but now I am not getting any firewall entries. While checking through, I notice a new log entry,
"kernel: arp: 00:21:79:c6:b9:ee attempts to modify permanent entry for 192.168.1.246 on re1."I am not sure what it is trying to modify since I have a static mapping for the NVR set in the DHCP server.
(UPDATE)
I decided for S's & G's to delete the static map for the NVR and let the DHCP assign it a random address….and now, when I update the alias to the new assigned IP, IT WORKS via LTE and via OpenVPN....I know for a fact that .246 is not assigned to any other device because 1.1 through 1-.99 and .200-.254 is outside the DHCP pool for static mappings and pfSense keeps you from making two mappings to the same IP address. I have no idea what the heck has happened, but it is working with DHCP....I guess I will try a different IP other than .246 statically and see if that works as well.
You all have no idea how much help you have been to me through this!!!! pfSense is an amazing system and one that I am glad to use because consumer routers just cant handle the data my house throws at them and they die in 6 months. pfSense has yet to fail me other than the hard drive but the drive was 9 years old so not surprising! pfSense FTW!!! Thank you all again!
Now to figure out what device has the MAC 00:21:79:c6:b9:ee that was attempting to modify .246 because that is not the MAC address of the NVR and no devices in my DHCP static mappings nor in my DHCP leases have that MAC address....oh well...at least the accessibility problem is resolved and I will deal with the Unidentified Wireless Device next.
-
Well quick lookup of that mac 00:21:79 shows its IOGEAR, inc
http://www.macvendorlookup.com/
-
After getting the NVR set up on a different IP and starting my search for the unknown device, when I did the MAC lookup and it said IOGEAR, I knew exactly what it was. The NVR is in a secure cabinet a good distance away from the wired part of my network so I use an IOGEAR Ethernet to WLAN bridge which for some reason decided not to stay on its assigned IP of .252 and went rouge on .246 when it was connected to the NVR. When I changed the NVR IP it went back to its .252 and has stayed there since and everything is running great!
I am glad I know what the problem was so if it does happen again, I should be able to get it fixed.
One more quick question: Would creating Static ARP Entries for my Static Mappings have anything to do with this issue occurring?