Stupid port forwarding question
-
positive, even just had someone else test for me from their office.
-
Doing an online nmap of my ddns address at 32400, 1194, finds it open, 4040 and 4050, it says, are closed. I just don't get it.
-
did you apply the port forward? You sure the packets are getting to you.. Its possible your isp blocks them. As per the troubleshooting guide sniff on pfsense wan.. Try and access it from outside, do you see the access. canyouseeme.org is great for this..
You could try doing the port forward again. Its possible the rules didn't get applied.. You forget to click apply, etc..
edit: offices are HORRIBLE testing.. Most companies if of any size block outbound on oddball ports, go through a proxy etc..
-
I don't know if this also helps, but I've done port forwarding for quite a few scenarios but for this particular one just won't work whatever I try. Nothing is firewalled from this guy's office, and I can't see it in canyouseeme or doing an online nmap for that port. It's not my ISP, I've even tried doing it on 80 and it won't work it's driving me crazy.
-
Again per the troubleshooting doc.. Sniff - do you see the packets hit your wan.. if so sniff on lan - do you see the packets sent to your server 192.168.1.6 address?
Ok, I just installed it on a unbuntu vm I have at the house.. Grabbed
root@ubuntu:/tmp# wget http://madsonic.org/download/5.1/20150831_madsonic-5.1.5260.deb
installed jre
Setting up madsonic (5260) …
Adding system startup for /etc/init.d/madsonic ...
/etc/rc0.d/K99madsonic -> ../init.d/madsonic
/etc/rc1.d/K99madsonic -> ../init.d/madsonic
/etc/rc6.d/K99madsonic -> ../init.d/madsonic
/etc/rc2.d/S99madsonic -> ../init.d/madsonic
/etc/rc3.d/S99madsonic -> ../init.d/madsonic
/etc/rc4.d/S99madsonic -> ../init.d/madsonic
/etc/rc5.d/S99madsonic -> ../init.d/madsonic
Started Madsonic [PID 5547, /var/madsonic/madsonic_sh.log]
root@ubuntu:/tmp#hit up 192.168.9.7:4040 the box installed it too and see the webpage.. Then created port forward for 4040 tcp to 192.168.9.7 and bing bang zoom can get to it from the outside.. Total time like 1 minute from time of wget and hitting it from the outside..
So I would validate traffic is even getting to your public IP.. You sure your not behind a nat, and you had forwarded your 32400 on the nat device infront of your pfsense before hand?
-
oh dude - well this is wrong!! That needs to be set to wan address.
I don't know how your 32400 is working with that.. dest needs to be set to wan address!! Should of spotted that right off the gate..
-
How does plex work then? :o I had tried with WAN address, destroying the rule, then using Any. Nothing seems to work and it makes absolutely no sense why this isn't working to me. I have enabled logging on that rule and see nothing for this traffic. It doesn't make any sense that an ISP would block both 4040 and 8080 and allow literally any other port I can think of. I guess sniffing to see where this traffic stopping in the first place would be my only way to handle it. I do have an ISP router, that was supposedly supposed to be able to be put into bridge mode, but the ISP DHCP server would randomly boot me and no one from tech support could tell me any reason why. What I ended up doing is giving the pfsense device it's own static IP on the ISP device's 192.168.0.* LAN and making one giant all encompassing rule that forwards all traffic on any protocol or port to the pfsense box and I've never had a problem with anything but this ever since.
-
you mean you put pfsense in dmz host of your isp router? Or you created some forward for all ports in a range?
All kinds of weird stuff can happen behind a double nat.. So for example with napt which is what your isp router is doing and pfsense is doing you could have something else using the port.
So lets say you make a connection to something on internet from your machine 192.168.1.100:1490 – 1.2.3.4:80, pfsense would nat that to 192.168.0.x:somethingelse as source maybe 41140 or something. Then your isp router would change it again to your public IP:4040 -- 1.2.3.4:80 maybe you got unlucky there?
If saying your logging the rule and you see no hits points to pfsense not ever seeing the traffic, if it never sees the traffic it for sure can not foruard it.
Creating a rule that forwards say 1024-65k is going to have issues. What does that router do for its source ports for traffic it needs to send out that you created from behind it? The more nats you have the more likely you are to run into some issue. It is always best to only have 1 nat from your private networks to the internet.
And I can tell you for sure that * for a dest is wrong in the pfsense forwarding setup. It shouldn't work at all.. As the troubleshooting guide goes over - sniff to see if your seeing the traffic at pfsense wan.. If its not there nothing pfsense can do that is for sure. Once you see it there, then validate that pfsense is sending it on via sniff and see if you get an answer.
As I showed you this really should be clickity clickity 1 minute tops to get up and running.
-
Plex Works, the webserver on 8082 works, the VPN server on 1194 works… all through using my DDNS address or my actual IP. I just don't wrap my head around why this wouldn't
-
I do have some external servers I have control of, is there a way to use tcpdump or some other CLI based tool, on that specific port and see exactly where the traffic is stopping so I can try to remedy this?
-
well dude again have you done the sniff it takes 2 seconds to sniff!!
Is the traffic getting to pfsense or not..
edit: dude packet capture is built right into pfsense gui.. Diag, Packet Capture – Pick your interface, pick your port and hit start.. See attached.
-
I already said no the packets are not showing in the log enabled for that rule. I'm not lazy I'm willing to try anything I know how to do to get it fixed. I was just asking of some way of seeing where the traffic is stopping, because it is not making it to pf.
-
well if its not making it to pfsense.. Is it making it to your isp router?? Does it have a packet capture option, does it show you state table. Does it show you hits on its port forward rules?
Did you try bouncing your isp router to clear up its state table if you can not flush it from its gui or view it?
As to no hits on the rule doesn't actually rule out something else wrong.. I would do the sniff on pfsense to be freaking sure the packets are not getting there.. But what I can tell you from all the threads I have read and helped with port forwarding - I do not recall it ever being a pfsense issue.. Its always pebkac or traffic just not there for pfsense to forward.
edit: and I have been here for quite some time ;) October 18, 2007, 07:09:13 pm is when I registered on the board.. almost 9 freaking year - wow did that go fast…
-
The ISP router is a POS and doesn't offer really options like that and I didn't think customer service at the ISP would be much more help that why before I call them I wanted to be armed with "well I can see the traffic stopping at your router". That way I could at least complain and get them to send someone out with possibly a new or better router, or something that actually goes into bridge mode and lets pfsense be the actual router. Is there some command I can execute like for instance, I can use pingplotter on windows to see even on a particular port, which exact hop that traffic is stopping. Is there something I can run from linux CLI on another server that would give me this type of info?
-
no not really.. Your saying some traffic working.. The fact that your sniffing on pfsense and show them your forward and no traffic being seen.. And then do a test for one of your other forwards would show them for sure its their network or device.
You could sniff at where your sending it.. do you get back an rst or get back a icmp port not open from some other IP??
-
Yes I just see the port as not open from nmap on a remote server, and from canyouseeme.org or anywhere else. Like I said I've done a bunch of port forwarding, I was just looking for some king of proof before calling to bitch at the ISP, because I didn't think the port forward was wrong, and the fact that some work and other don't all point towards it being their equipment. I was just hoping to have some pingplotter on 8080 type of deal to be able to say "here is every hop this traffic takes and stops at your device, why?" is all.