Netgate Discussion Forum

    Can't reach own server (HTTP) from outside the network

    35 Posts 3 Posters 4.3k Views
    • brechtb

      @Derelict:

      Dude. Did you go through the checklist here?

      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

      That covers about every possible thing that could keep your port forward from working.

      Yes dude, I checked the checklist here, client allows port 5050 in the firewall, client has default gateway address pointing to the pfsense router, ISP doesn't block it (it worked with my previous router), there's a router before pfsense too (my modem) and there the port forwards are also set (I left it like it was with my previous setup that worked), I have no virtual IP, that may be the problem maybe? The WAN connection is set as the default gateway. I can access the website through LAN. WAN rules don't have a gateway set.

      Really, I checked it and it seems to be configured correctly, I just followed the guide on portforwards in pfSense and did exactly like the guide said.

      I understand that you might be a bit frustrated because you might think that I'm not listening to you, but I am, I want this problem to be solved too and I'm doing all the suggestions you give me, thanks BTW.

      At first I thought it might be a DNS problem, but when I try to connect to the website via IP address it also doesn't work.

      • Derelict LAYER 8 Netgate

        My problem is if you had done all that it would be working.

        Guess packet captures of connection attempts on all the pertinent interfaces are in order.

        Anything interesting in the firewall logs filtered on port 5050?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • brechtb

          I cleared the log file in Status > System Logs > Firewall > Normal View, then I browsed to the website on port 5050 (WAN1) and there is no entry in the logfile for that port.

          I attached a screenshot of a part of the log file.

          If the firewall doesn't block it, does that mean that the portforward is correctly configured and that it is another problem?

          Sorry, I didn't filter it, but I attached a filtered view, no entries….

          Capture.PNG
          Capture.PNG

          • Derelict LAYER 8 Netgate

            Or it means the traffic is not arriving on WAN1 in the first place. I would packet capture on port 5050 on WAN1, attempt again, and see what it shows.

            • brechtb

              Yes, you are right, no packets are captured on port 5050,

              So it is a problem with something else…

              Attached is how my setup is configured

              EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:

              11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
              11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
              11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
              11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
              11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
              11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0

              The first IP is correct, the second IP is an old public IP (I have a dynamic IP)

              Capture.PNG

              • Derelict LAYER 8 Netgate

                It must be in the upstream device. Have to look there. pfSense can't do anything with packets it doesn't receive.

                • brechtb

                  EDIT: there are packets captured, I didn't know that I had to stop the packet capturing to see the results, here are the results:

                  11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                  11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                  11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
                  11:44:46.815748 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                  11:44:47.830415 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0
                  11:44:49.831286 IP 81.240.101.105.31786 > 109.134.116.205.5050: tcp 0

                  The first IP is correct, the second IP is an old public IP (I have a dynamic IP)

                  • Derelict LAYER 8 Netgate

                    What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.

                    If 109.134.116.205 is not WAN1 address your port forwards won't match.

                    • brechtb

                      @Derelict:

                      What do you mean old? If it is not an IP address the firewall thinks is valid the packets will not be processed properly.

                      By old IP address I mean, I got this IP 109.134.116.205 on WAN1 (PPPOE), then I rebooted pfSense and I got 81.240.101.105 as public IP, so why is there a previous IP in the packet capture?

                      edit,

                      Ok so I went to http://81.240.101.105:5050/ and now I get this:

                      11:52:55.236104 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                      11:52:56.242128 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                      11:52:58.255926 IP 81.240.101.105.49690 > 192.168.1.2.5050: tcp 0
                      11:53:04.169001 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
                      11:53:05.177315 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0
                      11:53:07.177541 IP 81.240.101.105.40373 > 192.168.1.2.5050: tcp 0

                      But the 192.168.1.2.5050 should be 192.168.1.3:5050

                      That was the old config (reset the backup) TIME FOR A REBOOT

                      • Derelict LAYER 8 Netgate

                        So if you think packets are arriving on WAN1 properly, then the next step is to capture on whatever interface is connected to 192.168.1.2, filtered on port 5050, attempt again, and see what it shows.

                        • brechtb

                          After reboot I get this:

                          11:59:04.197040 IP 91.179.143.196.20247 > 192.168.1.3.5050: tcp 0

                          Now 192.168.1.3 is correct!
                          Still no page to be seen (can't reach this page)

                          • Derelict LAYER 8 Netgate

                            People and their cockamamie ISPs and their cockamamie setups. Lord help me.

                            What does pfSense think its WAN1 address is?

                            • brechtb

                              I did like you asked me, I set the interface on LAN in the packet capture, now it shows this:

                              12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                              12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                              12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                              12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                              12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                              12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0

                              • brechtb

                                @Derelict:

                                People and their cockamamie ISPs and their cockamamie setups. Lord help me.

                                What does pfSense think its WAN1 address is?

                                See attachment

                                Capture2.PNG

                                • Derelict LAYER 8 Netgate

                                  I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.

                                  • brechtb

                                    @Derelict:

                                    I have zero idea about what you are seeing, bro. None. There is something you are not telling us. I am done with this thread for at least 18 hours. Maybe someone else can help.

                                    Ok, thanks anyway, the only thing I didn't say is that I have a Multiwan setup (loadbalancing + failover wan1 + failover wan2)

                                    • johnpoz LAYER 8 Global Moderator

                                      In your drawing you show "modem" with port forwards enabled??  But then you show pfsense with public IPs on its wan..  That makes NO sense..

                                      So you're outside and trying to go to your wan1 IP 91.179.143.196.5050

                                      And you want this 5050 to be forwarded to 192.168.1.2 that is what you show in your port forwards..

                                      Well then why do you show this traffic on your lan from some other box?

                                      12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                                      12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0

                                      What is this 192.168.1.36 machine?  He is trying to access your public wan IP from inside your network, so you want nat reflection to work??  If you want a box on your network to talk to 192.168.1.2 why do you not just talk to it directly vs going to your wan IP via I am guessing some dyndns fqdn that points to your wan??

                                      The traffic you're interested in would be coming from some public IP going to your 192.168.1.2 box that you say is not working.. Well sniff on your wan using this 192.168.1.2 as the host IP or the public IP you're coming from in the packet capture filter so you don't see data that is not what you're looking for.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      • brechtb

                                        Yes the modem doesn't do anything anymore except for some routing, the PPPOE sessions are established on the pfSense router, not on the modem, so the public wan ip's are on pfsense.

                                        I wanted to show that I can access it via LAN, so what I did was packet capture on lan, then I went to 192.168.1.3 (not 2, this was wrong) and these were the results I got…

                                        12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                                        12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                                        12:01:37.301240 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
                                        12:01:46.976702 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                                        12:01:47.968153 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0
                                        12:01:49.975529 IP 192.168.1.36.30729 > 91.179.143.196.5050: tcp 0

                                        EDIT, did the same today and I got no packets, even though I can access the site via lan (192.168.1.3:5050), I see the site... So I guess that was some left over crap

                                        If I do packet capture on WAN1 and go to my WAN1 public IP (91.179.143.196:5050) then I get these results, this was 10 min ago:

                                        11:51:45.744238 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
                                        11:51:46.755526 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0
                                        11:51:48.757056 IP 91.179.143.196.64829 > 192.168.1.3.5050: tcp 0

                                        • johnpoz LAYER 8 Global Moderator

                                          Dude how are you going to your public IP – from a Box inside your network or OUTSIDE.. If you want to test port forwarding you need to come from outside.  If you're inside going to your wan IP that is a nat reflection for port forwarding to work, and is quite often a fail.

                                          If you sniffed on your lan and were coming from outside and you see the traffic going to the IP and port you want IE 192.168.1.3.5050 and you don't get a return then box didn't answer you, or he sent it to a different gateway?

                                          Have you gone through the port forwarding troubleshooting guide?  It really is 1 min to troubleshoot why a port forward might not work..  What I can tell you in all the time I have been here, and all the posts about port forwarding is it's always PEBKAC!!  Forwarding to wrong IP, firewall on the box you're forwarding to.  Service not running or listening on the port being forwarded to.  Going to the wrong IP, pfsense behind a double nat, isp blocking the port from even getting to pfsense, etc. etc. etc..

                                          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                                          If you see traffic on your pfsense lan sending to where you want, and you don't see an answer either the box isn't listening on that port, you're sending it to the wrong box??  Or the box sent the answer elsewhere..  None of which has anything to do with pfsense.. From that sniff you show it sending traffic to 192.168.1.3:5050 -- where is the response??  Since on 192.168.1.3 now does actually see the packets.. Maybe you have dupe IP issue and pfsense sent traffic to wrong mac?

                                          • brechtb

                                            Holy crap, it works, I was testing from inside, not from the outside. I switched off wifi on my phone, went to the wan1 ip and TADA.

                                            So indeed it was PEBKAC, I am turning red now. Well on my previous setup I could access the sites from inside too, so that's why I thought it would work also and never thought to try to access it from the outside.

                                            No way to make it work so that I can access the sites from inside too? Anyway, I'm already glad I can access them from outside.

                                            1 Reply Last reply Reply Quote 0
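
A way to read the low-detail captures posted in this thread, as an added example that is not part of any post and is not Netgate code: it parses the pasted lines and flags the three things the replies kept asking about (a destination that is neither the current WAN address nor the forward target, a test that came from inside, and repeated attempts that never get an answer). The function names and finding labels are this example's own; treating a source equal to the firewall's WAN address or an RFC 1918 address as an inside test is an assumption drawn from how the thread was resolved, and the 203.0.113.7 capture is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Low-detail capture line format, as pasted in the thread.
LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): tcp (\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Yield (seconds, src, sport, dst, dport, payload_len) for each capture line."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if m:
            h, mi, s, src, sport, dst, dport, plen = m.groups()
            yield (int(h) * 3600 + int(mi) * 60 + float(s),
                   src, int(sport), dst, int(dport), int(plen))

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def diagnose(text, wan_ip, server_ip, port):
    """Return sorted finding labels for one capture (labels are this example's own)."""
    flows, answered = defaultdict(list), set()
    for t, src, sport, dst, dport, _ in parse(text):
        if dport == port:
            flows[(src, sport, dst)].append(t)
        elif sport == port:
            answered.add((dst, dport, src))   # reply, keyed like its request
    if not flows:
        return ["no-traffic-on-this-interface"]
    findings = set()
    for (src, sport, dst), times in flows.items():
        if dst not in (wan_ip, server_ip):
            findings.add("unexpected-destination")      # stale WAN IP or old forward target
        if src == wan_ip or is_lan(src):
            findings.add("test-came-from-inside")       # assumption: needs NAT reflection
        if len(times) >= 2 and (src, sport, dst) not in answered:
            findings.add("retransmits-without-reply")   # same 4-tuple repeated, no answer
    return sorted(findings)

# Copied from the thread: WAN1 capture taken while the WAN address was 81.240.101.105.
WAN_CAPTURE = """\
11:44:39.806615 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:40.794383 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
11:44:42.807943 IP 81.240.101.105.12852 > 109.134.116.205.5050: tcp 0
"""
# Copied from the thread: LAN capture taken while the WAN address was 91.179.143.196.
LAN_CAPTURE = """\
12:01:34.271204 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
12:01:35.289181 IP 192.168.1.36.30707 > 91.179.143.196.5050: tcp 0
"""
# Constructed: a request from an outside address (documentation range) that gets a reply.
OUTSIDE_CAPTURE = """\
10:00:00.000000 IP 203.0.113.7.40000 > 192.168.1.3.5050: tcp 0
10:00:00.001000 IP 192.168.1.3.5050 > 203.0.113.7.40000: tcp 0
"""

if __name__ == "__main__":
    for name, cap, wan in (("WAN1", WAN_CAPTURE, "81.240.101.105"),
                           ("LAN", LAN_CAPTURE, "91.179.143.196"),
                           ("outside", OUTSIDE_CAPTURE, "91.179.143.196")):
        print(name, diagnose(cap, wan, "192.168.1.3", 5050))
```

Only the constructed outside capture comes back with no findings, which matches what the thread ended up showing: the forward has to be tested from an address outside the network.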
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.