Netgate Discussion Forum
    Problem 'opening' ports

    Firewalling
julio.uk:

Well, after a few days looking for information I can't find a solution for this. I think there is something blocking traffic but I can't see where. The point is, I'm trying to implement two SSH servers (for testing): the first one is running on port 22 and the second on 2222. Both are accessible on the LAN, but only the server on 22 is reachable across the WAN. I scanned the ports of the server and I only have 22, 53, 80 and 443, but not port 2222.

I have this schema (NAT forwarding for both ports):

wan(22)    -> firewall(NAT-forwarding) -> VLAN -> server1(22)    [this is working]
wan(2222) -> firewall(NAT-forwarding) -> VLAN -> server1(2222) [this is not working]

I tried to do the same on another platform and it works fine. I'm using HAProxy on the server, but it only takes ports 80 and 443. This testing environment is on an ESXi server; the ESXi firewall looks, I don't know what to check. Any hint?

Thanks!!

Nullity:

@julio.uk: [quoting the original post above]

        From an external host, if you attempt to connect to port 2222 while running tcpdump you should see which IP is blocking access. This would determine whether your ISP is blocking it or if you still have some misconfiguration on your side.

        You could also run tcpdump on pfSense and/or server1 to see where the packets are stopping, assuming it's somewhere within your network.

Please correct any obvious misinformation in my posts.
-Not a professional; an arrogant ignoramus.

julio.uk:
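Nullity's capture-at-each-hop method, worked through as an added example that is not part of the original thread. It takes the text of tcpdump captures from the external client, the pfSense WAN side, the pfSense VLAN side and the server, counts the SYN, SYN-ACK and RST segments for the forwarded port, and says which hop the SYN failed to pass. Interface names (em0, em1, vmx0), the addresses and every capture line below are constructed; only the tcpdump options and filter syntax are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Capture at each point while the
# external client retries the port, then feed each capture's text to
# diagnose(). Interface names and addresses are assumptions.
#
#   pfSense WAN side:  tcpdump -ni em0  'tcp port 2222 and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'
#   pfSense VLAN side: tcpdump -ni em1  'tcp port 2222 and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'
#   server:            tcpdump -ni vmx0 'tcp port 2222 and tcp[tcpflags] & (tcp-syn|tcp-rst) != 0'

PORT=2222

# SYNs (Flags [S]) addressed to $PORT in the capture text given as $1.
# Matches numeric output (-n) and the service name tcpdump prints for 2222 without -n.
syn_count() {
    printf '%s\n' "$1" | grep -Ec "\.($PORT|rockwell-csp2): Flags \[S\]" || true
}

# SYN-ACKs (Flags [S.]) sent from $PORT, i.e. the service answering.
synack_count() {
    printf '%s\n' "$1" | grep -Ec "\.($PORT|rockwell-csp2) > .*Flags \[S\.\]" || true
}

# RSTs sent from $PORT: a host was reached but nothing is listening there.
rst_count() {
    printf '%s\n' "$1" | grep -Ec "\.($PORT|rockwell-csp2) > .*Flags \[R" || true
}

# What the external client's own capture already tells you.
client_verdict() {
    if   [ "$(synack_count "$1")" -gt 0 ]; then echo "answered"
    elif [ "$(rst_count "$1")" -gt 0 ];    then echo "refused"           # a host replied, no listener
    elif [ "$(syn_count "$1")" -gt 1 ];    then echo "silently-dropped"  # SYN retransmitted, no reply at all
    else echo "no-data"
    fi
}

# Localise the drop from captures taken on the WAN side, VLAN side and server.
diagnose() {
    wan=$1; lan=$2; host=$3
    if   [ "$(syn_count "$wan")" -eq 0 ];     then echo "upstream" # never reaches pfSense: provider/ISP filter
    elif [ "$(syn_count "$lan")" -eq 0 ];     then echo "pfsense"  # on WAN, not forwarded: NAT/firewall rule
    elif [ "$(syn_count "$host")" -eq 0 ];    then echo "path"     # left pfSense, never hit the VM: hypervisor/host filter
    elif [ "$(synack_count "$host")" -eq 0 ]; then echo "server"   # arrived, no SYN-ACK: no listener or host firewall
    else echo "answered"                                           # server replied; look at the return path
    fi
}

# Constructed client capture shaped like the one in the thread: the same SYN
# retransmitted with growing intervals and nothing coming back.
CLIENT_CAP='17:46:55.759531 IP 198.51.100.7.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:56.761145 IP 198.51.100.7.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:58.765254 IP 198.51.100.7.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0'

# Constructed captures taken at the same time on pfSense and the VM: empty,
# i.e. tcpdump matched nothing, which is the "filter in front of you" case.
WAN_CAP=''
LAN_CAP=''
HOST_CAP=''

# Constructed server capture for the other failure: SYN arrives, no listener on 2222.
HOST_CAP_REFUSED='17:46:55.760001 IP 198.51.100.7.57441 > 10.10.20.5.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:55.760050 IP 10.10.20.5.2222 > 198.51.100.7.57441: Flags [R.], seq 0, ack 1881700304, win 0, length 0'

demo() {
    echo "client sees:        $(client_verdict "$CLIENT_CAP")"
    echo "drop is at:         $(diagnose "$WAN_CAP" "$LAN_CAP" "$HOST_CAP")"
    echo "listener down case: $(diagnose "$CLIENT_CAP" "$CLIENT_CAP" "$HOST_CAP_REFUSED")"
}
demo
```

The distinction the client capture alone gives is between a silent drop (the SYN keeps being retransmitted and nothing ever comes back, which is what a filtering firewall in the path produces) and a refusal (an RST comes back, so the packet reached a host and the problem is the service, not the network). The three-hop comparison then narrows a silent drop to the segment where the SYN disappears.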

@Nullity: [quoting the reply above]

Hi, thanks to all. Well, I executed tcpdump on both sides; on the client I got this:

[code]
17:46:55.759531 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263744818 ecr 0,sackOK,eol], length 0
17:46:56.761145 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263745818 ecr 0,sackOK,eol], length 0
17:46:57.763523 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263746818 ecr 0,sackOK,eol], length 0
17:46:58.765254 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263747818 ecr 0,sackOK,eol], length 0
17:46:59.770129 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263748818 ecr 0,sackOK,eol], length 0
17:47:00.771967 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263749818 ecr 0,sackOK,eol], length 0
17:47:02.779654 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263751818 ecr 0,sackOK,eol], length 0
17:47:06.788510 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263755818 ecr 0,sackOK,eol], length 0
17:47:14.800564 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263763818 ecr 0,sackOK,eol], length 0
17:47:30.826908 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263779818 ecr 0,sackOK,eol], length 0
17:48:02.879095 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,sackOK,eol], length 0
[/code]

and on the server, nothing:

[code]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
7477 packets received by filter
0 packets dropped by kernel
[/code]

I see nothing in the client output; looks correct, right?

PS: If I try to test the port by putting the WAN IP in the pfSense port test, pfSense says 'Connection failed.'
          
Derelict (LAYER 8, Netgate):

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

julio.uk:

              @Derelict:

              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Thanks for the info. I checked the list but everything is OK; I don't see any packets. I tried moving the SSH server to port 53 (DNS) temporarily and tested it, and it works fine; I can see the server receiving the packets. After this I tried adding a block rule for port 53 and that works too. I'm using this server to experiment with HAProxy; is it possible HAProxy is doing something?

I think there is something blocking the traffic to the server, because tcpdump always gets the packets, right? Even if you have different services, tcpdump just shows you the packets on the interfaces, so if I have no packets there is something in front of the server blocking these ports, right?

julio.uk:

Well, after talking with my server provider and checking their network, everything is running fine; they were using a firewall in front of my server. Thanks everyone for helping me!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.