Some Port Forwarding some not?
-
OK then, post screens of your NAT and WAN rules.
-
Kom thanks for taking the time here.
I posted what you requested, including the aliases.
![NAT Rules.jpg](/public/imported_attachments/1/NAT Rules.jpg)
![WAN Rules.jpg](/public/imported_attachments/1/WAN Rules.jpg)
![port alias.jpg](/public/imported_attachments/1/port alias.jpg)
-
That looks good. You're sure you're not running WebGUI on 80? Check your web server's access log. Do you see anything? The rule shows that some traffic (69KB) has been processed. You could also run packet captures on WAN and LAN to see what's going on with the traffic. Have you gone through this doc yet:
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
sockstat -P tcp | grep :80
-
49152 to 65535.. That is a shitton of passive ports.. Do you really plan on having like 16000-some users on your ftp server at the same time?
You have your printer open to the public internet?? Are you wanting printouts of goatse or something? Why do you have 1900 open to your plex.. That is sure not required for remote access to your plex..
-
49152 to 65535.. That is a shitton of passive ports.. Do you really plan on having like 16000-some users on your ftp server at the same time?
Probably some popular pr0n FTP server. :D
-
@doktornotor I tried your sockstat command and it came back as blank in ssh.
@Kom "Not running WebGUI on 80": I believe I'm not. Is there any other spot it would need changing than the "System > Advanced > Admin Access" top 3 config items? Protocol, SSL Cert, TCP Port. I am providing my screen.
I am wondering if I should start with a fresh install and open the ports first, I just have a lot of settings. I guess I can back up the critical settings individually and start new, then load those that are basic (DHCP, interfaces, aliases, VLANs).
-
is there any other spot
No I think that's it. Did you go through the troubleshooting guide item by item? Did you try any of my suggestions, like checking your server log or doing a packet capture?
-
Have you unticked the WebGUI redirect in System > Advanced > Admin Access?
-
Doktornotor, it was checked. I did just uncheck it and still same issue.
Wouldn't this be checked, since I do not want it to bypass the listening port I have configured? That's what I am reading into it.
WebGUI redirect - Disable webConfigurator redirect rule
When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

@Kom, I did as stated under #5: did a port capture on WAN first, then I did local IP. The WAN capture is in the attachment and it looks like there is some traffic, but local IP had no traffic in the capture. Can I assume between WAN and local it's trapped or not getting down?
I also checked the states section, and see no traffic coming inbound to port 80, so they look to be conflicting outputs.
I have another PC available, I think I will create a new pfsense box 'plain vanilla' and try from scratch to see if that works. Greatly appreciate all your inputs that have been useful. I will let you know if the new box does open the port.
[iphone to IP and www.txt](/public/imported_attachments/1/iphone to IP and www.txt)
-
I meant to disable the redirect. (No idea what's the current state of "tick this to disable that" code review, probably went nowhere.)
Other than that, there are logs and packet capture. No point in another 20 random guesses. E.g., 80 is often blocked by ISPs for SOHO customers.
-
Totally Perplexing now. Fired up a new clean install pfsense, Just one NAT forwarding for HTTP and still no visible webserver. Ok time to call ISP again. Called yesterday and they said they are not blocking 80 and all dns records are correctly configured.
-
Can I assume between WAN and local it's trapped or not getting down?
Perhaps. How are you testing again? From the WAN side or LAN side?
-
Why do you need to call the ISP to see if they are blocking.. A 2 second test of packet capture on wan - and then going to something like can you see me . org tells you right away if 80 is allowed inbound to your IP..
You can call your ISP all you want, but until you do this simple test you're not going to have proof one way or the other..
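
The WAN-versus-LAN capture comparison suggested throughout this thread can be scripted. The following is an added example, not part of any post above: it reads the text output of `tcpdump -n` from both interfaces and reports where the forwarded connection stops. The addresses, sample captures and function names are constructed for illustration, and it assumes the forward keeps the same destination port.

```python
import re

# One TCP packet line from `tcpdump -n` text output (numeric hosts and ports).
PKT = re.compile(r"IP \S+\.(\d+) > \S+\.(\d+): Flags \[([^\]]+)\]")

def summarize(capture, port):
    """Count inbound SYNs to `port` and SYN-ACK / RST replies sent from it."""
    seen = {"syn": 0, "synack": 0, "rst": 0}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3)
        if flags == "S" and dport == port:
            seen["syn"] += 1
        elif flags == "S." and sport == port:
            seen["synack"] += 1
        elif "R" in flags and sport == port:
            seen["rst"] += 1
    return seen

def diagnose(wan_capture, lan_capture, port=80):
    """Compare the two captures and name the hop where the connection dies."""
    wan, lan = summarize(wan_capture, port), summarize(lan_capture, port)
    if wan["syn"] == 0:
        return "no SYN on WAN: blocked upstream (ISP/modem) or test run from the LAN side"
    if lan["syn"] == 0:
        if wan["synack"] or wan["rst"]:
            return "WAN answered, nothing on LAN: the firewall itself is replying (e.g. WebGUI redirect)"
        return "SYN on WAN, none on LAN: NAT/WAN rule not matching or wrong target"
    if lan["synack"] == 0:
        return "SYN reaches server, no SYN-ACK: not listening, host firewall, or wrong gateway"
    return "handshake seen on LAN: forward works"

# Constructed sample captures (documentation address ranges, not real hosts).
WAN_ONLY = """\
12:00:01.000000 IP 203.0.113.7.51514 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000000 IP 203.0.113.7.51514 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0
"""
LAN_OK = """\
12:00:01.000100 IP 203.0.113.7.51514 > 192.168.1.50.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000400 IP 192.168.1.50.80 > 203.0.113.7.51514: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    print(diagnose(WAN_ONLY, ""))      # traffic on WAN, empty LAN capture
    print(diagnose(WAN_ONLY, LAN_OK))  # working forward
```
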