Netgate Discussion Forum

CanYouSeeMe reports errors for my port forward, can't figure out why.

NAT
    Derelict LAYER 8 Netgate
    last edited by Sep 2, 2017, 8:35 PM

    Connection refused means the test server received a RST,ACK instead of a SYN,ACK when it tried to connect.

    This probably means the ports are being forwarded to something that is refusing the connection for some reason. This is often a local firewall on the target device rejecting connections from outside its local subnet. It could also mean the target server is not listening on the port that is forwarded to it.

    You will probably have to post more details about exactly what you have forwarded, on what interface, to where.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

      nicolaj
      Sep 2, 2017, 8:50 PM (last edited Sep 2, 2017, 9:28 PM)

      The entire network map looks like this. ISP > igb0 > pfsense > igb1(192.168.1.1) > n56u switch(192.168.1.2) > 192.168.1.101 win2012 & 192.168.1.100 win8.1.

      49998 is forwarded from 192.168.1.1 to 192.168.1.101
      49999 is forwarded from 192.168.1.1 to 192.168.1.100

      win8 and win2012 both have local firewall on, but no errors on anything refused.

        Derelict LAYER 8 Netgate
        last edited by Sep 2, 2017, 8:51 PM

        You can't have 192.168.1.0/24 on both sides of the firewall (or any router). You will have to change one of them.

          nicolaj
          last edited by Sep 2, 2017, 8:52 PM

          What do you mean "both sides"?

            Derelict LAYER 8 Netgate
            last edited by Sep 2, 2017, 9:14 PM

            49998 is forwarded from 192.168.1.1 to 192.168.1.101
            49999 is forwarded from 192.168.1.1 to 192.168.1.100

            Sorry. Your diagram is lame.

            That looks to indicate your WAN is also 192.168.1.1.

            How about screen shots instead.

              nicolaj
              Sep 2, 2017, 9:20 PM (last edited Sep 2, 2017, 9:28 PM)

              ISP is WAN. How would you type it? I suppose I could move the IP to igb1.
              Which page do you want me to screenshot?

                Derelict LAYER 8 Netgate
                last edited by Sep 2, 2017, 10:37 PM

                The port forwards and the corresponding firewall rules.

                  nicolaj
                  Sep 2, 2017, 11:47 PM (last edited Sep 2, 2017, 11:57 PM)

                  Aren't those the ones I attached in the OP?

                    Derelict LAYER 8 Netgate
                    last edited by Sep 3, 2017, 12:31 AM

                    Ugh yeah. Sorry.

                    What does a packet capture on WAN show filtered on one of those ports when you test to that port?

                      nicolaj
                      Sep 3, 2017, 12:36 AM (last edited Sep 3, 2017, 12:43 AM)

                      You want me to post the whole thing? Should I blank out IPs?
                      I started it entering 49998 in the port and let it run for 5 secs while I used CanYouSeeMe. The majority is TCP, but there's some UDP in there as well.

                      Edit: So I just did it with 49999 instead as that is used a lot less. I got 4 of these "tcp 0" from the same ip:port to my WAN ip:49999 while I used CanYouSeeMe to test port 49999.

                        Derelict LAYER 8 Netgate
                        last edited by Sep 3, 2017, 12:51 AM

                        Capture and post with detail full. Whether or not you edit out your WAN address is up to you. If you don't want to, just send a PM. If you do obfuscate, please make it clear where the WAN address was, like use WAN_ADDRESS or something.

                          nicolaj
                          Sep 3, 2017, 12:56 AM (last edited Sep 3, 2017, 1:00 AM)

                          02:56:34.878134 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50153, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2d18 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412048 ecr 0,nop,wscale 7], length 0
                          02:56:35.874878 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50154, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2c1e (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412298 ecr 0,nop,wscale 7], length 0
                          02:56:37.879009 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50155, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2a29 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412799 ecr 0,nop,wscale 7], length 0
                          02:56:41.882870 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50156, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2640 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461413800 ecr 0,nop,wscale 7], length 0

                            Derelict LAYER 8 Netgate
                            last edited by Sep 3, 2017, 1:01 AM

                            OK do the same thing filtering on the same port but on the inside interface with the target host on it - such as LAN.

                            You should see traffic sourced from the same 52.202.215.126 address (or maybe a different one in the CanYouSeeMe pool), but the destination will be 192.168.1.100.49999.

                              nicolaj
                              last edited by Sep 3, 2017, 1:04 AM

                              03:03:16.899181 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24425, offset 0, flags [DF], proto TCP (6), length 60)
                                  52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x880c (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512555 ecr 0,nop,wscale 7], length 0
                              03:03:17.898866 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24426, offset 0, flags [DF], proto TCP (6), length 60)
                                  52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8712 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512805 ecr 0,nop,wscale 7], length 0
                              03:03:19.902765 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24427, offset 0, flags [DF], proto TCP (6), length 60)
                                  52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x851d (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461513306 ecr 0,nop,wscale 7], length 0
                              03:03:23.910745 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24428, offset 0, flags [DF], proto TCP (6), length 60)
                                  52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8133 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461514308 ecr 0,nop,wscale 7], length 0

                              Like that?

                                Derelict LAYER 8 Netgate
                                last edited by Sep 3, 2017, 1:10 AM

                                Yeah. So pfsense is doing everything right. It is translating the destination address and sending out the local interface.

                                There is no response from the target host.

                                The short list is:

                                1. Firewall (think windows firewall) on 192.168.1.100 blocking the connection sourced from the "foreign address"
                                2. default gateway on 192.168.1.100 pointing somewhere other than pfSense.

                                Long list: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                                  nicolaj
                                  Sep 3, 2017, 1:15 AM (last edited Sep 3, 2017, 1:26 AM)

                                  These are the network details, which rules out #2. So in theory it's Windows Firewall, or are we certain it's Windows Firewall?
                                  But I have 0 errors or anything in Windows Firewall; would you happen to know how to view denied requests?
                                  I don't have any network-modifying apps installed, and it's just the default Windows Firewall setting. On my desktop I've got stuff like Steam, Dropbox, Afterburner etc. installed. Nothing out of the ordinary.

                                  Udklip.PNG

                                    Derelict LAYER 8 Netgate
                                    last edited by Sep 3, 2017, 1:25 AM

                                    No theory. Look at the PCAPs. They don't lie. SYN, SYN, SYN, SYN (represented there by [ S ]) and no SYN/ACK from the target.

                                    There is a standard surrounding how TCP connections are established. https://en.wikipedia.org/wiki/Transmission_Control_Protocol

                                    The next step in the handshake is a SYN,ACK from the server, which will be represented looking something like this there:

                                     192.168.1.100.49999 > 52.202.215.126.37581: Flags [S.]

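The check Derelict is applying in this reply and in the first one (RST/ACK back means "connection refused"; SYN/ACK back means the forward works; repeated SYNs with nothing back means the target or its return path is eating the packets), written out as an added example that is not part of the thread and not pfSense code. It parses the tcpdump output format posted above, groups each client's SYNs toward the forwarded port with whatever the target sent back, and reports one of the three outcomes per flow, together with the SYN/ACK line that should have appeared. The sample capture is constructed: the first flow copies the shape of the LAN-side capture posted above, while the 198.51.100.7 and 203.0.113.9 flows are made up here to show the refused and open cases. All function names are mine.

```python
import re
from collections import defaultdict

# Matches the "src.port > dst.port: Flags [X] ... seq N" part of a tcpdump line.
# In the two-line verbose output posted in the thread that part sits on the
# indented continuation line, so matching line by line handles both formats.
FLOW_RE = re.compile(
    r"(?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:.*?\bseq (?P<seq>\d+))?"
)

def parse_packets(capture_text):
    """One dict per TCP packet found in tcpdump text; header and non-TCP lines are skipped."""
    packets = []
    for line in capture_text.splitlines():
        m = FLOW_RE.search(line)
        if m is None:
            continue
        packets.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"],
            "seq": int(m["seq"]) if m["seq"] else None,
        })
    return packets

def is_syn_only(flags):
    """[S] is the client's SYN; [S.] is the SYN/ACK the server should answer with."""
    return "S" in flags and "." not in flags

def classify_flows(packets, service_port):
    """Group packets into (client, client_port, server) flows toward service_port
    and say, per flow, what the target did with the handshake."""
    flows = defaultdict(lambda: {"syn": [], "reply": []})
    for p in packets:
        if p["dport"] == service_port and is_syn_only(p["flags"]):
            flows[(p["src"], p["sport"], p["dst"])]["syn"].append(p)
        elif p["sport"] == service_port:  # anything the target sent back
            flows[(p["dst"], p["dport"], p["src"])]["reply"].append(p)

    verdicts = {}
    for key, f in flows.items():
        reply_flags = [r["flags"] for r in f["reply"]]
        if any("S" in fl and "." in fl for fl in reply_flags):
            verdict = "open: SYN/ACK returned, handshake proceeding"
        elif any("R" in fl for fl in reply_flags):
            # this is what CanYouSeeMe reports as "connection refused"
            verdict = "refused: RST returned (nothing listening on the port, or the host rejecting it)"
        elif f["syn"]:
            retrans = len(f["syn"]) - 1
            same_seq = len({p["seq"] for p in f["syn"]}) == 1
            verdict = (
                f"no response: {len(f['syn'])} SYN(s), {retrans} retransmission(s)"
                + (" of the same seq" if retrans and same_seq else "")
                + "; target dropped it silently (host firewall) or its replies leave via another gateway"
            )
        else:
            verdict = "replies only: capture started after the SYN"
        verdicts[key] = verdict
    return verdicts

def expected_syn_ack(client, client_port, server, server_port):
    """The reply line a healthy target would have produced in the same capture."""
    return f"{server}.{server_port} > {client}.{client_port}: Flags [S.]"

def diagnose(capture_text, service_port):
    """Return {flow: (verdict, SYN/ACK line to look for)} for every flow to service_port."""
    verdicts = classify_flows(parse_packets(capture_text), service_port)
    return {k: (v, expected_syn_ack(k[0], k[1], k[2], service_port)) for k, v in verdicts.items()}

# Constructed sample capture. The first flow copies the shape of the LAN-side capture
# in the thread (one SYN retransmitted three times, never answered); the 198.51.100.7
# and 203.0.113.9 flows are made up to show what "refused" and "open" look like.
SAMPLE_CAPTURE = """\
03:03:16.899181 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24425, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x880c (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512555 ecr 0,nop,wscale 7], length 0
03:03:17.898866 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24426, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8712 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512805 ecr 0,nop,wscale 7], length 0
03:03:19.902765 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24427, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x851d (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461513306 ecr 0,nop,wscale 7], length 0
03:03:23.910745 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24428, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8133 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461514308 ecr 0,nop,wscale 7], length 0
03:05:00.000001 IP 198.51.100.7.40001 > 192.168.1.100.49999: Flags [S], seq 1111, win 29200, length 0
03:05:00.000120 IP 192.168.1.100.49999 > 198.51.100.7.40001: Flags [R.], seq 0, ack 1112, win 0, length 0
03:06:00.000001 IP 203.0.113.9.51515 > 192.168.1.100.49999: Flags [S], seq 2222, win 29200, length 0
03:06:00.000090 IP 192.168.1.100.49999 > 203.0.113.9.51515: Flags [S.], seq 3333, ack 2223, win 65535, length 0
03:06:00.000150 IP 203.0.113.9.51515 > 192.168.1.100.49999: Flags [.], ack 3334, win 229, length 0
"""

if __name__ == "__main__":
    for (client, cport, server), (verdict, want) in diagnose(SAMPLE_CAPTURE, 49999).items():
        print(f"{client}:{cport} -> {server}:49999  {verdict}")
        print(f"    reply to look for: {want}")
```

Run it against a capture taken on the inside interface (the LAN-side one in the thread, filtered on the forwarded port): a flow that shows only SYNs with the same sequence number is exactly the pattern Derelict points at, and the "reply to look for" line is the `[S.]` packet that is missing from that capture.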
                                      nicolaj
                                      last edited by Sep 3, 2017, 1:29 AM

                                      Alright. Do you have any idea how to find that in Windows Firewall? I've looked everywhere in advanced settings and it's just all green. No errors anywhere.
                                      Oh, and now that we're talking Windows Firewall: is there actually a point in having it running at the same time as the pfSense firewall?
                                      Sure, it's stopping a CanYouSeeMe request, but I was literally punching in the port number on the website, nothing I'd normally be doing.

                                        Derelict LAYER 8 Netgate
                                        last edited by Sep 3, 2017, 1:36 AM

                                        idk man. that is a call you will have to make.

                                          nicolaj
                                          Sep 3, 2017, 1:40 AM (last edited Sep 3, 2017, 1:49 AM)

                                          Event viewer shows nothing as well. I have zero idea how those requests are getting rejected.
                                          Edit: Even tried manually adding the ports to a rule in Windows Firewall, no change.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.