Netgate Discussion Forum

    CanYouSeeMe reports errors for my port forward, can't figure out why.

    NAT
    27 Posts 2 Posters 6.8k Views
    nicolaj

      What do you mean "both sides"?

      Derelict LAYER 8 Netgate

        49998 is forwarded from 192.168.1.1 to 192.168.1.101
        49999 is forwarded from 192.168.1.1 to 192.168.1.100

        Sorry. Your diagram is lame.

        That looks to indicate your WAN is also 192.168.1.1.

        How about screen shots instead.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        nicolaj

          ISP is WAN. How would you type it? I suppose I could move the IP to igb1.
          Which page do you want me to screenshot?

          Derelict LAYER 8 Netgate

            The port forwards and the corresponding firewall rules.

            nicolaj

              Aren't those the ones I attached in the OP?

              Derelict LAYER 8 Netgate

                Ugh yeah. Sorry.

                What does a packet capture on WAN show filtered on one of those ports when you test to that port?

                nicolaj

                  You want me to post the whole thing? Should I blank out IPs?
                  I started it, entering 49998 in the port, and let it run for 5 secs while I used CanYouSeeMe. The majority is TCP, but there's some UDP in there as well.

                  Edit: So I just did it with 49999 instead, as that is used a lot less. I got 4 of these "tcp 0" from the same ip:port to my WAN ip:49999 while I used CanYouSeeMe to test port 49999.

                  Derelict LAYER 8 Netgate

                    Capture and post with detail full. Whether or not you edit out your WAN address is up to you. If you don't want to, just send a PM. If you do obfuscate, please make it clear where the WAN address was, like use WAN_ADDRESS or something.

                    nicolaj

                      02:56:34.878134 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50153, offset 0, flags [DF], proto TCP (6), length 60)
                          52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2d18 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412048 ecr 0,nop,wscale 7], length 0
                      02:56:35.874878 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50154, offset 0, flags [DF], proto TCP (6), length 60)
                          52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2c1e (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412298 ecr 0,nop,wscale 7], length 0
                      02:56:37.879009 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50155, offset 0, flags [DF], proto TCP (6), length 60)
                          52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2a29 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461412799 ecr 0,nop,wscale 7], length 0
                      02:56:41.882870 08:81:f4:86:b7:98 > 00:0e:c4:d2:7e:3d, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 50156, offset 0, flags [DF], proto TCP (6), length 60)
                          52.202.215.126.37066 > wanip.49999: Flags [S], cksum 0x2640 (correct), seq 2675922233, win 26883, options [mss 1460,sackOK,TS val 461413800 ecr 0,nop,wscale 7], length 0

                        Derelict LAYER 8 Netgate

                        OK, do the same thing filtering on the same port but on the inside interface with the target host on it, such as LAN.

                        You should see traffic sourced from the same 52.202.215.126 address (or maybe a different one in the CanYouSeeMe pool), but the destination will be 192.168.1.100.49999.

                          nicolaj

                          03:03:16.899181 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24425, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x880c (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512555 ecr 0,nop,wscale 7], length 0
                          03:03:17.898866 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24426, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8712 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512805 ecr 0,nop,wscale 7], length 0
                          03:03:19.902765 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24427, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x851d (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461513306 ecr 0,nop,wscale 7], length 0
                          03:03:23.910745 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24428, offset 0, flags [DF], proto TCP (6), length 60)
                              52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8133 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461514308 ecr 0,nop,wscale 7], length 0

                          Like that?

                            Derelict LAYER 8 Netgate

                            Yeah. So pfSense is doing everything right. It is translating the destination address and sending out the local interface.

                            There is no response from the target host.

                            The short list is:

                            1. Firewall (think windows firewall) on 192.168.1.100 blocking the connection sourced from the "foreign address"
                            2. default gateway on 192.168.1.100 pointing somewhere other than pfSense.

                            Long list: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                              nicolaj

                              These are the network details, which rules out #2. So in theory it's Windows Firewall, or are we certain it's Windows Firewall?
                              But I have 0 errors or anything in Windows Firewall. Would you happen to know how to view denied requests?
                              I don't have any network-modifying apps installed, and it's just the default Windows Firewall settings. On my desktop I've got stuff like Steam, Dropbox, Afterburner etc. installed. Nothing out of the ordinary.

                              [Image attachment: Udklip.PNG]

                                Derelict LAYER 8 Netgate

                                No theory. Look at the PCAPs. They don't lie. SYN, SYN, SYN, SYN (represented there by [S]) and no SYN/ACK from the target.

                                There is a standard surrounding how TCP connections are established. https://en.wikipedia.org/wiki/Transmission_Control_Protocol

                                The next step in the handshake is a SYN,ACK from the server, which will be represented looking something like this there:

                                192.168.1.100.49999 > 52.202.215.126.37581: Flags [S.]

                                  nicolaj

                                  All right. Do you have any idea how to find that in Windows Firewall? I've looked everywhere in advanced settings and it's just all green. No errors anywhere.
                                  Oh, and now that we're talking Windows Firewall: is there actually a point in having it running at the same time as the pfSense firewall?
                                  Sure, it's stopping a CanYouSeeMe request, but I was literally punching in the port number on the website, nothing I'd normally be doing.

                                    Derelict LAYER 8 Netgate

                                    idk man. That is a call you will have to make.

                                      nicolaj

                                      Event Viewer shows nothing as well. I have zero idea how those requests are getting rejected.
                                      Edit: Even tried manually adding the ports to a rule in Windows Firewall, no change.

                                        Derelict LAYER 8 Netgate

                                        Disable the firewall and test again. PCAP on the host itself. www.wireshark.org

                                          nicolaj

                                          Disabling the firewall did nothing, so it must be deeper than that. But thanks for the help.

                                          Edit: With the firewall on I get "Reason: Connection timed out". With the firewall off I get "Reason: Connection refused" from CanYouSeeMe.
                                          Edit2: It's 4.06, I'm tired. Might explain it. But I kinda forgot that you have to have a program running that accepts the connection on that port while doing the CanYouSeeMe test. With the firewall off I now have a successful test. Firewall on still fails even though the firewall has a custom rule for that port.

                                            Derelict LAYER 8 Netgate

                                            Then look at the application itself to see why it might be refusing connections from the canyouseeme address.

                                            But I saw nothing in the pcaps you showed to indicate you would have been receiving connection refused there. It should have been receiving connection timed out with no response going back.

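The two diagnoses Derelict draws from the captures (four [S] packets on LAN with no [S.] coming back means the host is silent; a "connection refused" result means the host answered, just not with a service) can be automated over tcpdump output. The script below is an added example, not code from this thread or from pfSense: it assumes the two-line layout of `tcpdump -v` as posted above (a header line, then an indented `src.port > dst.port: Flags [X], ...` line), pairs every client SYN with the server's reply on the reversed 4-tuple, and reports one of three verdicts. The sample capture is constructed (the first two packets are copied from nicolaj's LAN capture, the rest are made up to show the other two outcomes); the header lines marked "(header abbreviated)" stand in for the full tcpdump headers.

```python
"""Sort the SYNs in a port-forward packet capture into open / refused / no-response.

Added example, not code from the forum thread or from pfSense. Assumes the two-line
'tcpdump -v' layout posted in the thread; SAMPLE_CAPTURE below is constructed.
"""
import re
from collections import OrderedDict

# Flow line printed under each tcpdump packet header, e.g.
#   52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum ...
# Header lines (timestamps, MAC addresses) contain colons and never match.
FLOW_RE = re.compile(
    r"^\s*(?P<src>[\w.\-]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.\-]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(capture_text):
    """Return [(src, sport, dst, dport, flags), ...] for every flow line in the capture."""
    packets = []
    for line in capture_text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def classify_handshakes(capture_text):
    """Pair each client SYN (Flags [S]) with the server's reply on the reversed 4-tuple.

    Verdicts:
      'open'         SYN/ACK ([S.]) came back: forward and listening service both work
      'refused'      RST ([R] or [R.]) came back: host reachable, nothing listening there
      'no-response'  nothing came back: the SYN hit the wire and the host stayed silent
                     (host firewall dropping it, or a default gateway that is not pfSense)
    Returns OrderedDict {(client, cport, server, sport): (verdict, syn_count)}.
    """
    packets = parse_packets(capture_text)
    results = OrderedDict()
    for src, sport, dst, dport, flags in packets:
        if flags != "S":                      # only a bare SYN opens a handshake
            continue
        key = (src, sport, dst, dport)
        if key in results:                    # retransmitted SYN: count it, keep verdict
            verdict, n = results[key]
            results[key] = (verdict, n + 1)
            continue
        verdict = "no-response"
        for rsrc, rsport, rdst, rdport, rflags in packets:
            if (rsrc, rsport, rdst, rdport) != (dst, dport, src, sport):
                continue
            if "S" in rflags and "." in rflags:
                verdict = "open"
                break
            if "R" in rflags:
                verdict = "refused"
                break
        results[key] = (verdict, 1)
    return results


def summarize(capture_text):
    """One human-readable line per handshake, in capture order."""
    return [f"{c}:{cp} -> {s}:{sp}  {n} SYN(s)  {verdict}"
            for (c, cp, s, sp), (verdict, n) in classify_handshakes(capture_text).items()]


# Constructed sample on the LAN side, three test flows against forwarded ports:
#   .37581 -> .100:49999  four SYNs, never answered   (the situation in this thread)
#   .37590 -> .101:49998  SYN answered with SYN/ACK   (healthy forward)
#   .37600 -> .100:49999  SYN answered with RST       (host firewall off, nothing listening)
SAMPLE_CAPTURE = """\
03:03:16.899181 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24425, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x880c (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512555 ecr 0,nop,wscale 7], length 0
03:03:17.898866 00:0e:c4:d2:7e:3e > d8:cb:8a:9f:98:4c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 45, id 24426, offset 0, flags [DF], proto TCP (6), length 60)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], cksum 0x8712 (correct), seq 3079553026, win 26883, options [mss 1460,sackOK,TS val 461512805 ecr 0,nop,wscale 7], length 0
03:03:19.902765 (header abbreviated)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], seq 3079553026, win 26883, length 0
03:03:23.910745 (header abbreviated)
    52.202.215.126.37581 > 192.168.1.100.49999: Flags [S], seq 3079553026, win 26883, length 0
03:04:01.000100 (header abbreviated)
    52.202.215.126.37590 > 192.168.1.101.49998: Flags [S], seq 1111111111, win 26883, length 0
03:04:01.000400 (header abbreviated)
    192.168.1.101.49998 > 52.202.215.126.37590: Flags [S.], seq 2222222222, ack 1111111112, win 65535, length 0
03:04:30.000100 (header abbreviated)
    52.202.215.126.37600 > 192.168.1.100.49999: Flags [S], seq 3333333333, win 26883, length 0
03:04:30.000300 (header abbreviated)
    192.168.1.100.49999 > 52.202.215.126.37600: Flags [R.], seq 0, ack 3333333334, win 0, length 0
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CAPTURE)))
```

Run it against a WAN-side capture and the verdict tells you whether the edge is the problem; run it against the LAN-side capture (as Derelict asked for) and a "no-response" on a flow whose SYNs are visible proves pfSense translated and forwarded the packet, so the remaining suspects are on the host: its own firewall or its default gateway. A "refused" verdict is the RST case behind nicolaj's "Connection refused" result with the Windows firewall off and nothing listening yet.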
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.