Netgate Discussion Forum

    NAT/Port Forwarding not working

    18 Posts 5 Posters 2.6k Views
    • Derelict LAYER 8 Netgate

      Yup. That should be working. Check the settings (gateway, firewall, etc) on the target device. Use the list in that link.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • tarunmurthy

        I have used all the recommendations from https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Still doesn't work.

        The devices are pretty straightforward, I just have the option to input the IP, Port and gateway. The gateway on the devices is set to the pfSense IP. They do not have a firewall. It's an IP camera.

        Am I missing anything else??

        I am on the verge of throwing this and going back to using a consumer router again, but honestly I do not want to. This thing is great except the complexity in getting this right.

        The logs do not show any incoming connection with that specific port being used for forwarding. The incoming port on WAN may be randomized, I also tried setting it as a Static port, still no go.

        • Derelict LAYER 8 Netgate

          Port forwarding works fine.

          Honestly check (really check) everything on that list. It is almost certainly one of those things.

          Your screenshots indicate everything is set correctly on pfSense, which leaves something off the firewall, like the traffic never actually arriving on WAN, the traffic to the target device being filtered, or its responses being sent somewhere else.

          You are certain that all of those wireless routers are not actually acting as routers?

          How about redoing your diagram with the actual, inside IP addresses identified (there is little - if any - reason to hide those and it only hinders being able to help you). That will help determine if a mistake has been made there.

          • johnpoz LAYER 8 Global Moderator

            "The logs do not show any incoming connection with that specific port being used for forwarding"

            Well then how could pfsense forward any traffic? If you sniff on WAN on port 8086 and your remote client tries to hit 8086 and you do not see this traffic, then no, it will never work.

            This is a step in the troubleshooting guide you said you went through. So are you seeing this traffic or not? If you're not seeing it then pfsense can never forward. If you see it, then sniff on your LAN interface: does pfsense send the traffic on to your .150 address?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • tarunmurthy

              @Derelict:

              > Port forwarding works fine.

              > Honestly check (really check) everything on that list. It is almost certainly one of those things.

              > Your screenshots indicate everything is set correctly on pfSense, which leaves something off the firewall, like the traffic never actually arriving on WAN, the traffic to the target device being filtered, or its responses being sent somewhere else.

              You mean the firewall logs on the pfSense? Let me take a dig at it again. Will try and get you some screenshots. Maybe I am missing out some details there. There are quite a few blocked entries there, but none of them are related to the forwarded port numbers.

              Any tips on things I should really look out for??

              • johnpoz LAYER 8 Global Moderator

                Your best bet is a simple sniff on your pfsense WAN to actually validate that your traffic is even getting to pfsense on 8086.

                Troubleshooting port forwarding should only take you a few minutes.

                Does the traffic get there, does pfsense send it on - does the client send an answer once you see pfsense send it on, etc.

                • tarunmurthy

                  @johnpoz:

                  > Your best bet is a simple sniff on your pfsense WAN to actually validate that your traffic is even getting to pfsense on 8086.

                  > Troubleshooting port forwarding should only take you a few minutes.

                  > Does the traffic get there, does pfsense send it on - does the client send an answer once you see pfsense send it on, etc.

                  I will try that now. I really do not know how to do the port sniff, I will try and get some info around that.

                  Meanwhile, I really want to thank you for helping me out in this. Appreciate it a lot fellas.

                  • KOM

                    > I really do not know how to do the port sniff, I will try and get some info around that.

                    Diagnostics - Packet Capture

                    • tarunmurthy

                      You were right, there is no traffic coming in to the WAN connection using that port. I scanned through each and every line item in the log.

                      I used my cellphone Chrome browser:
                      browsed to http://domain.dyndns.com:8086 - no incoming traffic using that port number
                      browsed to http://mypublicIP:8086 - no incoming traffic

                      I even tried with just WAN 1 (my primary ISP who provides a public IP), still no traffic coming in.

                      I see some really random port numbers on some entries.
                      23:24:54.032893 IP 100.xx.xxx.88.25933 > 151.xxx.xxx.xx6.20064: UDP, length 103

                      Edit:
                      I connected my old router back and it works fine on that. I am able to ping my public IP using both IP and DynDNS domain and able to get to my IP cameras.

                      Something, somewhere, is getting blocked.

                      • johnpoz LAYER 8 Global Moderator

                        Yeah, lots of noise on the net.

                        Pfsense can not forward what it does not see.

                        A simple way to see if traffic can get to your public IP on a TCP port is canyouseeme.org

                        If you're sending traffic to your IP and port and it's not getting there, then something in front of pfsense is blocking it. ISP? ISP device in front of pfsense, etc.

                        edit: if you're changing the router connected I assume you're getting a different public IP. Maybe that port is blocked on that IP, try changing the MAC on pfsense to mimic the MAC on your old router so you get the same IP, etc.

                        But again pfsense can not forward what it does not see.

                        You sure you're not getting a NAT reflection when you use the old router? I.e. your cellphone on your wireless network. If you're going to test with phones you need to validate they are not on your local wifi network.

                        • Derelict LAYER 8 Netgate

                          Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

                          Try to connect

                          Stop the capture

                          If there is nothing there, the traffic isn't hitting WAN.

                          If there is something, then packet capture on LAN

                          If you see the traffic going out, the port forward is working. If there is no response, check that host.


                          1 Reply Last reply Reply Quote 0
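Derelict's capture sequence above, applied to saved capture text, as an added example that is not part of the original thread. It assumes captures in `tcpdump -n` text form like the line tarunmurthy pasted; the addresses (192.168.1.150 for the camera, documentation ranges for WAN and client) and the target port 8086 are constructed for illustration.

```python
import re

# Matches one TCP line of `tcpdump -n` text output, for example:
# 12:00:01.000000 IP 198.51.100.7.40000 > 203.0.113.10.8086: Flags [S], seq 100, length 0
TCP_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")

def packets(capture):
    """Return (src, sport, dst, dport, flags) per TCP line; UDP and other lines are skipped."""
    hits = (TCP_LINE.search(line) for line in capture.splitlines())
    return [(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
            for m in hits if m]

def diagnose(wan, lan, wan_port, target_ip, target_port):
    """Walk the WAN capture, then the LAN capture, and name the first point of failure."""
    # 1. Did a SYN for the forwarded port arrive on WAN at all?
    if not any(dport == wan_port and flags == "S"
               for _, _, _, dport, flags in packets(wan)):
        return "upstream: nothing for the port reached WAN"
    lan_pkts = packets(lan)
    # 2. Did pfSense send the translated SYN out of LAN towards the target?
    if not any(dst == target_ip and dport == target_port and flags == "S"
               for _, _, dst, dport, flags in lan_pkts):
        return "pfsense: seen on WAN but not forwarded to LAN"
    # 3. Did the target answer with a SYN-ACK ("S." in tcpdump notation)?
    if not any(src == target_ip and sport == target_port and flags == "S."
               for src, sport, _, _, flags in lan_pkts):
        return "target: forwarded, but the host never replied"
    return "ok: target replied to the forwarded connection"

# Constructed sample captures (documentation addresses, not taken from the thread).
NOISE = "12:00:00.500000 IP 198.51.100.9.25933 > 203.0.113.10.20064: UDP, length 103\n"
WAN_SYN = NOISE + ("12:00:01.000000 IP 198.51.100.7.40000 > 203.0.113.10.8086: "
                   "Flags [S], seq 100, win 65535, length 0\n")
LAN_SYN = ("12:00:01.000100 IP 198.51.100.7.40000 > 192.168.1.150.8086: "
           "Flags [S], seq 100, win 65535, length 0\n")
LAN_REPLY = LAN_SYN + ("12:00:01.000900 IP 192.168.1.150.8086 > 198.51.100.7.40000: "
                       "Flags [S.], seq 500, ack 101, win 65535, length 0\n")

if __name__ == "__main__":
    for wan, lan in [(NOISE, ""), (WAN_SYN, ""), (WAN_SYN, LAN_SYN), (WAN_SYN, LAN_REPLY)]:
        print(diagnose(wan, lan, 8086, "192.168.1.150", 8086))
```

The first case, unrelated UDP noise on WAN and no SYN for 8086, is the situation reported in this thread.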
                          • Grimson Banned

                            @tarunmurthy:

                            > I used my cellphone Chrome browser:

                            Just to be sure: WLAN was off on the phone when you did the test?

                            • tarunmurthy

                              @johnpoz:

                              > edit: if you're changing the router connected I assume you're getting a different public IP. Maybe that port is blocked on that IP, try changing the MAC on pfsense to mimic the MAC on your old router so you get the same IP, etc.

                              The public IP changes when I reboot the router and a new connection is established. ISP 1 is providing a dynamic public IP, a reboot is needed. That is why I am using DynDNS service to sync my public IP with my domain.

                              @johnpoz:

                              > You sure you're not getting a NAT reflection when you use the old router? I.e. your cellphone on your wireless network. If you're going to test with phones you need to validate they are not on your local wifi network.

                              I am absolutely sure of using my cellphone's 4G network. Wi-Fi is always OFF when I am testing this.

                              @Derelict:

                              > Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

                              > Try to connect

                              > Stop the capture

                              > If there is nothing there, the traffic isn't hitting WAN.

                              > If there is something, then packet capture on LAN

                              > If you see the traffic going out, the port forward is working. If there is no response, check that host.

                              Still no go, the traffic does not seem to be hitting the WAN IP address for some reason.

                              @Grimson:

                              > Just to be sure: WLAN was off on the phone when you did the test?

                              Yes absolutely, my cellphone is always on 4G network while testing.

                              • johnpoz LAYER 8 Global Moderator

                                "the traffic does not seem to be hitting the WAN IP address for some reason."

                                Then the block is upstream. Pfsense can not forward what it does not see, end of story. Get with your ISP on why traffic on port X does not get to you.

                                • Derelict LAYER 8 Netgate

                                  And the firewall logs will not include passed traffic unless you explicitly tell that pass rule to log.

                                  You need to be looking exclusively at packet captures, pretty much.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.