Netgate Discussion Forum

NAT/Port Forwarding not working

    Scheduled Pinned Locked Moved NAT
    18 Posts 5 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
johnpoz LAYER 8 Global Moderator

"The logs do not show any incoming connection with that specific port being used for forwarding"

Well then how could pfsense forward any traffic? If you sniff on wan on port 8086 and your remote client tries to hit 8086 and you do not see this traffic then no it will never work..

This is a step in the troubleshooting guide you said you went through. So are you seeing this traffic or not? If you're not seeing it then pfsense can never forward. If you see it, then sniff on your lan interface: does pfsense send the traffic on to your .150 address?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
tarunmurthy

@Derelict:

Port forwarding works fine.

Honestly check (really check) everything on that list. It is almost certainly one of those things.

Your screen shots indicate everything is set correctly on pfSense which leaves something off the firewall like the traffic never actually arriving on WAN or the traffic to the target device being filtered or its responses are being sent somewhere else.

You mean the firewall logs on the pfSense? Let me take a dig at it again. Will try and get you some screenshots. Maybe I am missing out some details there. There are quite a few blocked entries there, but none of them are related to the forwarded port numbers.

Any tips on things I should really look out for?
johnpoz LAYER 8 Global Moderator

Your best bet is a simple sniff on your pfsense wan to actually validate that your traffic is even getting to pfsense on 8086..

Troubleshooting port forwarding should only take you a few minutes.

Does the traffic get there, does pfsense send it on, does the client send an answer once you see pfsense send it on, etc.
tarunmurthy

@johnpoz:

Your best bet is a simple sniff on your pfsense wan to actually validate that your traffic is even getting to pfsense on 8086..

Troubleshooting port forwarding should only take you a few minutes.

Does the traffic get there, does pfsense send it on, does the client send an answer once you see pfsense send it on, etc.

I will try that now. I really do not know how to do the port sniff; I will try and get some info around that.

Meanwhile, I really want to thank you for helping me out in this. Appreciate it a lot, fellas.
KOM

I really do not know how to do the port sniff, I will try and get some info around that.

Diagnostics - Packet Capture
tarunmurthy

You were right, there is no traffic coming into the WAN connection using that port. I scanned through each and every line item in the log.

I used my cellphone Chrome browser:
browsed to http://domain.dyndns.com:8086 - no incoming traffic using that port number
browsed to http://mypublicIP:8086 - no incoming traffic

I even tried with just WAN 1 (my primary ISP, who provides a public IP), still no traffic coming in.

I see some really random port numbers on some entries.
23:24:54.032893 IP 100.xx.xxx.88.25933 > 151.xxx.xxx.xx6.20064: UDP, length 103

Edit:
I connected my old router back and it works fine on that. I am able to ping my public IP using both IP and DynDNS domain and able to get to my IP cameras.

Something, somewhere, is getting blocked.
johnpoz LAYER 8 Global Moderator

Yeah, lots of noise on the net..

Pfsense can not forward what it does not see..

A simple way to check if traffic can get to your public IP on a tcp port is canyouseeme.org

If you're sending traffic to your IP and port and it's not getting there, then something in front of pfsense is blocking it. ISP? ISP device in front of pfsense, etc.

edit: if you're changing the router connected I assume you're getting a different public IP.. Maybe that port is blocked for that IP; try changing the mac on pfsense to mimic the mac on your old router so you get the same IP, etc.

But again pfsense can not forward what it does not see.

You sure you're not getting a nat reflection when you use the old router? Ie your cellphone on your wireless network.. If you're going to test with phones you need to validate they are not on your local wifi network.
Derelict LAYER 8 Netgate

Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

Try to connect

Stop the capture

If there is nothing there, the traffic isn't hitting WAN.

If there is something, then packet capture on LAN

If you see the traffic going out, the port forward is working. If there is no response, check that host.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
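The decision tree johnpoz and Derelict lay out (does the traffic reach WAN, does pfSense send it on to LAN, does the host answer) as a small added script that is not from this thread and not pfSense code. It parses tcpdump-style summary lines with numeric ports, the same shape as the UDP line quoted earlier in the thread, and applies the three checks to a WAN capture and a LAN capture. The addresses (198.51.100.5 as the WAN IP, 192.168.1.150 as the camera host, 203.0.113.10 as the phone on 4G) and the capture text are constructed for the example; function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches the one-line IPv4 summary tcpdump -n prints for TCP/UDP packets, e.g.
# "23:24:54.032893 IP 203.0.113.10.51234 > 198.51.100.5.8086: Flags [S], seq 1000, win 64240, length 0"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<info>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    info: str


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump summary lines; non-IPv4-TCP/UDP lines (ARP, etc.) are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["info"]))
    return packets


def diagnose(wan_capture: str, lan_capture: str,
             wan_ip: str, target_ip: str, port: int) -> str:
    """Apply the thread's three checks and name the first one that fails."""
    wan = parse_capture(wan_capture)
    lan = parse_capture(lan_capture)

    # 1. Did anything for the forwarded port arrive on WAN at all?
    #    Stray UDP noise on other ports does not count.
    if not any(p.dst == wan_ip and p.dport == port for p in wan):
        return "not-reaching-wan"        # block is upstream of pfSense
    # 2. Did pfSense send it on to the internal host (seen leaving LAN)?
    if not any(p.dst == target_ip and p.dport == port for p in lan):
        return "not-forwarded"           # NAT rule / interface problem on pfSense
    # 3. Did the internal host answer from the forwarded port?
    if not any(p.src == target_ip and p.sport == port for p in lan):
        return "host-not-responding"     # check the host's service / firewall / gateway
    return "working"


# Constructed captures. WAN_IP/TARGET_IP/CLIENT_IP are documentation addresses, not real hosts.
WAN_IP, TARGET_IP, CLIENT_IP, PORT = "198.51.100.5", "192.168.1.150", "203.0.113.10", 8086

WAN_NOISE_ONLY = """\
23:24:54.032893 IP 100.64.0.88.25933 > 198.51.100.5.20064: UDP, length 103
23:24:55.000000 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28
"""
WAN_WITH_SYN = WAN_NOISE_ONLY + (
    "23:24:55.100000 IP 203.0.113.10.51234 > 198.51.100.5.8086: "
    "Flags [S], seq 1000, win 64240, length 0\n")
# After the port forward, the LAN copy keeps the client's source but has the host as destination.
LAN_FORWARDED = ("23:24:55.100200 IP 203.0.113.10.51234 > 192.168.1.150.8086: "
                 "Flags [S], seq 1000, win 64240, length 0\n")
LAN_FORWARDED_WITH_REPLY = LAN_FORWARDED + (
    "23:24:55.101000 IP 192.168.1.150.8086 > 203.0.113.10.51234: "
    "Flags [S.], seq 5000, ack 1001, win 65535, length 0\n")


def run_examples() -> Dict[str, str]:
    """One scenario per branch of the decision tree."""
    return {
        "upstream block": diagnose(WAN_NOISE_ONLY, "", WAN_IP, TARGET_IP, PORT),
        "pfSense not forwarding": diagnose(WAN_WITH_SYN, "", WAN_IP, TARGET_IP, PORT),
        "host silent": diagnose(WAN_WITH_SYN, LAN_FORWARDED, WAN_IP, TARGET_IP, PORT),
        "all good": diagnose(WAN_WITH_SYN, LAN_FORWARDED_WITH_REPLY, WAN_IP, TARGET_IP, PORT),
    }


if __name__ == "__main__":
    for scenario, verdict in run_examples().items():
        print(f"{scenario:24s} -> {verdict}")
```

Paste the text of a capture taken on WAN and one taken on LAN (Diagnostics > Packet Capture, or tcpdump -n on the box) into wan_capture and lan_capture. Because pfSense does not log passed traffic unless the pass rule is set to log, the firewall log cannot answer these questions; only the captures can, which is why the script reads captures rather than log entries.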
Grimson Banned

@tarunmurthy:

I used my cellphone Chrome browser:

Just to be sure: WLAN was off on the phone when you did the test?
tarunmurthy

@johnpoz:

edit: if you're changing the router connected I assume you're getting a different public IP.. Maybe that port is blocked for that IP; try changing the mac on pfsense to mimic the mac on your old router so you get the same IP, etc.

The public IP changes when I reboot the router and a new connection is established. ISP 1 is providing a dynamic public IP; a reboot is needed. That is why I am using a DynDNS service to sync my public IP with my domain.

@johnpoz:

You sure you're not getting a nat reflection when you use the old router? Ie your cellphone on your wireless network.. If you're going to test with phones you need to validate they are not on your local wifi network.

I am absolutely sure of using my cellphone's 4G network. Wi-Fi is always OFF when I am testing this.

@Derelict:

Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

Try to connect

Stop the capture

If there is nothing there, the traffic isn't hitting WAN.

If there is something, then packet capture on LAN

If you see the traffic going out, the port forward is working. If there is no response, check that host.

Still no go, the traffic does not seem to be hitting the WAN IP address for some reason.

@Grimson:

Just to be sure: WLAN was off on the phone when you did the test?

Yes, absolutely, my cellphone is always on the 4G network while testing.
johnpoz LAYER 8 Global Moderator

"the traffic does not seem to be hitting the WAN IP address for some reason."

Then the block is upstream.. Pfsense can not forward what it does not see, end of story. Get with your ISP on why traffic on port X does not get to you.
Derelict LAYER 8 Netgate

And the firewall logs will not include passed traffic unless you explicitly tell that pass rule to log.

You need to be looking exclusively at packet captures, pretty much.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.