How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?

nafeasonto

Out of no where, something is being blocked coming in to my connection, it's a game. (Unspoken for Rift).

Is there way to see if the firewall itself is blocking it, or the ISP? I do NOT know which ports this game communicates on for P2P protocol, but I have been playing this game for year and 1/2, and all ofa sudden of out of now here no one can connect. And i know it's me, because no one else has this issue.

As far as I know Verizon FIOS doesn't block anything.

Anyway to see what the firewall is blocking, or just let EVERYTHING just come thorough just for the purpose of testing, so I can rule if it's the firewall or not. Becawuse i didn't change anything from last night to today.

I also know it's something on my end, because if my friend goes into my personal VPN, we can connect and play fine and the P2P works. I am the only one out of 30 people, who have this issue. So it's either the PFSENSE or the ISP.

Edit: It's definitely the PFSense firewall (Went direct connect from my ISP modem), why out of no where would the firewall start blocking this?

Gertjan

Hi,

Why did you install pfSense ?
And this question might seem stupid, but do you know what the principal job of pfSense is ? => Hint !

There is know such thing as "pfSense blocks every incoming connection except ..."
It's a 100 % : block everything until you decided otherwise.
Every Firewall on planet earth behaves the same way.

pfSense doesn't know what "Rift" is, so maybe it's time to inform it how to handle to permit traffic coming in for your game ?
That's the job of you, the admin of pfSense.

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

I do NOT know which ports this game communicates

My initial thoughts were : Get an internet connection, and visit Google and type in the question ... if ports are needed, you'll be getting a answer on the first lien. This very important info is also lentuionned in the games FAQ, manual, support site, game community, etc. This is how things are done by serious game editors.

firewall port Unspoken Rift : incoming (== NAT !) is probably needed but true, it's not clear at all ....
I've been reading several posts about Rift, they all mention different ports .... it's a mess.

johnpoz

Where you using UPnP to allow your inbound ports for your game?

Why would you game need inbound ports? Are you hosting a session - and other users can not connect to you?

As mentioned by Gertjan, out of the box ALL unsolicited inbound traffic would be blocked, so if it "ever" was working with pfsense you had either created the port forwards, or were using UPnP?

Going to need more info to help you.

On a bit of side note - What fios box do you have, more than likely it is doing nat as well, so for your game to allow for inbound traffic connected to it - have to assume it has UPnP enabled? Does pfsense or the device you connect to your isp box get a public IP or does it start with 192.168.x.x, 172.16-31.x.x or 10.x.x.x ?

Do you really need inbound? Or are you running say say IPS package, or Proxy or Pfblocker that could be preventing you from connecting to your game server outbound?

nafeasonto

@johnpoz i tried disabling pfblockerng, same thing. This makes zero sense as it happened out of no where. Nothing changed from me playing the game six hours ago before it happened. It's the same thing that happened with cnc online private services where I could connect to anyone and visa versa.

Once again I know it's pfsense as any directed vpn connection to my network alleviates that. It makes no sense why suddenly the firewall tells me to screw off after a year.

I went into the log and see thr port the game is trying to come through, regardless I allowed EVERYTHING in from my friends IP address regardless of port or protocol, but the firewall still seems obsessed with blocking it regardless.

It keeps denying the rule, while it shouldn't be denying anything from him.

Gertjan

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

I allowed EVERYTHING in from my friends IP address

The game server is hosted at your friend's place ?

johnpoz

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

It keeps denying the rule, while it shouldn't be denying anything from him.

So you see his IP listed in the firewall rule as blocked?

You understand that just a firewall rule is not enough to forward traffic inbound to your PC/Box the game is on right?

Please post up the firewall logs showing these blocks that are happening. Pfsense out of the box will log all traffic blocked by the default block rule.

In which direction is the traffic being initiated? Are you sending the syn to his IP, or is he sending SYN to your public IP?

A vpn service do not allow inbound traffic to the vpn client, unless specifically setup.. And very few vpn services even allow this at all. So if your saying you can connect to him when you use a vpn on your client points to you initiating the connection.. Maybe your isp is having problem reaching his IP, maybe he is blocking your IP..

There is not near enough info to help you here..

nafeasonto

@johnpoz I will explain more when I get home. Thanks for taking the time.

nafeasonto

@johnpoz said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

It keeps denying the rule, while it shouldn't be denying anything from him.

So you see his IP listed in the firewall rule as blocked?

You understand that just a firewall rule is not enough to forward traffic inbound to your PC/Box the game is on right?

Please post up the firewall logs showing these blocks that are happening. Pfsense out of the box will log all traffic blocked by the default block rule.

In which direction is the traffic being initiated? Are you sending the syn to his IP, or is he sending SYN to your public IP?

A vpn service do not allow inbound traffic to the vpn client, unless specifically setup.. And very few vpn services even allow this at all. So if your saying you can connect to him when you use a vpn on your client points to you initiating the connection.. Maybe your isp is having problem reaching his IP, maybe he is blocking your IP..

There is not near enough info to help you here..

So I can explain this as I best I can.

When you are in "que" for this game, you randomly connect with someone to play with.' You can also do a direct invite. Regardless how you do it, it's direct connection between the two players, there is no back end server.

Getting the logs this is what happening (like I said before, this has NEVEr happened before). I changed nothing in my rules, or anything for that matter. So I don't understand why all of a sudden this would start blocking ANYTHING between the two connections:

And yes the VPN is allowing the connection as I made it a bridged connection.

AAAAnd it's working again. The only difference now is I updated the firewall firmware (the latest dev branch). SOmething isn't right here.

Gertjan

Do you have any rules on WAN ?
Any NAT rules ?

nafeasonto

@Gertjan said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

Do you have any rules on WAN ?
Any NAT rules ?

Are you looking for any specific rules? I have lots of rules on WAN, LAN, and NAT side.

JKnott

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

Is there way to see if the firewall itself is blocking it, or the ISP?

Well, there are port scans. A public one is www.grc.com. You can also run nmap, both locally against pfSense and then from elsewhere, to see if there's any difference.

johnpoz

@nafeasonto said in How do I test if something is being blocked, or find out what teh firewall is actually blocking on incoming connections?:

it's direct connection between the two players, there is no back end server.

Well then you would have the ports need port forwarded on your end... How do you do this - manually or do you allow UPnP to do it..

Connecting to them would have zero to do with pfsense out of the box because its default lan rules are any any outbound.. Simple sniff show you that pfsense is sending syn to their IP, etc.

You still haven't listed any logs show anything blocked, nor have you even stated if these connections are ipv4 or ipv6.

You haven't posted your rules, etc. So there is zero info here to to work with to help you figure out what your problem is.

For all we know the guy(s) you were trying to connect to were the problem. Or your isp talking to those IPs was an issue, etc. etc.