Port forward to UDP 10000 is NOT working
-
Hi,
I have got a weird situation - I have done everything that needs to be done but "port forward to UDP 10000 is not working". Obviously I am messing up something somewhere, but the frustrating thing is:
I have 2 environments (Test and Prod) and when everything worked in Test, I decided to move on to Prod but got stuck with this issue for 2 weeks now.
Just so you know, I am trying to install/use Jitsi which is an opensource video conf and they need port 10000/UDP to be open/forwarded. I have checked, rechecked and rechecked at least 100 times, but configurations (Test and Prod) are exactly the same including the firewall port (ufw) on the server (I have separate Test and Prod Servers as well)
To test port forward/open is working, Jitsi folks asked me to run the following commands:
sudo service jitsi-videobridge2 stop
nc -l 10000 -u
And then from another machine (should have Internet access):
echo "123" | nc -u my.public.ip.address 10000
This should display 123 on the first machine.
This is working on Test Server... and I get 123 on Test Server... however, when I run the same sequence of commands on Prod and echo it from Test Server - I don't get anything.
The irritating thing is: I did get the response a few weeks back but I have no idea what all I have changed since then and now it is not working.
Any idea or suggestion as to what I might be doing wrong? This is now on the critical path for me as this is now impacting production server/services.
So any help would be highly appreciated.
Many Thanks,
Rav -
Without showing your NAT and Rule entries, no one can do anything but guess what is going on in your setup! So please add some information and screens to your post :)
We are running multiple Jitsi and Jitsi Dev installations ourselves and have no problem forwarding necessary ports at all so it has to be something with your ruleset or configuration.
-
Thanks for getting back to me @JeGr and I completely agree with you about the lack of screenshots.
So here we go (Blue one is Test Config and Red is Prod.)
Hope this helps.
As usual, any help will be highly appreciated.
Many Thanks,
Rav -
Any idea, what I am doing wrong?
Any hint or help to check/ensure port 10000 (UDP) is actually open or port forwarded, will be highly appreciated.
Many Thanks,
Rav -
Troubleshooting nat should take you all of 2 minutes tops...
It's really simple.. Does the traffic hit your wan IP? Sniff - do you see traffic hit your wan IP on port 10k? If you don't it's not pfsense.
If it does - then sniff on the interface you're trying to send it to.. say your lan.. Do you see pfsense send the traffic on 10k? If so then it's not pfsense.
Example - I don't even have anything running on 192.168.9.100 on 10k, but I will setup a port forward rule..
You need to test from a location online - say https://www.ipvoid.com/udp-port-scan/
So created a port forward for 10k..
Now sniffing on wan for port 10k, and then sending traffic to 10k..
My wan sees it
Now sniffing on my lan where this 192.168.9.100 device sits.. Sending traffic again..
Pfsense did exactly what you told it to do.. It sent the traffic on to the client - if the client is not listening, or does not answer there is nothing pfsense can do about it.. If the traffic never hits your pfsense wan - pfsense can not send it on.. If you spend more than 2 minutes trying to figure out what step you missed or where the problem is with port forwarding.. To be honest you shouldn't be doing port forwarding because you do not understand it at a basic level and you're just clicking shit hoping something works.
/rant.. Sorry been drinking with buddies via virtual happy hour.. But its like every other hour we see the same exact thing about port forwarding.. Where everything you need to try and figure it out is right here
https://docs.netgate.com/pfsense/en/latest/book/nat/troubleshooting.html -
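The two-step check above (sniff on WAN, then sniff on the inside interface) is a small decision tree, and the pfSense packet-capture page prints tcpdump-style one-line summaries that are easy to parse. The following is an added example, not code from the thread or from pfSense: it parses constructed capture lines in that format and returns which of the three places the datagram stopped. The addresses 1.2.3.4, 5.6.7.8 and 192.168.9.100 are the placeholder values used in this thread, and the sample lines, the `triage` function and the verdict names are all assumptions made for the example.

```python
import re
from typing import Dict, List

# One tcpdump-style summary line per IPv4/UDP datagram, the same text the
# pfSense packet-capture page prints, for example:
#   12:00:01.000123 IP 5.6.7.8.51000 > 1.2.3.4.10000: UDP, length 4
UDP_LINE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+UDP,\s+length\s+(?P<length>\d+)"
)

# Verdict names are this example's own labels for the three stopping points.
VERDICTS = {
    "upstream": "nothing for that port reached the WAN address: not a pfSense problem",
    "nat": "reached the WAN address but never left on the inside interface: check the NAT rule",
    "host": "delivered to the host, no reply seen: nothing listening, host firewall, or a one-way test",
    "ok": "request forwarded and the host answered",
}


def parse_udp(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per UDP datagram; TCP, ARP and other lines are skipped."""
    records = []
    for line in lines:
        m = UDP_LINE.match(line.strip())
        if m:
            records.append({
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "length": int(m["length"]),
            })
    return records


def triage(wan_lines: List[str], lan_lines: List[str], port: int,
           wan_ip: str, internal_host: str) -> str:
    """Apply the WAN-then-LAN decision tree and return a VERDICTS key."""
    wan = parse_udp(wan_lines)
    lan = parse_udp(lan_lines)
    # Step 1: did anything for that port arrive at the WAN address at all?
    arrived = [r for r in wan if r["dst"] == wan_ip and r["dport"] == port]
    if not arrived:
        return "upstream"
    # Step 2: did pfSense send it on, rewritten to the inside host?
    forwarded = [r for r in lan if r["dst"] == internal_host and r["dport"] == port]
    if not forwarded:
        return "nat"
    # Step 3: did the inside host answer from that port?
    replied = [r for r in lan if r["src"] == internal_host and r["sport"] == port]
    if not replied:
        return "host"
    return "ok"


# Constructed sample captures (not real output from the thread): a tester at
# 5.6.7.8 sends two datagrams to the WAN address 1.2.3.4, plus an unrelated TCP
# SYN that the parser must ignore.
WAN_CAPTURE = [
    "12:00:01.000123 IP 5.6.7.8.51000 > 1.2.3.4.10000: UDP, length 4",
    "12:00:01.200456 IP 5.6.7.8.51000 > 1.2.3.4.10000: UDP, length 4",
    "12:00:01.300789 IP 5.6.7.8.40000 > 1.2.3.4.443: Flags [S], seq 1, win 64240, length 0",
]
# The same two datagrams on the inside interface, destination rewritten by the port forward.
LAN_CAPTURE = [
    "12:00:01.000300 IP 5.6.7.8.51000 > 192.168.9.100.10000: UDP, length 4",
    "12:00:01.200600 IP 5.6.7.8.51000 > 192.168.9.100.10000: UDP, length 4",
]
# A reply from the inside host, seen only when something is listening and answers.
LAN_REPLY = [
    "12:00:01.000900 IP 192.168.9.100.10000 > 5.6.7.8.51000: UDP, length 4",
]

if __name__ == "__main__":
    cases = (("nothing answered", LAN_CAPTURE), ("host answered", LAN_CAPTURE + LAN_REPLY))
    for name, lan in cases:
        verdict = triage(WAN_CAPTURE, lan, 10000, "1.2.3.4", "192.168.9.100")
        print(f"{name}: {verdict} -> {VERDICTS[verdict]}")
```

Note that a plain `nc -l` listener never sends anything back, so a "host" verdict is the expected result of the one-way nc test in this thread as long as the datagram shows up on the inside interface; the verdict only says the forward itself is working.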
Generally, I get angry with such posts, but this one brought a smile to my face - great sense of humour. :-)
You are right, when you know your stuff, it is a 2 min job but when you don't even 2 weeks is less (as in my case). I always thought networking is not my cup of tea as my core strength is Sys Admin, but then I was able to do a lot of stuff and got 2 environments up and running pretty well which gave me a false hope that I can do this sh!t... but clearly I am still not there - not yet.
I have been drinking as well and so I don't think this is the right time to touch the Prod environment, so I will give it a go tomorrow morning.
However, just so you know I tried packet capturing but I was unable to open the output file, it asks for some weird file type association and I am not able to open it at all. But never mind, I will try it again and report back to you SIR. Need to go back to my drinks - it's not nice to keep someone waiting... :-)
Thanks for getting back to me and giving some pointers - appreciate it mate.
Thx: Rav
-
@raviktiwari said in Port forward to UDP 10000 is NOT working:
I have been drinking as well and so I don't think this is the right time to touch the Prod environment, so I will give it a go tomorrow morning.
That's a prerequisite in my shop... :)
But seriously.. pfsense port forwarding works just fine and is fairly easy to implement. So when someone comes along everyone here will and should get very matter of factly arrogant and corrective.. (to a point). There is no- it doesn't work on my implementation even if it does on every body else's. That said..
Remember-- Specifically Windows but maybe others.. built in firewalls treat any "out of subnet address" as "public" and will block anything incoming. Yes if 192.168.2.1 is not in your subnet then it is public and untrusted. even if you think that firewall is off it is often not.
/diag_packet_capture.php is your friend.. Get to know it well. :)
-
Alright then, @chpalmer provoked me and I took a peek on Production systems....
ipvoid shows all good on WAN port... so WAN port is listening and pfsense is doing what it has been asked to do (PFA the SS).
However, when I go to packet capture (WAN or LAN), I am unable to see any details in the box below and download has a .cap extension, which I am not sure how to open - does not open in notepad. PFA the SS for that as well.
I am trying to install Wireshark assuming the downloaded files can be viewed in wireshark... but any idea how I can get the captured data displayed in the box below?
Thx: Rav
-
It should show up easily in the box below.
I'm using GRC.com to try some connections inbound and doing a packet capture but that resource stops at 1055. But my screen capture will show you what to expect.
-
But it's not... I think I might have some browser issue... some extension, java whatever (despite the fact that I even changed browser).
I am saying this because I know my test server along with test pfsense has UDP port 10K working... so I just tried capturing traffic for that.... but I can't see anything.
Do I need to leave the capturing on for a few minutes, like 2-5 minutes, before I can actually see any captured packets?
Thx: Rav
-
If you see nothing I would bet your ISP is blocking that port.
-
How is that possible?
Just tried port 80 as well as 443 (TCP) and we all know it IS working, so why is there nothing for these ports in the box below - as you can see it (in your ss).
Do I need to capture traffic from another IP address.. as in my public IP is: 1.2.3.4 and both me and my server are connected to this same issue (via different interfaces at pfsense), so can I do packet capture from this laptop or should I use another laptop whose public ip is: 5.6.7.8?
Many Thx: Rav
Many Thanks,
Rav -
Assuming your IP address is indeed public.. Not 100.xx.xx.xx or any of the others... Your ISP can block stuff. Especially if you are a residential customer.. Look at your TOS. They probably say no servers.
Don't feel shy to ask them.
-
Yes I truly have a public IP: 62...* and this is a commercial ISP. When I signed the contract I gave them MY ToS saying I will be hosting servers. They even support me with my issues, for example in changing my reverse DNS and so on.
Reason I am arguing is that when I give command on Test Server:
nc -l 10000 -u
And then from the Prod machine (should have Internet access):
echo "123" | nc -u my.public.ip.address 10000
I do get "123" displayed on my test server... so that means I can forward the port and it is working, listening and displaying everything.
So why is it not working only in the pfsense packet capture box? And worst-case scenario, what will the ISP block? A port right? Even if they block UDP port 10K, they cannot block ports 80 and 443 on TCP... but I cannot see anything even for those ports?
Many Thanks,
Rav -
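The nc listener/sender pair used in this thread (first post and the reply just above) is the simplest UDP reachability test there is, and its one weakness is also the one that causes the confusion here: the sending side can never tell whether the datagram arrived. The following is an added example, not code from the thread or from Jitsi or pfSense: it reproduces the same test in Python on loopback, with a listener standing in for `nc -l <port> -u` and a sender standing in for `echo "123" | nc -u <host> <port>`, and includes the failure case where the datagram is sent to a port nobody is bound to. The function names `udp_listener`, `udp_send` and `run_probe` are this example's own; port 0 is used so the OS picks a free port instead of 10000.

```python
import socket
import threading
from typing import Dict, Optional


def _free_udp_port() -> int:
    """Ask the OS for an unused loopback UDP port (used for the misdirected case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def udp_listener(bind_addr: str, port: int, ready: threading.Event,
                 result: Dict[str, object], timeout: float) -> None:
    """Stand-in for `nc -l <port> -u`: bind, wait for one datagram, record it.

    Binding to port 0 lets the OS choose a free port; the chosen port is
    published in result["port"] before `ready` is set.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        s.settimeout(timeout)
        result["port"] = s.getsockname()[1]
        ready.set()
        try:
            data, peer = s.recvfrom(2048)
            result["payload"] = data.decode(errors="replace")
            result["peer"] = peer[0]
        except socket.timeout:
            # The symptom from the thread: the listener sits there and
            # nothing ever arrives.
            result["payload"] = None


def udp_send(host: str, port: int, message: str) -> None:
    """Stand-in for `echo "<message>" | nc -u <host> <port>`.

    UDP has no handshake, so this returns without error even when nothing is
    listening, the packet is dropped upstream, or a firewall discards it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))


def run_probe(message: str = "123", misdirect: bool = False,
              timeout: float = 1.0) -> Optional[str]:
    """Run listener and sender together on loopback; return what the listener got.

    misdirect=True sends to a port nobody is bound to, reproducing the
    'I sent 123 but the other side shows nothing' situation: None comes back
    and the sender saw no error at all.
    """
    ready = threading.Event()
    result: Dict[str, object] = {}
    t = threading.Thread(target=udp_listener,
                         args=("127.0.0.1", 0, ready, result, timeout), daemon=True)
    t.start()
    ready.wait(timeout)
    target_port = _free_udp_port() if misdirect else int(result["port"])
    udp_send("127.0.0.1", target_port, message)
    t.join(timeout + 1.0)
    return result.get("payload")


if __name__ == "__main__":
    print("correct port :", run_probe())                 # -> '123'
    print("wrong port   :", run_probe(misdirect=True))   # -> None
```

The point to take from the misdirected case is that "the sender did not complain" carries no information for UDP; only the listener side (or a capture on the path, as johnpoz describes) can confirm delivery.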
Well.. commercial so you should be open.
I've never had issues with the packet capture page on both Fireflop and Chrome.. But that is the limit of my testing..
-
@raviktiwari
are you trying from a network behind the router itself? if yes do you have some form of NAT reflection enabled?
System > Advanced > Firewall & NAT > Network Address Translation section. -
@raviktiwari
All comes down to the way you define your rules: The wildcard to wildcard (all to all) rules should go into the floating rules as they should be applied to every network in your domain...Hope it helps
-
A part of the test pfSense :
The "10000" rule send over 1.16 Giga bytes.
The second rule shows a whopping 3 Gb being handled by this rule.
All this traffic didn't make it into the "Jitsi" process, or it was on the LAN .... probably it hit the "wall" between it; the OS firewall of the "Jitsi" server.
Btw : I'm not sure, but this does not look "ok" to me :
You have two identical rules that have a port "10000" as a source address..
What about changing the range for the second rule: 10001 - 20000? -
Thanks everyone... I don't know how and why but it seems to be working... trust me, I did not make any changes other than the testing that @johnpoz and @chpalmer asked me to do yesterday... yes, I did restart the server as there were some bionic security and kernel upgrades that were pushed to the server and a restart was needed at the end of the update.
I am going to take a backup of the configuration and keep it safe somewhere as this configuration issue has troubled me quite a few times and for a long time. So Thanks to everyone once again.
However, the other issue, which actually delayed the troubleshooting of this issue (Unable to see the packet capture in the box below) is still something that I would like to get resolved.
Many Thanks,
Rav -
Hi @taz3146
Yes, I am trying from a network behind the router itself. I checked System > Advanced > Firewall & NAT > Network Address Translation section and it was set to disabled, because I thought I would never need it. However, I have now changed it to: NAT+proxy.
And I am still unable to see any packet captured details in the box below.
P.S: UDP port 10K had already started working without making this NAT reflection change. Do you still want me to make this change - I mean for the data capture box to display the content?
@Gertjan, that is in the plan. I wanted to get 10K working first and then change the other one to 10K1-20K; now that it is working, I plan to make that change.
Thanks for your time, help and support.
Thx: Rav