Netgate Discussion Forum

    Checking for open ports ?

    General pfSense Questions
    19 Posts, 7 Posters, 1.5k Views
    chudak

      Hello all

      I was wondering about this for a while...

      Using https://www.yougetsignal.com/tools/open-ports/ for open ports.

      I have two OpenVPN servers running, one on port 1194 and another on 3194

      Both work fine.

      When I check for open ports, 1194 always shows closed, even though it works, and 3194 shows correctly as open.

      Does anybody have an explanation for why 1194 shows closed?

      Thx
      YuriW

      mcury (Rebel Alliance)

        OpenVPN defaults to UDP for its port.

        dead on arrival, nowhere to be found.

        chudak @mcury

          @mcury I understand, but why does it report closed?

          mcury (Rebel Alliance)

            That site tests TCP ports, not UDP.
            UDP and TCP are very different from each other.
            TCP has ACK packets confirming that a packet was received, there is a three-way handshake to establish a connection, and other mechanisms like retransmissions and such.
            UDP works very differently: it's kind of "send and don't care" whether you are receiving or dropping packets.

            That specific site tests TCP connectivity.

            dead on arrival, nowhere to be found.

            chudak @mcury

              @mcury
              I see what you mean, thank you!

              What do you use to check UDP ports?

              mcury (Rebel Alliance)

                What do I use? I don't; I know exactly what my firewall rules are. Also, I check my firewall logs in case something is not working.
                In case I need to troubleshoot further, capturing packets is my way to go.

                dead on arrival, nowhere to be found.

                Gertjan

                  Another way for you: set your OpenVPN WAN pass firewall rule to log.
                  Redo the test.

                  If you see firewall log results, you know the test traffic is coming into your WAN.
                  If you see nothing, it did not reach the interface, nor the OpenVPN service for that matter.

                  => Now focus on the upstream router (from your ISP): remove any NAT and firewall rules.
                  What do you see now?

                  Now, switch OpenVPN from UDP to TCP. Redo the test.
                  Now you will see firewall log lines, and probably the OpenVPN service logging that it found illegal connection attempts.
                  Etc.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

                  chudak

                    I really wanted to check it from the external server.
                    The way that seems to work is:

                    nc -zvw10 <server> -t <port> - for TCP
                    nc -zvw10 <server> -u <port> - for UDP

                    PS: I did not realize that usually, by default, UDP ports don't get tested.

                    Thank you !

                    Modesty

                      I use Advanced Port Scanner. There is a UDP option, ref screenshot.

                      [screenshot]

                      Everything can be rebuilt!

                      chudak @Modesty

                        @Modesty said in Checking for open ports?:

                        Advanced Port Scanner

                        Is it a Windows thing, or also for Linux?

                        Modesty @chudak

                          @chudak Windows

                          Everything can be rebuilt!

                          stephenw10 (Netgate Administrator)

                            If you test remotely you will only see a UDP port as 'open' if what you're testing against chooses to send a reply. Most things won't unless you send the right thing.

                            Steve

                            johnpoz (LAYER 8 Global Moderator)

                              ^ Exactly, 1194 is the default UDP OpenVPN port. Unless you're sending VPN traffic you're not going to get an answer, so how would outside testing know that it's open?

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              chudak @johnpoz

                                @johnpoz

                                I am sending VPN traffic:

                                nc -zvw10 <SERVER> 2194
                                Connection to <SERVER> 2194 port [tcp/*] succeeded!
                                yuriw@vmss:~$ nc -zvw10 <SERVER> -u 1194
                                Connection to <SERVER> 1194 port [udp/openvpn] succeeded!

                                stephenw10 (Netgate Administrator)

                                  You are not actually testing anything there.

                                  steve@steve-MMLP7AP-00 ~ $ nc -zvw10 11.11.11.1 -u 1111
                                  Connection to 11.11.11.1 1111 port [udp/*] succeeded!

                                  Steve

                                  chudak @stephenw10

                                    @stephenw10

                                    How do you test then?

                                    stephenw10 (Netgate Administrator)

                                      You can't with UDP unless you know what you're testing against will respond.

                                      You need to test from both ends so you can see the packets come in and whether they are opening states.

                                      Steve

                                      johnpoz (LAYER 8 Global Moderator)

                                        Testing OpenVPN is hard, especially if you have set auth on your TLS key, since it won't answer anything at all unless the TLS key matches.

                                        And yup, UDP is hard to test as well, because there is no handshake.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

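As an added illustration of Steve's and johnpoz's points (example code, not from any poster in this thread), this Python probe shows the three outcomes a remote UDP check can have and why the "succeeded!" line from nc -zu proves nothing. The loopback services are constructed stand-ins: an echoing one, and a silent one that models OpenVPN ignoring datagrams that fail the tls-auth check.

```python
import socket
import threading

def probe_udp(host, port, payload=b"\x00", timeout=2.0):
    """Send one datagram and classify: 'open' (service replied), 'closed'
    (ICMP port unreachable; Linux reports it on a connected UDP socket as
    ECONNREFUSED) or 'open|filtered' (silence: a firewall dropped it, or a
    listener ignored our bytes, as OpenVPN with tls-auth does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: kernel hands us ICMP errors
        try:
            s.send(payload)
            s.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def nc_style_udp_z(host, port):
    """All a bare 'nc -zu' proves: the datagram left our socket. Without a
    handshake, send cannot fail just because nobody is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(b"\x00", (host, port))
        return True

def _local_service(echo):
    """Constructed loopback stand-ins: an echoing service, and a silent one
    that models OpenVPN dropping packets that fail the tls-auth HMAC."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        data, peer = srv.recvfrom(4096)
        if echo:
            srv.sendto(data, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    echo_srv, echo_port = _local_service(echo=True)
    mute_srv, mute_port = _local_service(echo=False)
    results = {"echo service": probe_udp("127.0.0.1", echo_port),
               "silent service": probe_udp("127.0.0.1", mute_port, timeout=1.0)}
    echo_srv.close(); mute_srv.close()  # now nothing listens on either port
    results["nothing listening"] = probe_udp("127.0.0.1", mute_port)
    results["nc -zu style"] = nc_style_udp_z("127.0.0.1", mute_port)
    return results
```

Only the echo case comes back "open"; the silent listener and a dropped packet are indistinguishable from the outside, which is why the thread ends up at firewall logs and packet captures on the pfSense side.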
                                        Derelict (LAYER 8 Netgate)

                                          Packet captures generally don't lie.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.