Netgate Discussion Forum
    Checking for open ports ?

    General pfSense Questions
    19 Posts 7 Posters 1.5k Views
    chudak @mcury

      @mcury
      I see what you mean, thank you !

      What do you use to check UDP ports ?

      mcury Rebel Alliance

        What do I use? I don't; I know exactly what my firewall rules are, and I also check my firewall logs in case something is not working.
        In case I need to troubleshoot further, capturing packets is my way to go.

        dead on arrival, nowhere to be found.

          Gertjan

          Another way for you: set your OpenVPN WAN pass firewall rule to log.
          Redo the test.

          You see firewall log results: you know the test traffic is coming into your WAN.
          You see nothing: it did not reach the interface, nor the OpenVPN service for that matter.

          => Now focus on the upstream (ISP) router (from your ISP): remove any NAT and firewall rules.
          What do you see now?

          Now, switch OpenVPN from UDP to TCP. Redo the test.
          Now you will see firewall log lines. And probably the OpenVPN service logging that it found illegal connection attempts.
          Etc.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

            chudak

            I really wanted to check it from the external server.
            The way that seems to work is:

            nc -zvw10 <server> -t <port>   - for TCP
            nc -zvw10 <server> -u <port>   - for UDP

            PS: I did not realize that usually by default UDP ports don't get tested

            Thank you !

              Modesty

              I use Advance port scanner. There is a UDP option, ref screenshot.

              Everything can be rebuilt!

                chudak @Modesty

                @Modesty said in Checking for open ports ?:

                Advance port scanner

                Is it a Windows thing or also for Linux ?

                  Modesty @chudak

                  @chudak windows

                    stephenw10 Netgate Administrator

                    If you test remotely you will only see a UDP port as 'open' if what you're testing against chooses to send a reply. Most things won't unless you send the right thing.

                    Steve

                      johnpoz LAYER 8 Global Moderator

                      ^ exactly, 1194 is the default UDP OpenVPN port.. Unless you're sending VPN traffic you're not going to get an answer, so how would outside testing know that it's open?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                        chudak @johnpoz

                        @johnpoz

                        I am sending VPN traffic

                        nc -zvw10 <SERVER> 2194
                        Connection to <SERVER> 2194 port [tcp/*] succeeded!
                        yuriw@vmss:~$ nc -zvw10 <SERVER> -u 1194
                        Connection to <SERVER> 1194 port [udp/openvpn] succeeded!

                          stephenw10 Netgate Administrator

                          You are not actually testing anything there.

                          steve@steve-MMLP7AP-00 ~ $ nc -zvw10 11.11.11.1 -u 1111
                          Connection to 11.11.11.1 1111 port [udp/*] succeeded!
                          

                          Steve

                            chudak @stephenw10

                            @stephenw10

                            How do you test then ?

                              stephenw10 Netgate Administrator

                              You can't with UDP unless you know what you're testing against will respond.

                              You need to test from both ends so you can see the packets come in and whether they are opening states.

                              Steve

                                johnpoz LAYER 8 Global Moderator
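To make Steve's point concrete, here is a small UDP checker added for this thread (not code from any poster or from pfSense). It sends one datagram on a connected UDP socket and reports three outcomes: a datagram came back, ICMP port unreachable came back (Linux surfaces that as ECONNREFUSED), or nothing came back within the timeout. The demo stands up three loopback listeners of its own: one that answers, one that is bound but deliberately silent (standing in for OpenVPN with tls-auth dropping unauthenticated packets), and a port with nothing on it. Only the last two differ from what `nc -zu` would print, which is why "succeeded" proves nothing for UDP.

```python
import socket
import threading

def probe_udp(host, port, payload=b"\x00", timeout=0.5):
    """Classify one UDP probe: 'responded', 'closed' or 'no-response'.
    'no-response' is the ambiguous case: filtered, or open but silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # connect() so ICMP errors are reported
        try:
            s.send(payload)
            s.recv(4096)
            return "responded"
        except ConnectionRefusedError:   # ICMP port unreachable arrived
            return "closed"
        except socket.timeout:
            return "no-response"

def _answer_everything(sock, stop):
    """Thread body for the constructed 'answering' service: echo with a prefix."""
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(4096)
            sock.sendto(b"reply:" + data, peer)
        except socket.timeout:
            continue
        except OSError:                  # socket closed by demo(); exit quietly
            break

def demo():
    """Constructed loopback scenario; returns {scenario: probe result}."""
    answering = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    answering.bind(("127.0.0.1", 0))
    answering.settimeout(0.2)
    stop = threading.Event()
    threading.Thread(target=_answer_everything, args=(answering, stop), daemon=True).start()

    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))        # listening, but never reads or replies

    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]   # reserve a number, then free it
    tmp.close()

    results = {
        "answering": probe_udp("127.0.0.1", answering.getsockname()[1]),
        "silent":    probe_udp("127.0.0.1", silent.getsockname()[1]),
        "nothing":   probe_udp("127.0.0.1", closed_port),
    }
    stop.set()
    answering.close()
    silent.close()
    return results
```

Against a real firewall the "closed" result also disappears whenever the path filters ICMP, so a remote UDP check can at best tell you "something answered"; confirming the rule and the state table from the pfSense side is what actually settles it.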

                                Testing to OpenVPN is hard, especially if you have set auth on your tls key, since it won't answer anything at all unless the tls key matches..

                                And yup UDP is hard to test as well.. Because there is no handshake..

                                  Derelict LAYER 8 Netgate

                                  Packet captures generally don't lie.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.