Netgate Discussion Forum

    Only Some of my Port Forwards work ?

    Firewalling
    43 Posts 3 Posters 6.1k Views
    NogBadTheBad @Cire3

      @cire3 I'd check with the supplier again. You've got "to" and "-" in your first post; is that a range, or is it converting one port to another?

      A packet capture using the phone's IP address would show you what's hitting the firewall.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        Cire3 @NogBadTheBad

        @nogbadthebad Directions.PNG

        This was the direction I was given. Some ports convert, while one is a range.

        Ports Working :

        44443 Convert to 443 Forward to 10.10.1.25 Status : Open
        24493 Convert to 2728 Forward to 10.10.1.25 Status : Open

        Port Not Working :

        16000 Through 16511 Forward to 10.10.1.26 Status : Closed
        9300 Forward to 10.10.1.25 Status : Closed

          NogBadTheBad @Cire3

          @cire3 Well, your packet capture shows port 9300 TCP, not UDP as per their info.

          15:25:00.282522 IP 198.199.98.246.50719 > 198.0.115.21.9300: tcp 0
          15:25:01.278833 IP 198.199.98.246.50719 > 198.0.115.21.9300: tcp 0
          15:25:01.283582 IP 198.199.98.246.50724 > 198.0.115.21.9300: tcp 0
          15:25:02.282636 IP 198.199.98.246.50724 > 198.0.115.21.9300: tcp 0
          15:25:02.284759 IP 198.199.98.246.50731 > 198.0.115.21.9300: tcp 0
          15:25:03.282818 IP 198.199.98.246.50731 > 198.0.115.21.9300: tcp 0
          15:25:56.035819 IP 198.199.98.246.50880 > 198.0.115.21.9300: tcp 0
          15:25:57.034127 IP 198.199.98.246.50880 > 198.0.115.21.9300: tcp 0
          15:25:57.036750 IP 198.199.98.246.50883 > 198.0.115.21.9300: tcp 0
          15:25:58.034059 IP 198.199.98.246.50883 > 198.0.115.21.9300: tcp 0
          15:25:58.038290 IP 198.199.98.246.50889 > 198.0.115.21.9300: tcp 0
          15:25:59.038237 IP 198.199.98.246.50889 > 198.0.115.21.9300: tcp 0
          15:26:00.276783 IP 198.199.98.246.50895 > 198.0.115.21.9300: tcp 0
          15:26:01.274091 IP 198.199.98.246.50895 > 198.0.115.21.9300: tcp 0
          15:26:01.277837 IP 198.199.98.246.50897 > 198.0.115.21.9300: tcp 0
          15:26:02.273897 IP 198.199.98.246.50897 > 198.0.115.21.9300: tcp 0
          15:26:02.278893 IP 198.199.98.246.50899 > 198.0.115.21.9300: tcp 0
          15:26:03.277951 IP 198.199.98.246.50899 > 198.0.115.21.9300: tcp 0

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            Cire3 @NogBadTheBad

            @nogbadthebad Just changed that a bit ago, as I was testing both ways. Set to UDP per instructions. Just trying to find out if the information I have is accurate.

            Will it show open even if there is not a device on that IP? Just a curious thing more than anything. Is pfSense rejecting it, or is the device not accepting it? That's what I was wondering.

              Cire3 @Cire3

              Hitting WAN.PNG

              This is in States from me using portchecker.co

                Cire3 @Cire3

                @cire3 Wait a second. Does portchecker.co use TCP? If so, how do I check UDP?

                  Cire3 @Cire3

                  @cire3 Just used https://www.ipvoid.com/udp-port-scan/

                  9300 UDP Open.PNG

                    johnpoz LAYER 8 Global Moderator @Cire3

                    UDP is pretty difficult to get a clear picture of open or not, unless something actually answers.. It can fairly often show inaccurate results.

                    If you're sending UDP traffic, the best thing to do is sniff on your pfSense WAN while you send that traffic, etc.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      NogBadTheBad @Cire3

                      @cire3 You have quite a few ports open; your pfSense GUI is open to the internet.

                      Nice purple background.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        johnpoz LAYER 8 Global Moderator @NogBadTheBad

                        Yeah, your top rule that says ping is ANY to TCP... Pretty bad rule!

                        bad.png

                        This would be a proper rule to allow ping to your pfSense WAN address.

                        allowpingwan.png

                        You would want to use the alias - in case your wan IP changes at some point in the future.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                          Cire3 @johnpoz

                          @johnpoz

                          fixed imcp.PNG

                          Rule removed, and thanks!

                          I believe I was trying to allow ping on WAN.

                          So do I have any way to determine my ports are working as they should?

                          I have no clue if this device is even set up correctly, and I'm just beating my head against the wall for nothing?

                            johnpoz LAYER 8 Global Moderator @Cire3

                            Well, if the device uses 9300 UDP.. And you can send UDP on 9300 from outside your network.. The way to validate, even if the device is not working on 9300, is to sniff.

                            Sniff on your WAN - do you see the 9300 UDP being sent to pfSense? Good!

                            Sniff on the LAN side interface where the IP you're trying to forward to sits.. Do you see the 9300 being sent on to this IP? If so, good - pfSense is now out of the picture and doing what you told it to do.. If it is still not working, something else is going on: wrong IP you're sending to, not listening on 9300 UDP like you thought, service not even running on this server, firewall on this device, etc.

                            edit: example using that site linked to

                            Set up a port forward to one of my machines' 9300. Not listening on 9300 for anything.

                            forward.png

                            But I can tell it's working because I see it sent on to my machine on 9300, even though the machine didn't answer.

                            test.png

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                              NogBadTheBad @johnpoz

                              If you have a Mac on the internet, ncat might help:

                              andy@mac-pro ~ % ncat -z -n -v -u 198.0.115.21 9300
                              Ncat: Version 7.91 ( https://nmap.org/ncat )
                              Ncat: Connected to 198.0.115.21:9300.
                              Ncat: UDP packet sent successfully
                              Ncat: 1 bytes sent, 0 bytes received in 2.00 seconds.
                              andy@mac-pro ~ %

                              Andy

                              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                Cire3 @NogBadTheBad

                                @nogbadthebad Sorry, no Mac on site to take over :(

                                Ok, so I did a packet capture on LAN and this is what I have.

                                Port 9300 :

                                11:57:55.826423 IP 212.129.21.56.36032 > 10.10.1.25.9300: UDP, length 0
                                11:57:55.827646 IP 10.10.1.25.9300 > 212.129.21.56.36032: UDP, length 14
                                11:57:55.839031 IP 185.209.161.169.38480 > 10.10.1.25.9300: UDP, length 0

                                I'm calling this good as it's hitting 10.10.1.25. Correct?

                                Port : 24493 Converts to 2728

                                12:01:32.723636 IP 88.119.179.10.43438 > 10.10.1.25.2728: tcp 0
                                12:01:32.736754 IP 185.86.77.126.58520 > 10.10.1.25.2728: tcp 0
                                12:01:32.738876 IP 185.83.213.25.55756 > 10.10.1.25.2728: tcp 0

                                So I see it on LAN hitting 10.10.1.25.

                                Port : 44443 Converts to 443 and works as it should (we can access the GUI).

                                So all I have left is the port range.

                                Port 16000 Through 16511 UDP

                                I used port 16000 for testing.

                                12:06:02.006380 IP 185.83.213.25.49331 > 10.10.1.26.16000: UDP, length 0
                                12:06:02.011625 IP 88.119.179.10.52783 > 10.10.1.26.16000: UDP, length 0
                                12:06:02.016003 IP 185.86.77.126.41816 > 10.10.1.26.16000: UDP, length 0
                                12:06:02.018484 IP 185.159.82.88.52425 > 10.10.1.26.16000: UDP, length 0

                                Am I correct this is a win and pfSense is doing as it should?
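The WAN-then-LAN check johnpoz describes, applied to the capture lines posted in this thread, as an added example (not code from the thread or from pfSense): it parses tcpdump-style lines in the format pfSense's packet capture prints, looks up the forward rule for the WAN port, and reports whether the traffic stopped before the WAN, at pfSense (including the TCP-versus-UDP mismatch found earlier), or was redirected to the internal host. The FORWARDS table is transcribed from the rules described above; the sample capture text in the usage call is taken from the posts.

```python
import re

# Matches tcpdump-style lines as pfSense Diagnostics > Packet Capture prints them, e.g.
#   "11:57:55.826423 IP 212.129.21.56.36032 > 10.10.1.25.9300: UDP, length 0"
#   "15:25:00.282522 IP 198.199.98.246.50719 > 198.0.115.21.9300: tcp 0"
LINE_RE = re.compile(r'^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP|tcp)\b')

def parse_capture(text):
    """Return (proto, dst_ip, dst_port) for every packet line; skip anything else."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m.group(5).lower(), m.group(3), int(m.group(4))))
    return flows

# Port forwards as described in the thread: (proto, wan_lo, wan_hi, lan_ip, lan_lo)
FORWARDS = [
    ('tcp', 44443, 44443, '10.10.1.25', 443),
    ('tcp', 24493, 24493, '10.10.1.25', 2728),
    ('udp', 9300, 9300, '10.10.1.25', 9300),
    ('udp', 16000, 16511, '10.10.1.26', 16000),   # range maps 1:1 onto 16000-16511
]

def lan_target(proto, wan_port):
    """Internal (ip, port) that a packet to wan_port/proto should be redirected to."""
    for p, lo, hi, ip, lan_lo in FORWARDS:
        if p == proto and lo <= wan_port <= hi:
            return ip, lan_lo + (wan_port - lo)
    return None

def verify_forward(proto, wan_port, wan_capture, lan_capture):
    """Where does traffic for wan_port stop: before the WAN, at pfSense, or forwarded?"""
    target = lan_target(proto, wan_port)
    if target is None:
        return 'no rule'
    wan = [f for f in parse_capture(wan_capture) if f[2] == wan_port]
    if not any(f[0] == proto for f in wan):
        seen = sorted({f[0] for f in wan})
        if seen:  # traffic arrived, but as the wrong protocol (the 9300 TCP/UDP mix-up)
            return 'wrong proto on WAN: ' + ','.join(seen)
        return 'not reaching WAN'
    lan = [f for f in parse_capture(lan_capture) if f == (proto, *target)]
    if not lan:
        return 'pfSense not forwarding'
    return 'forwarded to %s:%d (%d packets)' % (target[0], target[1], len(lan))

if __name__ == '__main__':
    wan = '15:25:00.282522 IP 198.199.98.246.50719 > 198.0.115.21.9300: tcp 0'
    print(verify_forward('udp', 9300, wan, ''))   # the mismatch NogBadTheBad spotted
```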

                                  Cire3 @Cire3

                                  @cire3 Using this site as it allows more protocols:

                                  https://check-host.net/

                                    Cire3 @Cire3

                                    @cire3 Quick question.

                                    Any way to quickly put 10.10.1.25 and 10.10.1.26 in a DMZ for a quick test?

                                    All the DMZs I've seen isolate and use different adapters, and I understand why. Didn't know if there was an easy way just to test a device passing through the firewall?

                                      NogBadTheBad @Cire3

                                      @cire3 said in Only Some of my Port Forwards work ?:

                                      @nogbadthebad Sorry, no Mac on site to take over :(

                                      Actually just realised ncat comes with Nmap.

                                      https://nmap.org/

                                      Tests look good to me.

                                      I'd start tightening up the source rules to the two hosts mentioned in their email once you're happy.

                                      Andy

                                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                        Cire3 @NogBadTheBad

                                        @nogbadthebad Just downloaded it and going to check it out, didn't know about the Windows version :)

                                        This is what I have (does being on a VPN change it?)

                                        nmap1.PNG

                                        nmap2.PNG

                                        Should this scan show the other ports?

                                        Scanning 10.10.1.25 [1000 ports]
                                        Discovered open port 143/tcp on 10.10.1.25
                                        Discovered open port 443/tcp on 10.10.1.25
                                        Discovered open port 25/tcp on 10.10.1.25
                                        Discovered open port 80/tcp on 10.10.1.25
                                        Discovered open port 20000/tcp on 10.10.1.25

                                        Should I see the others?

                                        I also think I owe you two a beer for sure!

                                          NogBadTheBad @Cire3

                                          @cire3 said in Only Some of my Port Forwards work ?:

                                          @nogbadthebad Just downloaded it and going to check it out, didn't know about the Windows version :)

                                          This is what I have (does being on a VPN change it?)

                                          I'd run the test when disconnected from the VPN and try to establish whether what you were told about the port forwards ties up.

                                          Andy

                                          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.