Only Some of my Port Forwards work?
-
Yeah, your top rule that says ping is ANY to tcp... Pretty bad rule!
This would be a proper rule to allow ping to your pfSense WAN address.
You would want to use the alias, in case your WAN IP changes at some point in the future.
-
Rule removed, and thanks!
I believe I was trying to allow ping on WAN.
So do I have any way to determine my ports are working as they should?
I have no clue if this device is even set up correctly, and I'm just beating my head against the wall for nothing?
-
Well, if the device uses 9300 UDP, and you can send UDP on 9300 from outside your network, the way to validate (even if the device is not working on 9300) is to sniff.
Sniff on your WAN: do you see the 9300 UDP being sent to pfSense? Good!
Sniff on the LAN side interface where the IP you're trying to forward to sits. Do you see the 9300 being sent on to this IP? If so, good: pfSense is now out of the picture and doing what you told it to do. If it's still not working, something else is going on: wrong IP you're sending to, not listening on 9300 UDP like you thought, service not even running on this server, firewall on this device, etc.
edit: example using that site linked to
Set up a port forward to one of my machines on 9300. Not listening on 9300 for anything.
But I can tell it's working because I see it sent on to my machine on 9300, even though the machine didn't answer.
-
If you have a Mac on the internet, ncat might help:
andy@mac-pro ~ % ncat -z -n -v -u 198.0.115.21 9300
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 198.0.115.21:9300.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.00 seconds.
andy@mac-pro ~ %
-
@nogbadthebad Sorry, no Mac on site to take over :(
OK, so packet capture on LAN and this is what I have.
Port 9300:
11:57:55.826423 IP 212.129.21.56.36032 > 10.10.1.25.9300: UDP, length 0
11:57:55.827646 IP 10.10.1.25.9300 > 212.129.21.56.36032: UDP, length 14
11:57:55.839031 IP 185.209.161.169.38480 > 10.10.1.25.9300: UDP, length 0
I'm calling this good as it's hitting 10.10.1.25. Correct?
Port 24493 converts to 2728:
12:01:32.723636 IP 88.119.179.10.43438 > 10.10.1.25.2728: tcp 0
12:01:32.736754 IP 185.86.77.126.58520 > 10.10.1.25.2728: tcp 0
12:01:32.738876 IP 185.83.213.25.55756 > 10.10.1.25.2728: tcp 0
So I see it on LAN hitting 10.10.1.25.
Port 44443 converts to 443 and works as it should (we can access the GUI).
So all I have left is the port range.
Port 16000 through 16511 UDP.
I used port 16000 for testing:
12:06:02.006380 IP 185.83.213.25.49331 > 10.10.1.26.16000: UDP, length 0
12:06:02.011625 IP 88.119.179.10.52783 > 10.10.1.26.16000: UDP, length 0
12:06:02.016003 IP 185.86.77.126.41816 > 10.10.1.26.16000: UDP, length 0
12:06:02.018484 IP 185.159.82.88.52425 > 10.10.1.26.16000: UDP, length 0
Am I correct this is a win and pfSense is doing as it should?
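As an added example (not code from johnpoz, cire3 or the pfSense project), here is the sniff-and-compare check from the reply above applied to LAN-side capture lines like the ones posted in this thread: it parses tcpdump-style output and reports, per forward, whether the probe reached the intended internal IP and port and whether that host answered. It assumes tcpdump's default one-line format as shown in the posts, and the sample capture is constructed from those lines.

```python
import re
# Matches tcpdump lines like those posted above, e.g.
#   11:57:55.826423 IP 212.129.21.56.36032 > 10.10.1.25.9300: UDP, length 0
#   12:01:32.723636 IP 88.119.179.10.43438 > 10.10.1.25.2728: tcp 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>UDP|tcp)"
)

# Constructed sample: a LAN-side capture assembled from lines in this thread.
SAMPLE_CAPTURE = """\
11:57:55.826423 IP 212.129.21.56.36032 > 10.10.1.25.9300: UDP, length 0
11:57:55.827646 IP 10.10.1.25.9300 > 212.129.21.56.36032: UDP, length 14
12:01:32.723636 IP 88.119.179.10.43438 > 10.10.1.25.2728: tcp 0
12:06:02.006380 IP 185.83.213.25.49331 > 10.10.1.26.16000: UDP, length 0
"""

# The forwards under test, as (protocol, internal IP, internal port).
FORWARDS = [
    ("udp", "10.10.1.25", 9300),
    ("tcp", "10.10.1.25", 2728),
    ("udp", "10.10.1.26", 16000),
]

def parse_capture(text):
    """Turn tcpdump text into a list of dicts; lines that don't parse are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["proto"] = p["proto"].lower()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def check_forwards(text, forwards):
    """Return {(proto, ip, port): (inbound_hits, reply_seen)} for each forward."""
    # hits > 0 means pfSense delivered the probe to the right host/port, so the NAT
    # rule works; reply_seen shows whether the host itself answered. A forward with
    # 0 hits or a silent host points at the server or its firewall, not pfSense.
    pkts = parse_capture(text)
    report = {}
    for proto, ip, port in forwards:
        hits = sum(1 for p in pkts
                   if p["proto"] == proto and p["dst"] == ip and p["dport"] == port)
        reply = any(p["proto"] == proto and p["src"] == ip and p["sport"] == port
                    for p in pkts)
        report[(proto, ip, port)] = (hits, reply)
    return report
```

Feed it the text of a pfSense Diagnostics > Packet Capture run on the LAN interface; in the sample, only the 9300 host answers, which matches the thread's observation that the other targets received the probe but stayed silent.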
-
@cire3 Using this site as it allows more protocols:
https://check-host.net/
-
@cire3 Quick question.
Any way to quickly put 10.10.1.25 and 10.10.1.26 in a DMZ for a quick test?
All the DMZ setups I've seen isolate and use different adapters, and I understand why. Didn't know if there was an easy way just to test a device passing through the firewall?
-
@cire3 said in Only Some of my Port Forwards work?:
@nogbadthebad Sorry, no Mac on site to take over :(
Actually just realised ncat comes with Nmap.
https://nmap.org/
Tests look good to me.
I'd start tightening up the source rules to the two hosts mentioned in their email once you're happy.
-
@nogbadthebad Just downloaded it and going to check it out, didn't know about the Windows version :)
This is what I have (does being on a VPN change it?).
Should this scan show the other ports?
Scanning 10.10.1.25 [1000 ports]
Discovered open port 143/tcp on 10.10.1.25
Discovered open port 443/tcp on 10.10.1.25
Discovered open port 25/tcp on 10.10.1.25
Discovered open port 80/tcp on 10.10.1.25
Discovered open port 20000/tcp on 10.10.1.25
Should I see the others?
I also think I owe you two a beer for sure!
-
@cire3 said in Only Some of my Port Forwards work?:
@nogbadthebad Just downloaded it and going to check it out, didn't know about the Windows version :)
This is what I have (does being on a VPN change it?).
I'd run the test when disconnected from the VPN and try to establish whether what you were told about the port forwards ties up.