Netgate Discussion Forum

    Stupid port forwarding question

    • M
      MikeDPitt
      last edited by

      I have been having quite a bit of trouble doing something as simple as a port forward for some reason. I've done it before with success, but I am trying to forward port 4040, for a subsonic docker running on an unraid server with an internal LAN IP of 192.168.1.6.

      What am I doing wrong?
      Capture1.PNG

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Is your plex one working?  What do your wan rules look like? If you're using pfblock you might have some rules blocking the access?

        Forwards are really just click click - if you're having issues go through the troubleshooting doc, it will help you find what you have wrong.  99% it's going to be PEBKAC, the other 1% is your isp is blocking the traffic and it's never getting to you in the first place ;)

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Why are you running an old version of pfsense?  That interface is clearly not from current.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • M
          MikeDPitt
          last edited by

          Yes, the Plex one works. This is PF version 2.2.3. If PFBlocker lets me go through from my phone to connect to Plex, it isn't blocking my IP then correct? Which other places can I check for problems? Also, my ISP does not block any ports whatsoever.

          Thank you so much again, something this simple and it's driving me crazy.

          Capture.PNG

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            well you do have a pfb rule in there blocking shit.. It could be blocking??  But you're saying you can access 32400 from same IP but can not access the 4040?

            You sure there is no firewall where you're running.. You're sure it's actually listening on 4040?  So can you access it from your 192.168.1 network when you go to http://192.168.1.6:4040 ?

            • M
              MikeDPitt
              last edited by

              Yes, I can access it from my LAN at 4040 from any device.  Also yes I can use my DDNS address from my phone internet and hit plex from my phone at https://my.ddns.address:32400/web/index.html. What I was asking is, since pfBlocker blocks by IP, and I can hit plex from my phone, then it's not blocking my phone's IP right?

              Capture.PNG

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                yeah if you can get to 32400 via your phone, then no, pfb is not blocking its ip..  You SURE you're not on your wifi or something via your phone and hitting that via nat reflection or something..

                Your wifi is off and you're on cell data when you access it from the outside..

                • M
                  MikeDPitt
                  last edited by

                  Positive, even just had someone else test for me from their office.

                  • M
                    MikeDPitt
                    last edited by

                    Doing an online nmap of my ddns address at 32400, 1194, finds it open, 4040 and 4050, it says, are closed. I just don't get it.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Did you apply the port forward?  You sure the packets are getting to you.. It's possible your isp blocks them.  As per the troubleshooting guide sniff on pfsense wan.. Try and access it from outside, do you see the access.  canyouseeme.org is great for this..

                      You could try doing the port forward again.  It's possible the rules didn't get applied.. You forget to click apply, etc..

                      edit: offices are HORRIBLE for testing.. Most companies if of any size block outbound on oddball ports, go through a proxy etc..

                      • M
                        MikeDPitt
                        last edited by

                        I don't know if this also helps, but I've done port forwarding for quite a few scenarios but this particular one just won't work whatever I try. Nothing is firewalled from this guy's office, and I can't see it in canyouseeme or doing an online nmap for that port. It's not my ISP, I've even tried doing it on 80 and it won't work. It's driving me crazy.

                        Capture.PNG
                        Capture1.PNG

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          Again per the troubleshooting doc.. Sniff - do you see the packets hit your wan.. if so sniff on lan - do you see the packets sent to your server 192.168.1.6 address?

                          Ok, I just installed it on an ubuntu vm I have at the house..  Grabbed

                          root@ubuntu:/tmp# wget http://madsonic.org/download/5.1/20150831_madsonic-5.1.5260.deb

                          installed jre

                          Setting up madsonic (5260) …
                          Adding system startup for /etc/init.d/madsonic ...
                            /etc/rc0.d/K99madsonic -> ../init.d/madsonic
                            /etc/rc1.d/K99madsonic -> ../init.d/madsonic
                            /etc/rc6.d/K99madsonic -> ../init.d/madsonic
                            /etc/rc2.d/S99madsonic -> ../init.d/madsonic
                            /etc/rc3.d/S99madsonic -> ../init.d/madsonic
                            /etc/rc4.d/S99madsonic -> ../init.d/madsonic
                            /etc/rc5.d/S99madsonic -> ../init.d/madsonic
                          Started Madsonic [PID 5547, /var/madsonic/madsonic_sh.log]
                          root@ubuntu:/tmp#

                          hit up 192.168.9.7:4040, the box installed it to, and see the webpage.. Then created port forward for 4040 tcp to 192.168.9.7 and bing bang zoom can get to it from the outside.. Total time like 1 minute from time of wget and hitting it from the outside..

                          So I would validate traffic is even getting to your public IP..  You sure you're not behind a nat, and you had forwarded your 32400 on the nat device in front of your pfsense beforehand?

                          madsonic.jpg
                          canyouseeme.jpg

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            oh dude - well this is wrong!!  That needs to be set to wan address.

                            I don't know how your 32400 is working with that.. dest needs to be set to wan address!!  Should have spotted that right off the gate..

                            thisiswrong.jpg

                            • M
                              MikeDPitt
                              last edited by

                              How does plex work then?  :o  I had tried with WAN address, destroying the rule, then using Any. Nothing seems to work and it makes absolutely no sense why this isn't working to me. I have enabled logging on that rule and see nothing for this traffic. It doesn't make any sense that an ISP would block both 4040 and 8080 and allow literally any other port I can think of. I guess sniffing to see where this traffic is stopping in the first place would be my only way to handle it. I do have an ISP router, that was supposedly supposed to be able to be put into bridge mode, but the ISP DHCP server would randomly boot me and no one from tech support could tell me any reason why. What I ended up doing is giving the pfsense device its own static IP on the ISP device's 192.168.0.* LAN and making one giant all encompassing rule that forwards all traffic on any protocol or port to the pfsense box and I've never had a problem with anything but this ever since.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                you mean you put pfsense in dmz host of your isp router?  Or you created some forward for all ports in a range?

                                All kinds of weird stuff can happen behind a double nat.. So for example with napt which is what your isp router is doing and pfsense is doing you could have something else using the port.

                                So let's say you make a connection to something on internet from your machine 192.168.1.100:1490 – 1.2.3.4:80, pfsense would nat that to 192.168.0.x:somethingelse as source maybe 41140 or something.  Then your isp router would change it again to your public IP:4040 -- 1.2.3.4:80 maybe you got unlucky there?

                                Saying you're logging the rule and you see no hits points to pfsense not ever seeing the traffic; if it never sees the traffic it for sure can not forward it.

                                Creating a rule that forwards say 1024-65k is going to have issues.  What does that router do for its source ports for traffic it needs to send out that you created from behind it?  The more nats you have the more likely you are to run into some issue.  It is always best to only have 1 nat from your private networks to the internet.

                                And I can tell you for sure that * for a dest is wrong in the pfsense forwarding setup.  It shouldn't work at all..  As the troubleshooting guide goes over - sniff to see if you're seeing the traffic at pfsense wan.. If it's not there nothing pfsense can do that is for sure.  Once you see it there, then validate that pfsense is sending it on via sniff and see if you get an answer.

                                As I showed you this really should be clickity clickity 1 minute tops to get up and running.

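The sniff-on-WAN, then sniff-on-LAN, then look-for-an-answer sequence from the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` text from both pfSense interfaces and reports the stage at which an inbound forward stops. The capture lines are constructed; 192.168.1.6 and port 4040 come from the thread, while the pfSense WAN address 192.168.0.2 and the outside tester 203.0.113.50 are assumptions.

```python
import re

# Matches `tcpdump -n` TCP lines such as (constructed):
# 12:00:01.10 IP 203.0.113.50.51514 > 192.168.0.2.4040: Flags [S], seq 1, length 0
TCP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def packets(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line of capture text."""
    for line in capture.splitlines():
        m = TCP_LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def syn_to(capture, host, port):
    """True if a bare SYN (new connection attempt) is addressed to host:port."""
    return any(f == "S" and (d, dp) == (host, port)
               for _, _, d, dp, f in packets(capture))

def synack_from(capture, host, port):
    """True if host:port answered with SYN-ACK (tcpdump prints it as 'S.')."""
    return any(f == "S." and (s, sp) == (host, port)
               for s, sp, _, _, f in packets(capture))

def diagnose(wan_cap, lan_cap, wan_addr, server, port):
    """Return the stage at which an inbound forward stops, from two captures."""
    if not syn_to(wan_cap, wan_addr, port):
        return "upstream"   # never reached pfSense WAN: ISP or router in front
    if not syn_to(lan_cap, server, port):
        return "pfsense"    # arrived on WAN, not sent on: NAT or WAN rule
    if not synack_from(lan_cap, server, port):
        return "server"     # forwarded, no answer: service or host firewall
    return "ok"

# Constructed sample captures. 192.168.1.6 and 4040 are from the thread;
# 192.168.0.2 (pfSense WAN) and 203.0.113.50 (outside tester) are assumed.
WAN_SYN = "12:00:01.10 IP 203.0.113.50.51514 > 192.168.0.2.4040: Flags [S], seq 1, length 0\n"
LAN_SYN = "12:00:01.11 IP 203.0.113.50.51514 > 192.168.1.6.4040: Flags [S], seq 1, length 0\n"
LAN_ACK = "12:00:01.12 IP 192.168.1.6.4040 > 203.0.113.50.51514: Flags [S.], seq 9, ack 2, length 0\n"

if __name__ == "__main__":
    cases = [("", ""), (WAN_SYN, ""), (WAN_SYN, LAN_SYN), (WAN_SYN, LAN_SYN + LAN_ACK)]
    for wan, lan in cases:
        print(diagnose(wan, lan, "192.168.0.2", "192.168.1.6", 4040))
```

An "upstream" result on a capture taken while an outside host is actively testing is the evidence that the device in front of pfSense, not the forward itself, is where the traffic stops.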
                                • M
                                  MikeDPitt
                                  last edited by

                                  Plex Works, the webserver on 8082 works, the VPN server on 1194 works… all through using my DDNS address or my actual IP. I just don't wrap my head around why this wouldn't

                                  Capture.PNG

                                  • M
                                    MikeDPitt
                                    last edited by

                                    I do have some external servers I have control of, is there a way to use tcpdump or some other CLI based tool, on that specific port and see exactly where the traffic is stopping so I can try to remedy this?

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      well dude again have you done the sniff it takes 2 seconds to sniff!!

                                      Is the traffic getting to pfsense or not..

                                      edit: dude packet capture is built right into pfsense gui.. Diag, Packet Capture – Pick your interface, pick your port and hit start..  See attached.

                                      sniff4040.jpg

                                      • M
                                        MikeDPitt
                                        last edited by

                                        I already said no the packets are not showing in the log enabled for that rule. I'm not lazy I'm willing to try anything I know how to do to get it fixed. I was just asking of some way of seeing where the traffic is stopping, because it is not making it to pf.

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          well if it's not making it to pfsense.. Is it making it to your isp router??  Does it have a packet capture option, does it show you state table.  Does it show you hits on its port forward rules?

                                          Did you try bouncing your isp router to clear up its state table if you can not flush it from its gui or view it?

                                          As to no hits on the rule doesn't actually rule out something else wrong.. I would do the sniff on pfsense to be freaking sure the packets are not getting there.. But what I can tell you from all the threads I have read and helped with port forwarding - I do not recall it ever being a pfsense issue.. It's always pebkac or traffic just not there for pfsense to forward.

                                          edit: and I have been here for quite some time ;) October 18, 2007, 07:09:13 pm is when I registered on the board.. almost 9 freaking years - wow did that go fast…

                                          • M
                                            MikeDPitt
                                            last edited by

                                            The ISP router is a POS and doesn't really offer options like that and I didn't think customer service at the ISP would be much more help, that's why before I call them I wanted to be armed with "well I can see the traffic stopping at your router". That way I could at least complain and get them to send someone out with possibly a new or better router, or something that actually goes into bridge mode and lets pfsense be the actual router. Is there some command I can execute like for instance, I can use pingplotter on windows to see even on a particular port, which exact hop that traffic is stopping. Is there something I can run from linux CLI on another server that would give me this type of info?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.