Stupid port forwarding question



  • I have been having quite a bit of trouble doing something as simple as a port forward for some reason. I've done it before with success, but I am trying to forward port 4040, for a subsonic docker running on an unraid server with an internal LAN IP of 192.168.1.6.

    What am I doing wrong?


  • LAYER 8 Global Moderator

    is your plex one working?  What do your wan rules look like? If you're using pfblock you might have some rules blocking the access?

    Forwards are really just click click - if you're having issues go through the troubleshooting doc it will help you find what you have wrong.  99% it's going to be PEBKAC the other 1% is your isp is blocking the traffic and it's never getting to you in the first place ;)

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Why are you running an old version of pfsense?  That interface is clearly not from current.



  • Yes, the Plex one works. This is PF version 2.2.3. If PFBlocker lets me go through from my phone to connect to Plex, it isn't blocking my IP then correct? Which other places can I check for problems? Also, my ISP does not block any ports whatsoever.

    Thank you so much again, something this simple and it's driving me crazy.



  • LAYER 8 Global Moderator

    well you do have a pfb rule in there blocking shit.. It could be blocking??  But you're saying you can access 32400 from same IP but can not access the 4040?

    You sure there is no firewall where you're running.. You're sure it's actually listening on 4040?  So can you access it from your 192.168.1 network when you go to http://192.168.1.6:4040 ?



  • Yes, I can access it from my LAN at 4040 from any device.  Also yes I can use my DDNS address from my phone internet and hit plex from my phone at https://my.ddns.address:32400/web/index.html. What I was asking is, since pfBlocker blocks by IP, and I can hit plex from my phone, then it's not blocking my phone's IP right?



  • LAYER 8 Global Moderator

    yeah if you can get to 32400 via your phone, then no pfb is not blocking its ip..  You SURE you're not on your wifi or something via your phone and hitting that via nat reflection or something..

    Your wifi is off and you're on cell data when you access it from the outside..



  • positive, even just had someone else test for me from their office.



  • Doing an online nmap of my ddns address at 32400, 1194, finds it open, 4040 and 4050, it says, are closed. I just don't get it.


  • LAYER 8 Global Moderator

    did you apply the port forward?  You sure the packets are getting to you.. It's possible your isp blocks them.  As per the troubleshooting guide sniff on pfsense wan.. Try and access it from outside, do you see the access.  canyouseeme.org is great for this..

    You could try doing the port forward again.  It's possible the rules didn't get applied.. You forget to click apply, etc..

    edit: offices are HORRIBLE testing.. Most companies if of any size block outbound on oddball ports, go through a proxy etc..



  • I don't know if this also helps, but I've done port forwarding for quite a few scenarios but for this particular one just won't work whatever I try. Nothing is firewalled from this guy's office, and I can't see it in canyouseeme or doing an online nmap for that port. It's not my ISP, I've even tried doing it on 80 and it won't work it's driving me crazy.





  • LAYER 8 Global Moderator

    Again per the troubleshooting doc.. Sniff - do you see the packets hit your wan.. if so sniff on lan - do you see the packets sent to your server 192.168.1.6 address?

    Ok, I just installed it on an Ubuntu vm I have at the house..  Grabbed

    root@ubuntu:/tmp# wget http://madsonic.org/download/5.1/20150831_madsonic-5.1.5260.deb

    installed jre

    Setting up madsonic (5260) …
    Adding system startup for /etc/init.d/madsonic ...
      /etc/rc0.d/K99madsonic -> ../init.d/madsonic
      /etc/rc1.d/K99madsonic -> ../init.d/madsonic
      /etc/rc6.d/K99madsonic -> ../init.d/madsonic
      /etc/rc2.d/S99madsonic -> ../init.d/madsonic
      /etc/rc3.d/S99madsonic -> ../init.d/madsonic
      /etc/rc4.d/S99madsonic -> ../init.d/madsonic
      /etc/rc5.d/S99madsonic -> ../init.d/madsonic
    Started Madsonic [PID 5547, /var/madsonic/madsonic_sh.log]
    root@ubuntu:/tmp#

    hit up 192.168.9.7:4040 the box installed it to and see the webpage.. Then created port forward for 4040 tcp to 192.168.9.7 and bing bang zoom can get to it from the outside.. Total time like 1 minute from time of wget and hitting it from the outside..

    So I would validate traffic is even getting to your public IP..  You sure you're not behind a nat, and you had forwarded your 32400 on the nat device in front of your pfsense beforehand?





  • LAYER 8 Global Moderator

    oh dude - well this is wrong!!  That needs to be set to wan address.

    I don't know how your 32400 is working with that.. dest needs to be set to wan address!!  Should have spotted that right off the gate..




  • How does plex work then?  :o  I had tried with WAN address, destroying the rule, then using Any. Nothing seems to work and it makes absolutely no sense why this isn't working to me. I have enabled logging on that rule and see nothing for this traffic. It doesn't make any sense that an ISP would block both 4040 and 8080 and allow literally any other port I can think of. I guess sniffing to see where this traffic is stopping in the first place would be my only way to handle it. I do have an ISP router, that was supposedly supposed to be able to be put into bridge mode, but the ISP DHCP server would randomly boot me and no one from tech support could tell me any reason why. What I ended up doing is giving the pfsense device its own static IP on the ISP device's 192.168.0.* LAN and making one giant all encompassing rule that forwards all traffic on any protocol or port to the pfsense box and I've never had a problem with anything but this ever since.


  • LAYER 8 Global Moderator

    you mean you put pfsense in dmz host of your isp router?  Or you created some forward for all ports in a range?

    All kinds of weird stuff can happen behind a double nat.. So for example with napt which is what your isp router is doing and pfsense is doing you could have something else using the port.

    So let's say you make a connection to something on internet from your machine 192.168.1.100:1490 – 1.2.3.4:80, pfsense would nat that to 192.168.0.x:somethingelse as source maybe 41140 or something.  Then your isp router would change it again to your public IP:4040 -- 1.2.3.4:80 maybe you got unlucky there?

    If saying you're logging the rule and you see no hits points to pfsense not ever seeing the traffic, if it never sees the traffic it for sure can not forward it.

    Creating a rule that forwards say 1024-65k is going to have issues.  What does that router do for its source ports for traffic it needs to send out that you created from behind it?  The more nats you have the more likely you are to run into some issue.  It is always best to only have 1 nat from your private networks to the internet.

    And I can tell you for sure that * for a dest is wrong in the pfsense forwarding setup.  It shouldn't work at all..  As the troubleshooting guide goes over - sniff to see if you're seeing the traffic at pfsense wan.. If it's not there nothing pfsense can do that is for sure.  Once you see it there, then validate that pfsense is sending it on via sniff and see if you get an answer.

    As I showed you this really should be clickity clickity 1 minute tops to get up and running.



  • Plex Works, the webserver on 8082 works, the VPN server on 1194 works… all through using my DDNS address or my actual IP. I just don't wrap my head around why this wouldn't




  • I do have some external servers I have control of, is there a way to use tcpdump or some other CLI based tool, on that specific port and see exactly where the traffic is stopping so I can try to remedy this?


  • LAYER 8 Global Moderator

    well dude again have you done the sniff it takes 2 seconds to sniff!!

    Is the traffic getting to pfsense or not..

    edit: dude packet capture is built right into pfsense gui.. Diag, Packet Capture – Pick your interface, pick your port and hit start..  See attached.




  • I already said no the packets are not showing in the log enabled for that rule. I'm not lazy I'm willing to try anything I know how to do to get it fixed. I was just asking of some way of seeing where the traffic is stopping, because it is not making it to pf.


  • LAYER 8 Global Moderator

    well if it's not making it to pfsense.. Is it making it to your isp router??  Does it have a packet capture option, does it show you state table.  Does it show you hits on its port forward rules?

    Did you try bouncing your isp router to clear up its state table if you can not flush it from its gui or view it?

    As to no hits on the rule doesn't actually rule out something else wrong.. I would do the sniff on pfsense to be freaking sure the packets are not getting there.. But what I can tell you from all the threads I have read and helped with port forwarding - I do not recall it ever being a pfsense issue.. It's always pebkac or traffic just not there for pfsense to forward.

    edit: and I have been here for quite some time ;) October 18, 2007, 07:09:13 pm is when I registered on the board.. almost 9 freaking years - wow did that go fast…



  • The ISP router is a POS and doesn't really offer options like that and I didn't think customer service at the ISP would be much more help, that's why before I call them I wanted to be armed with "well I can see the traffic stopping at your router". That way I could at least complain and get them to send someone out with possibly a new or better router, or something that actually goes into bridge mode and lets pfsense be the actual router. Is there some command I can execute like for instance, I can use pingplotter on windows to see even on a particular port, which exact hop that traffic is stopping. Is there something I can run from linux CLI on another server that would give me this type of info?


  • LAYER 8 Global Moderator

    no not really.. You're saying some traffic is working.. The fact that you're sniffing on pfsense and show them your forward and no traffic being seen..  And then do a test for one of your other forwards would show them for sure its their network or device.

    You could sniff at where you're sending it.. do you get back an rst or get back an icmp port not open from some other IP??



  • Yes I just see the port as not open from nmap on a remote server, and from canyouseeme.org or anywhere else. Like I said I've done a bunch of port forwarding, I was just looking for some kind of proof before calling to bitch at the ISP, because I didn't think the port forward was wrong, and the fact that some work and others don't all point towards it being their equipment. I was just hoping to have some pingplotter on 8080 type of deal to be able to say "here is every hop this traffic takes and stops at your device, why?" is all.
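
The WAN-then-LAN sniff recommended throughout this thread, turned into a small check; this is an added example, not part of the thread or of pfSense. It reads `tcpdump -n` style text lines captured on the pfSense WAN and LAN interfaces and reports where connections to the forwarded port stop. The capture lines, the client 203.0.113.10 and the pfSense WAN address 192.168.0.2 are constructed, and it assumes the forward keeps the same port on both sides.

```python
import re

# tcpdump -n one-line text output for TCP over IPv4, e.g.
# "12:00:01.1 IP 203.0.113.10.51514 > 192.168.0.2.4040: Flags [S], seq 1, length 0"
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def packets(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line in a capture."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def diagnose(wan_capture, lan_capture, port, server_ip):
    """Report where inbound connections to `port` stop, given both captures."""
    # Step 1: did any SYN for the port reach the pfSense WAN interface at all?
    wan_syn = [p for p in packets(wan_capture) if p[3] == port and p[4] == "S"]
    if not wan_syn:
        return "upstream: no SYN for the port reached the pfSense WAN"
    # Step 2: did pfSense translate and send it on towards the server?
    lan = list(packets(lan_capture))
    lan_syn = [p for p in lan if p[2] == server_ip and p[3] == port and p[4] == "S"]
    if not lan_syn:
        return "pfsense: SYN seen on WAN but not forwarded to the server"
    # Step 3: did the server answer with SYN-ACK (tcpdump prints it as "S.")?
    syn_ack = [p for p in lan if p[0] == server_ip and p[1] == port and p[4] == "S."]
    if not syn_ack:
        return "server: SYN delivered on LAN but the server never answered"
    return "ok: server answered, the forward works through pfSense"

# Constructed sample captures (addresses other than 192.168.1.6 are assumptions).
WAN_PLEX_ONLY = "12:00:00.9 IP 203.0.113.10.51600 > 192.168.0.2.32400: Flags [S], seq 5, length 0\n"
WAN_4040 = "12:00:01.1 IP 203.0.113.10.51514 > 192.168.0.2.4040: Flags [S], seq 1, length 0\n"
LAN_SYN_ONLY = "12:00:01.1 IP 203.0.113.10.51514 > 192.168.1.6.4040: Flags [S], seq 1, length 0\n"
LAN_ANSWERED = LAN_SYN_ONLY + (
    "12:00:01.2 IP 192.168.1.6.4040 > 203.0.113.10.51514: Flags [S.], seq 9, ack 2, length 0\n"
)

if __name__ == "__main__":
    # The thread's symptom: other forwards show up on WAN, port 4040 never does.
    print(diagnose(WAN_PLEX_ONLY, "", 4040, "192.168.1.6"))
```

An "upstream" verdict while a capture for a working forward such as 32400 does show SYNs on WAN is the evidence that the traffic is lost before pfSense.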

