New unit setup not allowing ports to be opened



  • hi all

    this is my second attempt at getting pfSense going after consumer routers keep giving up,
    but no matter what I try, I can't get it to open up any ports on my firewall.

    I have WAN 10.20.20.3/24 GW 10.20.20.1 and WAN2 10.10.1.27/16 GW 10.10.1.1 in failover,
    and 1 LAN port 192.168.0.0/16 GW 192.168.1.1.

    I am setting the rules from the NAT tab on WAN and allowing rules to be created by adding an associated filter rule.

    1. I have gateways set up for both WANs and I have set them both as static IPv4, behind other routers where this pfSense is set to be inside the DMZ.
    2. I am not forwarding any ports on wangroup or WAN2.
    3. I have no rules set up for wangroup or WAN2.
    4. Disable reply-to is UNTICKED.
    5. I have tried multiple different ways to add the rules; for example they are set to ANY address, as that is the last thing that I tried.
    6. I have more to open but these are the beginning.

    EDIT… WAN1 was behind a Virgin Media Super Hub set to modem only, but this was then only set to DHCP. I read that the WAN interface needs to have a gateway selected, which was not possible due to the DHCP ISP,
    so for this reason I have set it back up as a router, placed pfSense in the DMZ and forwarded ALL ports to the pfSense IP.

    The only ports that are open are 21, 8443, 8080.

    Gateways

    | Name | Interface | Gateway | Monitor IP | Description |
    |---|---|---|---|---|
    | WAN2GW | WAN2 | 10.10.1.1 | 10.10.1.1 | Wan 2Gateway |
    | WANGW (default) | WAN | 10.20.20.1 | 10.20.20.1 | Wan 1Gateway |

    | Group Name | Gateways | Priority | Description |
    |---|---|---|---|
    | gwgroup | WAN2GW | Tier 2 | |
    | | WANGW | Tier 1 | |

    Interface Groups

    | Name | Members | Description |
    |---|---|---|
    | wangroup | WAN, WAN2 | wan group |

    NAT

    | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description |
    |---|---|---|---|---|---|---|---|---|
    | WAN | UDP | * | * | * | 4500 (IPsec NAT-T) | 192.168.1.17 | 4500 (IPsec NAT-T) | xbox one 4500 |
    | WAN | UDP | * | * | * | 3544 (Teredo) | 192.168.1.17 | 3544 (Teredo) | xbox one 3544 |
    | WAN | UDP | * | * | * | 500 (ISAKMP) | 192.168.1.17 | 500 (ISAKMP) | xbox one 500 |
    | WAN | TCP | * | * | * | 80 (HTTP) | 192.168.1.17 | 80 (HTTP) | xbox one 80 |
    | WAN | TCP/UDP | * | * | * | 53 (DNS) | 192.168.1.17 | 53 (DNS) | xbox one 53 |
    | WAN | TCP/UDP | * | * | * | 3074 | 192.168.1.17 | 3074 | xbox one 3074 |
    | WAN | UDP | * | * | * | 88 | 192.168.1.17 | 88 | xbox one 88 |
    | WAN | TCP | * | * | WAN address | 21 (FTP) | 192.168.1.6 | 21 (FTP) | attic ftp |
    | WAN | TCP/UDP | * | * | WAN address | 8443 | 192.168.1.6 | 8443 | unifi 8443 |
    | WAN | TCP/UDP | * | * | WAN address | 8080 | 192.168.1.6 | 8080 | unifi 8080 |

    RULES

    Rules (Drag to Change Order)

    | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|
    | 0/1023 KiB | * | RFC 1918 networks | * | * | * | * | * | | Block private networks |
    | 0/31 KiB | * | Reserved / Not assigned by IANA | * | * | * | * | * | | Block bogon networks |
    | 0/686 KiB | IPv4 TCP/UDP | * | * | 192.168.1.6 | 8080 | * | none | | NAT unifi 8080 |
    | 0/181 KiB | IPv4 TCP/UDP | * | * | 192.168.1.6 | 8443 | * | none | | NAT unifi 8443 |
    | 0/1 KiB | IPv4 TCP | * | * | 192.168.1.6 | 21 (FTP) | * | none | | NAT attic ftp |
    | 0/28 B | IPv4 UDP | * | * | 192.168.1.17 | 88 | * | none | | NAT xbox one 88 |
    | 0/0 B | IPv4 TCP/UDP | * | * | 192.168.1.17 | 3074 | * | none | | NAT xbox one 3074 |
    | 0/88 B | IPv4 TCP/UDP | * | * | 192.168.1.17 | 53 (DNS) | * | none | | NAT xbox one 53 |
    | 0/88 B | IPv4 TCP | * | * | 192.168.1.17 | 80 (HTTP) | * | none | | NAT xbox one 80 |
    | 0/220 B | IPv4 UDP | * | * | 192.168.1.17 | 500 (ISAKMP) | * | none | | NAT xbox one 500 |
    | 0/0 B | IPv4 UDP | * | * | 192.168.1.17 | 3544 (Teredo) | * | none | | NAT xbox one 3544 |
    | 0/28 B | IPv4 UDP | * | * | 192.168.1.17 | 4500 (IPsec NAT-T) | * | none | | NAT xbox one 4500 |

    My failover works fine.

    Any help with this would be great!!

    Thanks in advance.


  • Banned

    Dude.

    • WTH, you have /16 on both your WANs? So that it'd overlap and cease working?
    • What exactly is "behind other routers where this pfsense is set to be inside DMZ"? Trying to port forward something on an RFC1918 WAN behind other routers and firewalls won't be exactly a productive experience, since that's not where you need to port-forward in the first place.


  • WAN1: there is nothing behind it other than this pfSense box.

    WAN2 is a connection used for wifi access to customers in a busy shop. This is why it is set to /16, because /24 wasn't giving enough leases and I just set it to this for ease.
    This is just the backup, so I'm not really bothered about the ports being forwarded on this connection.


  • Banned

    @amt1989:

    wan2 is a connection used for wifi access to customers in a busy shop - this is why it is set to /16 because /24 wasn't giving enough leases and i just set it to this for ease

    ?!?! That'd be a (W)LAN, not WAN. ?!?!

    ??? ??? ???


  • Rebel Alliance Global Moderator

    "wan2 is a connection used for wifi access to customers in a busy shop"

    How is that a WAN??  So you're leveraging some wifi network as a pfsense backup wan connection?  Confused..  Why does a /16 on that interface have you putting a /16 on your other?

    So did you go through the port forwarding troubleshooting?
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Step 1 to be honest, is the traffic you're wanting to forward even getting to pfsense?  You have rfc1918 on your wans - so did you uncheck block rfc1918??  Because that is on out of the box.. So if some nat router in front forwards to pfsense's rfc1918 address, it won't get past that rule..

    Even with your ascii art vs just posting an easy to read screenshot, I can see that you still have that rule enabled:
    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0/1023 KiB *  RFC 1918 networks  *  *  *  *  *      Block private networks

    And looks like lots of hits to it even with the 1023 number..
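    The diagnosis above comes down to rule order: pfSense's "Block private networks" option generates a block rule, matched on the packet's source address, that sits above the NAT pass rules on the WAN tab, and pf evaluates these generated rules top-down with first-match ("quick") semantics. The following Python script is an added example, not code from the thread or from the pfSense project; it constructs a rule list from the Rules table posted above (only the rows needed) and a few sample packets (all constructed, not captured traffic) to show which rule each packet lands on, with and without the block rule. The source addresses 203.0.113.5 (documentation range) and 10.20.20.50 (a host on the upstream private network) are assumptions.

    ```python
    import ipaddress
    from dataclasses import dataclass
    from typing import Optional

    # Ranges that pfSense's "Block private networks" option matches on the
    # SOURCE address of packets arriving on the interface.
    RFC1918 = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


    @dataclass(frozen=True)
    class Rule:
        action: str             # "block" or "pass"
        proto: str              # "any", "tcp", "udp" or "tcp/udp"
        src_private_only: bool  # True: rule matches only RFC 1918 sources
        dst: Optional[str]      # destination host after NAT, None = any
        dport: Optional[int]    # destination port, None = any
        desc: str


    def build_wan_rules(block_private: bool) -> list:
        """WAN rule set in the order of the thread's Rules table (constructed
        from that table; only the rows needed for the demonstration)."""
        rules = []
        if block_private:
            rules.append(Rule("block", "any", True, None, None,
                              "Block private networks"))
        rules += [
            Rule("pass", "tcp/udp", False, "192.168.1.6", 8080, "NAT unifi 8080"),
            Rule("pass", "tcp/udp", False, "192.168.1.6", 8443, "NAT unifi 8443"),
            Rule("pass", "tcp", False, "192.168.1.6", 21, "NAT attic ftp"),
            Rule("pass", "tcp/udp", False, "192.168.1.17", 3074, "NAT xbox one 3074"),
        ]
        return rules


    def is_private(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in RFC1918)


    def first_match(rules, src: str, dst: str, proto: str, dport: int):
        """Top-down, first-match evaluation (the 'quick' semantics pfSense
        applies to the rules it generates). Returns (action, description)."""
        for r in rules:
            if r.proto != "any" and proto not in r.proto.split("/"):
                continue
            if r.src_private_only and not is_private(src):
                continue
            if r.dst is not None and r.dst != dst:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action, r.desc
        return "block", "default deny"   # pf's implicit deny at the end


    def demo():
        """Evaluate constructed packets against both rule sets. pf applies the
        port-forward (rdr) translation before filtering, so the filter sees the
        internal host as destination, exactly as the Rules table shows."""
        results = {}
        for block_private in (True, False):
            rules = build_wan_rules(block_private)
            # Internet client reaching the forwarded UniFi port.
            results[("internet", block_private)] = first_match(
                rules, "203.0.113.5", "192.168.1.6", "tcp", 8080)
            # Test run from a host on the upstream 10.20.20.0/24 network, or
            # traffic whose source the upstream router rewrote to its own address.
            results[("upstream-private", block_private)] = first_match(
                rules, "10.20.20.50", "192.168.1.6", "tcp", 8080)
            # UDP to the FTP forward: the pass rule is TCP-only.
            results[("udp-to-ftp", block_private)] = first_match(
                rules, "203.0.113.5", "192.168.1.6", "udp", 21)
        return results


    if __name__ == "__main__":
        for (case, blocked), verdict in demo().items():
            print(f"block_private={blocked!s:5} {case:17} -> {verdict}")
    ```

    Running it shows the two outcomes the moderator describes: a packet with a private source address is stopped by "Block private networks" before any NAT pass rule is consulted, and the same packet reaches "NAT unifi 8080" once that option is unticked; a packet arriving with a public source is unaffected by the block rule either way, which is the first thing to confirm with a packet capture on the WAN interface before touching the rules.
    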



  • @doktornotor:

    @amt1989:

    wan2 is a connection used for wifi access to customers in a busy shop - this is why it is set to /16 because /24 wasnt giving enough leases and i just set it to this for ease

    ?!?! That'd be a (W)LAN, not WAN. ?!?!

    ??? ??? ???

    This is my fault for not explaining correctly.
    It is a WAN connection, not WLAN.

    Upstream of pfSense (in a different building) there is another router that manages DHCP for wifi access.



  • @johnpoz:

    "wan2 is a connection used for wifi access to customers in a busy shop"

    How is that a WAN??  So you're leveraging some wifi network as a pfsense backup wan connection?  Confused..  Why does a /16 on that interface have you putting a /16 on your other?

    So did you go through the port forwarding troubleshooting?
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Step 1 to be honest, is the traffic you're wanting to forward even getting to pfsense?  You have rfc1918 on your wans - so did you uncheck block rfc1918??  Because that is on out of the box.. So if some nat router in front forwards to pfsense's rfc1918 address, it won't get past that rule..

    Even with your ascii art vs just posting an easy to read screenshot, I can see that you still have that rule enabled:
    States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description  Actions
    0/1023 KiB *  RFC 1918 networks  *  *  *  *  *      Block private networks

    And looks like lots of hits to it even with the 1023 number..

    Apologies for not explaining myself correctly; the wifi access is upstream, controlled by another router.

    Also, I have checked: WAN1 is a /24 subnet (I got the figure wrong when typing it in).

    Good spot on the private network block. I have now disabled these rules.

    I will post screenshots later today, as I am using TeamViewer for access while I am out at work.
    I have read some of the troubleshooting and will go through it in more detail later.

    So I need to set any rules to allow wangroup to communicate with WAN and WAN2?


  • Rebel Alliance Global Moderator

    "so i need to set any rules to allow wangroup to communicate with wan and wan2?"

    Yeah you could allow traffic from 1 wan to talk to another wan through pfsense.. You're going to run into asymmetrical routing, unless you also nat traffic into wan1 from wan2 as your wan1 address, etc. Why would devices on wan 2 want to talk to devices on wan1?  And why would they be using pfsense's wan2 address as their gateway?

    These are not really wans, they are just upstream networks from your downstream pfsense.  You would normally route traffic between these upstream networks at the upstream router(s), not on some downstream router that is not their gateway, etc.

    Why don't you draw up your network and what exactly it is you're wanting to do/accomplish.. So far it sounds like you're going about it all wrong..  While pfsense for sure can be a downstream router/firewall in a larger network, why are you natting on it if you're already on a larger rfc1918 network?

    And if you're on a larger rfc1918 network, why would you want/need to set up multiple gateways into what amounts to the same larger network?  A drawing would be of great help in understanding what you're trying to do…



  • As I mentioned above:

    EDIT… WAN1 was behind a Virgin Media Super Hub set to modem only, but this was then only set to DHCP. I read that the WAN interface needs to have a gateway selected, which was not possible due to the DHCP ISP.

    The only reason that the main connection is behind another "router" is because I read that port forwarding may not work on a failover connection unless BOTH WAN connections have a gateway set, and this does not get set with a DHCP connection (or at least I couldn't find a way to do this).

    If this is not the case, I can turn the "router" back into modem only mode and have WAN1 set to DHCP.

    Here is my basic network map.

    The only thing upstream of WAN1 is the router 10.20.20.1.
    The only client to this network is pfSense.
    ![network drawing2.jpg](/public/imported_attachments/1/network drawing2.jpg)


  • Rebel Alliance Global Moderator

    Ok I would not connect it like that.  Why would your APs not be behind pfsense?

    So you end up with this.

    You can use public on pfsense wan connections, or if need be they could be some rfc1918 transit network that does not conflict with any of your other networks..  They sure don't need to be /16's; they could be a normal transit network of /30 if you can not put your isp devices in bridge mode so that pfsense actually gets a public IP.  Public on wan of pfsense would be the preferred setup so you're not having to double nat or port forward in multiple places, etc.

    Now traffic between your local networks does not have to nat.  You can just create easy firewall rules between your local networks, no port forwarding between them.  You can policy route any of your local networks out either of your wan connections.  Or can set up load balancing or failover, etc etc..

    You can use whatever sized network you need for your AP and wireless clients..  /16 seems really LARGE ;)  how many wifi clients do you normally have?  If your AP supports vlans and the switch they are connected to does as well, then you could run multiple different wifi networks with different rules to allow/block/etc for say guests or your devices, etc..




  • Thanks for the quick reply.

    "Ok I would not connect it like that.  Why would your AP's not be behind pfsense?"
    These are the APs only for the ISP2 and customer wifi in the shop.

    I have 5 others on my actual home network (they were not included in the drawing as they are not an issue).

    "wireless clients..  /16 seems really LARGE ;)  how many wifi clients do you normally have?"

    I did have /24 to start but changed to /16 after the 3 hour DHCP period was getting filled.. On a busy day it has gone up to 300-350,
    but usually it's around 200-250.

    "You can use public on pfsense wan connections, or if need be they could be some rfc1918 transit network that does not conflict with any of your other networks..  They sure don't need to be /16's they could be normal transit network of /30 if you can not put your isp devices in bridge mode so that pfsense actually gets a public IP.  Public on wan of pfsense would be the preferred setup so your not having to double nat or port forward in multiple places, etc."

    Yes, the main ISP WAN1 can be placed in bridge mode; it was in this mode. When my port forwarding did not work I read that all WANs needed a gateway defined to port forward correctly, and changed it.

    "If your AP supports vlans and the switch they are connected to does as well."
    The APs do, but my switching doesn't. I am using unmanaged 24 & 8 port switches.

    Unfortunately, designing the network the way you say is not doable. There is only 1 cable running between the two buildings.
    I have thought about this for a while, but until I move house this won't be redesigned.

    This setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers. I have not had any trouble port forwarding until it comes to pfSense.


  • Rebel Alliance Global Moderator

    "these are the aps only for the isp2 and customer wifi in the shop "

    What does that have to do with anything?  Let me think about it - oh yeah nothing ;)  Put them behind pfsense.  Route them out ispX.. Allow if needed access into your network, etc.. That point is a non sequitur for putting the connection behind pfsense.

    "there is only 1 cable running between the two buildings "

    Again confused as to what that has to do with anything.. So isp1 is in building 1 and isp2 is in building 2?  Or both are in a building and you need both access in another building?  Either way you can still connect these networks to pfsense no matter what building pfsense is in, and could use 1 wire if need be.  That is the whole beauty of vlans..

    "this setup i have here has worked fine as it is with port forwarding and everything i need it to with consumer grade routers"

    How so - you seem to be here on pfsense asking questions.. So not sure I would agree that all is fine ;)

    Ok busy day 350.. So use a /23 ;)  Now you have 500 IPs to work with..  As to your isp devices, if only 1 can be in bridge mode, ok use that in bridge mode - if your other can not, then you use a rfc1918 transit on that connection..

    As to a wan needing a gateway.. Yeah they do.. How else would it be a wan if it had no gateway to get anywhere but the network it was connected to?  If your isp device is in bridge mode then your pfsense would get a public IP, with a gateway address to your isp..

    Smart switches that do vlans can be had for very small budgets.. You could get an 8 port gig smart switch that does vlans for like $40.. Larger port density smart/managed switches get a bit more in $..  But still very reasonable home budget doable..  Here is a managed 24 port gig switch for $215.. Very home budget friendly
    https://store.ubnt.com/unifi/unifi-switch-24.html

    Do what you want, just suggesting that if you have migrated to pfsense from soho routers..  Why not design/set up your network so that you can leverage the features that pfsense brings to the table, etc.  Once you want to start segmenting your networks, it's time to migrate to at least entry level smart switches that can handle segmentation via vlans.



  • I appreciate the help with trying to redesign my network, but for now it is ok; I don't want to or plan to redesign anything any time soon.
    Yes, I know that this setup is not ideal in any world, but it has evolved and been added to over a few years.

    I have wanted to use pfSense for a while just for the sake of doing it.

    **"this setup i have here has worked fine as it is with port forwarding and everything i need it to with consumer grade routers"

    How so - you seem to be here on pfsense asking questions.. So not sure I would agree that all is fine ;)**

    When your router physically fails 1 week before Christmas there aren't many options, so I thought that I would give pfSense a go…
    It was either that or order another one of the same, or even a Ubiquiti ER Lite (all of my APs are Ubiquiti).

    With my previous router, an Asus RT-AC87U, my network setup was the same as this: port forwarding working fine, VPN server, dual WAN failover, dynamic DNS.

    But as with anything, budget is always a problem, especially this close to Christmas. I did not have another £180 to spend on the router. I already had a PC and dual NIC available.

    So please, I am just asking for help with forwarding the ports through WAN1 correctly.

    Later on today I will amend the WAN1 upstream router back to bridge and change WAN1 mode to DHCP.



  • Update: I have now changed things.

    Upstream:
    WAN1: ISP is now in bridge mode, directly connected to pfSense, and pfSense is set to DHCP on WAN1.
    WAN2: changed the upstream router; now set to 10.10.1.1/24.

    pfSense is now set to 192.168.1.1/24.