Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Port-forwarding: Clarification needed

    NAT
    3
    9
    2.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfsensibility
      last edited by

      I just want to double check that I have this right.

      I am having trouble with getting Plex (:32400) to work with port forwarding (well actually that's not completely true as plex.tv is working so idk…). These are the results from canyouseeme.org, which seems to indicate that pfSense is correctly forwarding the port (:12345 to :32400 in this example), but is being intercepted by the firewall on the host machine (CentOS running FirewallD).

      This is the output from Diagnostics > States.

      
      WAN    tcp    52.202.215.126:55317 -> 10.0.0.123:32400 (00.00.00.00:12345)    CLOSED:SYN_SENT    2 / 0    120 B / 0 B
      

      I won't ask here about FirewallD, but I hoped that it might save me from looking at any more pfSense guides (as well as offer some bloke, with a similar issue, some guidance).

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Yeah sure looks like traffic was forwarded.  But not answered.. This points to firewall on plex box.

        If you want to actually see it.. Just sniff on pfsense interfasce for plex network (lan I would assume) and then try your test again.  Do you see the syn go out to the plex box, and the correct mac address for your plex IP..  If so and no answer then yeah either firewall on plex server or some other reason packet never got to plex or its answer didn't come back to pfsense..

        For example if plex is using different gateway than pfsense you would have the same symptoms..

        How exactly are you trying to access your server When local, are you using  plex.direct is kind of odd bird.. It can return your plex servers rfc1918 address..  This can be blocked if your using rebinding its protection, etc. Are you using https for your connections? etc..

        I personally go direct to my plex server via its local name storage.local.lan or its IP and when remote I use my public IP or fqdn that points to my public IP.  The remote is normally always off - I vpn in to access my plex when not on my local network.

        But yeah plex does some stuff to make it easier for your typical user running some soho router and UPnP and enabling remote access.. Most users dns does not do any sort of rebinding protection, etc..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • P
          pfsensibility
          last edited by

          Alright, so this is weird. I ran Packet Capture and ran my external port-checker tests again and saw no packets. Then I tried running an internal port-checker (via pfSense) and saw packets galore (and it could see my plex box). So does this mean pfSense is not forwarding the packets onto the internal network, or is that expected behavior? I can upload my rules if need be.
          As an aside, I did not see any MAC address, so I assume that I just ran a different test than the one you were thinking.

          Typically I use 'local_server':32400/web to access plex management. I did get plex.direct working, but I only used that for troubleshooting. I really want to get https working, but I was having some trouble with setting up a CA. I plan to get to it later.

          I was having some difficulty forwarding other ports, but rather than come onto the forum wanting to forward 'all the ports!' I thought I'd just stick with one, plex, because it's setup has become fairly standard by now. Also, I am not sure how easy it will be to teach my brother about VPN.

          True, a soho router will make things easier, but in the end, it doesn't teach you much.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            where did you run packet capture?  If your not seeing packet capture on your lan but see them on your wan then you have a forwarding issue..

            Who said anything about using a soho router?

            As to not see mac address??  You would need to look for it.. Not going to jump out and bit you on the nose??

            Sure post up your firewall rules.. As to
            "'local_server':32400/web"

            So you access it via is local name that resolves to rfc1918 address?  Or are you access it from the plex server direct?

            As to doing a sniff.. If your not seeing packet capture on pfsense then your either not sniffing on correct interface, put in some filter for wrong something or let it sniff for everything and hit your 100 packet setting?  This really is no brainer stuff..

            Here I sniffed on my wan for port 32400, did a test from canyouseeme - shows down, but I see the packets in my sniff.

            I then create the port forward and then sniff on my LAN interface on pfsense with packet capture.. There you see pfsense sending traffic to my plex on 192.168.9.8 and the response.  And now canyouseeme says the port is good.

            if your having issues with port forwarding in general then your doing something wrong, or checking it wrong?  Ie trying to do nat reflection when nat reflection is not setup.  Or your ISP is blocking the ports, etc.  Post up your rules both your nats and your wan firewall rules.

            Go through the port forwarding troubleshooting doc
            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            2nd pic you see my firewall rules and my port forward including the new 32400 I did for this test.

            packetcapture.png
            packetcapture.png_thumb
            portforward.png
            portforward.png_thumb

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • P
              pfsensibility
              last edited by

              @johnpoz:

              Who said anything about using a soho router?

              You did in your previous post. I apologize if I confused things. I think you were just saying that most soho routers don't run into these kind of problems because of UPnP.

              @johnpoz:

              where did you run packet capture?

              I ran multiple tests from both the Packet Capture WebGUI tool in PFsense and tcpdump from the shell. Both confirmed that no packets were being sent on the LAN on port 32400. Thus no ports were being forwarded. Just to insure it was not a firewall issue on the target machine, I ran a port check locally for Plex and I got a response back.

              As for the MAC address, I just did not see MAC addresses in the output from either test, so I was just trying to be sure I was not performing the wrong one. I guess the point is kind of moot now, since we've discovered the traffic is not even getting past the firewall??

              @johnpoz:

              So you access it via is local name that resolves to rfc1918 address?  Or are you access it from the plex server direct?

              Most of the time I just use the rfc1918 address.

              @johnpoz:

              As to doing a sniff.. If your not seeing packet capture on pfsense then your either not sniffing on correct interface, put in some filter for wrong something or let it sniff for everything and hit your 100 packet setting?  This really is no brainer stuff..

              Which is why this is so frustrating. I have lost count over the number of times I have checked things over. And I fear that the answer will just be some simple/random setting, like it always is with computers.

              Tried the port forwarding troubleshooting and everything seems to correspond.

              Could it be related to any packages, like pfblockerNG? I've tried disabled a few of the ones I thought could be causing a problem, but that has yet to fix anything.

              Edit: Sorry for the double post, if any of you saw it.

              plex_nat.png_thumb
              plex_nat.png
              pfsense_firewall.jpg_thumb
              tcpdump.jpg
              tcpdump.jpg_thumb
              pfsense_firewall.jpg

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                You do realize that you are not listening for connections on WAN to 32400, but translating WAN address:41222 to 10.0.0.51:32400 right?

                When I looked at plex I remember it being pretty picky about that stuff.

                Hmm. Just saw your port test, so I guess so.

                I would run a packet capture on the interface to 10.0.0.51, filtered on port 32400. Post the results.

                You can also look at Diagnostics > States, filtered on 41222. When you get the source IP address of the port checker from that, use it as a filter there instead. That will show the states on the inside and outside interfaces.

                Post those.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • P
                  pfsensibility
                  last edited by

                  You mean igb1? Yeah igb1 is the LAN port and igb0 is the WAN port. I want to see the packets on the LAN, correct?

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Edited the above.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • P
                      pfsensibility
                      last edited by

                      Alright, looking at the IP of the Port Checker was the right call because it showed that the traffic on 10.0.0.51 was using the OpenVPN interface on the PFsense router. It should not have been doing that though. Maybe it's paranoid?

                      In all seriousness thank you for the help!

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.