Port forwarding seems to work a bit odd



  • Hi guys,

    I have a small problem - I've created a few port forwards for various ports. Some of them work, some don't. For example:

    WAN  TCP  80 (HTTP)  192.168.1.251
    (ext.: 85.186.182.102) 80 (HTTP) Web
    or
    WAN  TCP  21 (FTP)  192.168.1.250
    (ext.: 85.186.182.102) 21 (FTP) FTP

    these work. However:

    WAN  TCP  5921  192.168.1.1
    (ext.: 85.186.182.102) 5921  Torrent
    or
    WAN  TCP  10000  192.168.1.10
    (ext.: 85.186.182.102) 10000  Torrent

    these don't work. I actually created the rules starting from the first one that worked, and just kept going.
    All my LAN IPs that have ports forwarded are reserved in DHCP.

    I'm testing the ports with the utorrent port checker - 21, 25, 80, 110, 1919, 1937, 1950 all work. The others don't.

    In the firewall logs I find this [for ex]:
    Sep 24 03:55:38  WAN  72.20.34.145:40768  85.186.182.102:1054  TCP
[The rule that triggered this action is: @70 block drop in log quick all label "Defaul block all just to make sure."]
    I checked the firewall rules, and apart from those that were created by the NAT, there's just the "Block private networks" rule which comes by default.

    Anyone have an idea? I see no pattern there…

    Also, if this should be more of a firewall issue, please move the thread.

    I should say that I'm a complete noob when it comes to xBSD/pf :D

    Thanks in advance!



  • When you create a new port forwarding rule there is, at the bottom, a checkbox "Auto-add a firewall rule to permit traffic through this NAT rule".

    If you just copy a NAT rule the appropriate firewall rule doesn't get created.
    Go to firewall and create the needed rules.
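    The point made in this reply (an rdr/NAT entry with no matching pass rule falls through to the default block rule, which is exactly the "block drop in log quick all" hit shown in the first post) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it takes a constructed list of forwards, a constructed list of pass rules, and constructed log lines modelled on the display format shown above, and reports which blocked destination ports belong to forwards that have no pass rule. The function names and the sample data are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): find forwarded ports that are being
# dropped because no firewall pass rule was created for them.

# Constructed NAT (rdr) forwards in "proto port target" form.
RDR_RULES='tcp 80 192.168.1.251
tcp 21 192.168.1.250
tcp 5921 192.168.1.1
tcp 10000 192.168.1.10
tcp 1054 192.168.1.250'

# Constructed firewall pass rules that actually exist, same form.
PASS_RULES='tcp 80 192.168.1.251
tcp 21 192.168.1.250'

# Constructed log lines, modelled on the firewall-log display in the thread:
# date time iface src:port dst:port proto
LOG='Sep 24 03:55:38  WAN  72.20.34.145:40768  85.186.182.102:1054  TCP
Sep 24 03:56:02  WAN  198.51.100.7:51234  85.186.182.102:80  TCP
Sep 24 03:57:11  WAN  203.0.113.9:40001  85.186.182.102:5921  TCP'

# forwards_without_pass: print every rdr entry that has no pass rule with the
# same proto, port and target (fixed-string, whole-line match).
forwards_without_pass() {
  printf '%s\n' "$RDR_RULES" | while read -r proto port target; do
    [ -z "$proto" ] && continue
    if ! printf '%s\n' "$PASS_RULES" | grep -qxF "$proto $port $target"; then
      printf '%s %s %s\n' "$proto" "$port" "$target"
    fi
  done
}

# blocked_forwarded_ports: read log lines on stdin and print (sorted, unique)
# each destination port that is forwarded but has no pass rule.
blocked_forwarded_ports() {
  missing=$(forwards_without_pass | awk '{print $2}' | tr '\n' ' ')
  awk -v missing="$missing" '
    BEGIN { n = split(missing, m, " "); for (i = 1; i <= n; i++) miss[m[i]] = 1 }
    {
      # destination is the 6th field "ip:port"; the port follows the last colon
      split($6, d, ":"); port = d[length(d)]
      if (port in miss) print port
    }' | sort -n | uniq
}

# Stand-alone run: list the forwards that still need a pass rule.
echo "forwards with no pass rule:"
forwards_without_pass
echo "blocked ports hitting such forwards:"
printf '%s\n' "$LOG" | blocked_forwarded_ports
```

    On a real pfSense box the two lists would come from `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules) rather than from constructed strings, and the log lines from the firewall log; the comparison logic is the same.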



  • Ok, I've thought about that… All my port-forward rules have corresponding firewall rules. For example:

    NAT - WAN  TCP  1140  192.168.1.250(ext.: 85.186.182.102) 1140
    FW - TCP  *  *  192.168.1.250  1140  *    NAT

    This works. But the next one doesn't:

    NAT - WAN  TCP  7026  192.168.1.250(ext.: 85.186.182.102) 7026
    FW - TCP  *  *  192.168.1.250  7026  *

    I'm stumped… The rules that work are defined just like those that don't... And I don't think 18 NAT/FW rules are too much to ask.



  • Please show screenshots of your rules
    and how you tested that it "doesn't work".



  • Okay, screenshots are here:

    http://acoustiq.ro/pf/NAT.png
    http://acoustiq.ro/pf/rules.png

    How have I tested? uTorrent port checker, canyouseeme.com, no traffic on those ports, the messages I showed above [from the firewall log], can't connect from outside networks… For example I can connect on 4000, but not on 7026, 1054, etc...

    I'm stumped... They all look the same, yet not all work.



  • So some work and some don't?
    Is it possible that there is another firewall involved?
    Does your ISP block certain ports?
    Did you make sure that when you run the test there actually is a service running on the port on the computer to which you forward traffic?



  • I've checked everything - I was using these ports and services before installing pfSense, so they're open. My ISP doesn't block anything…



  • Quick thought - I tried the traffic shaping bit at one time, then disabled it. Could there have been some left-over settings that can interfere?

    Maybe I'll just reinstall it and configure it again from the ground. It shouldn't take more than 30 min so I can just use the old 1721 router…

