Port forwarding seems to work a bit odd
I have a small problem - I've created a few port forwards for various ports. Some of them work, some don't. For example:
WAN TCP 80 (HTTP) 192.168.1.251
(ext.: 18.104.22.168) 80 (HTTP) Web
WAN TCP 21 (FTP) 192.168.1.250
(ext.: 22.214.171.124) 21 (FTP) FTP
these work. However:
WAN TCP 5921 192.168.1.1
(ext.: 126.96.36.199) 5921 Torrent
WAN TCP 10000 192.168.1.10
(ext.: 188.8.131.52) 10000 Torrent
these don't work. I actually created the rules starting from the first one that worked, and just kept going.
All my LAN IPs that have ports forwarded are reserved in DHCP.
I'm testing the ports with the utorrent port checker - 21, 25, 80, 110, 1919, 1937, 1950 all work. The others don't.
In the firewall logs I find this [for ex]:
Sep 24 03:55:38 WAN 184.108.40.206:40768 220.127.116.11:1054 TCP
[The rule that triggered this action is: @70 block drop in log quick all label "Defaul block all just to make sure.""
I checked the firewall rules, and apart from those that were created by the NAT, there's just the "Block private networks" rule which comes by default.
Anyone have an idea? I see no pattern there…
Also, if this should be more of a firewall issue, please move the thread.
I should say that I'm a complete noob when it comes to xBSD/pf :D
Thanks in advance!
When you create a new portforwarding rule there is at the bottom at checkbox "Auto-add a firewall rule to permit traffic through this NAT rule"
If you just copy a NAT rule the appropriate firewall-rule doesnt get created.
Go to firewall and create the needed rules.
Ok, I've thought about that… All my port-forward rules have corresponding firewall rules. For example:
NAT - WAN TCP 1140 192.168.1.250(ext.: 18.104.22.168) 1140
FW - TCP * * 192.168.1.250 1140 * NAT
This works. But the next one doesn't:
**NAT - WAN TCP 7026 192.168.1.250(ext.: 22.214.171.124) 7026
FW - TCP * * 192.168.1.250 7026 ***
I'm stumped… The rules that work are defined just like those that don't... And I don't think 18 NAT/FW rules are too much to ask.
Please show screenshots of your rules
and how you tested that it "doesnt work".
Okay, screenshots are here:
How have I tested? uTorrent port checker, canyouseeme.com, no traffic on those ports, the messages I showed above [from the firewall log], can't connect from outside networks… For example I can connect on 4000, but not on 7026, 1054, etc...
I'm stumped... They all look the same, yet not all work.
So some work and some dont?
Is it possible that there is another firewall involved?
Does your ISP block certain ports?
Did you make sure that when you run the test there actually is a service running on the port on the computer to which you forward traffic?
I've checked everything - I was using these ports and services before installing pfSense, so they're open. My ISP doesn't block anything…
Quick thought - I tried the traffic shaping bit at one time, then disabled it. Could there have been some left-over settings that can interfere?
Maybe I'll just reinstall it and configure it again from the ground. It shouldn't take more than 30 min so I can just use the old 1721 router…