    Port forwarding seems to work a bit odd

    • acoustiq

      Hi guys,

      I have a small problem - I've created a few port forwards for various ports. Some of them work, some don't. For example:

      WAN  TCP  80 (HTTP)  192.168.1.251
      (ext.: 85.186.182.102) 80 (HTTP) Web
      or
      WAN  TCP  21 (FTP)  192.168.1.250
      (ext.: 85.186.182.102) 21 (FTP) FTP

      these work. However:

      WAN  TCP  5921  192.168.1.1
      (ext.: 85.186.182.102) 5921  Torrent
      or
      WAN  TCP  10000  192.168.1.10
      (ext.: 85.186.182.102) 10000  Torrent

      these don't work. I actually created the rules starting from the first one that worked, and just kept going.
      All my LAN IPs that have ports forwarded are reserved in DHCP.

      I'm testing the ports with the utorrent port checker - 21, 25, 80, 110, 1919, 1937, 1950 all work. The others don't.

      In the firewall logs I find this [for ex]:
      Sep 24 03:55:38  WAN  72.20.34.145:40768  85.186.182.102:1054  TCP
      [The rule that triggered this action is: @70 block drop in log quick all label "Defaul block all just to make sure.""
      I checked the firewall rules, and apart from those that were created by the NAT, there's just the "Block private networks" rule which comes by default.

      Anyone have an idea? I see no pattern there…

      Also, if this should be more of a firewall issue, please move the thread.

      I should say that I'm a complete noob when it comes to xBSD/pf :D

      Thanks in advance!

      • GruensFroeschli

        When you create a new port forwarding rule, there is a checkbox at the bottom: "Auto-add a firewall rule to permit traffic through this NAT rule".

        If you just copy a NAT rule, the appropriate firewall rule doesn't get created.
        Go to firewall and create the needed rules.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
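
Added example (not part of the original posts, and not pfSense code): a Python check for the case this reply describes, a port forward whose pass rule was never created, plus a classifier for blocked-packet log lines. The rule tuples, the documentation-range addresses and the log lines are constructed; the log layout follows the line quoted in the first post, and the function names are hypothetical.

```python
import re
from collections import namedtuple

Forward = namedtuple("Forward", "proto ext_port target local_port")
PassRule = namedtuple("PassRule", "proto dst dst_port")  # "*" means any

# Constructed sample data: 7026 models a copied NAT rule with no pass rule.
FORWARDS = [Forward("TCP", 1140, "192.168.1.250", 1140),
            Forward("TCP", 7026, "192.168.1.250", 7026)]
RULES = [PassRule("TCP", "192.168.1.250", 1140)]
LOG = """\
Sep 24 03:55:38  WAN  198.51.100.7:40768  203.0.113.10:7026  TCP
Sep 24 03:55:41  WAN  198.51.100.7:40770  203.0.113.10:1054  TCP
Sep 24 03:55:44  WAN  198.51.100.7:40771  203.0.113.10:1140  TCP
"""

# Layout of the log line quoted in the thread: date, interface, src, dst, proto.
LOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<iface>\S+)\s+[\d.]+:\d+\s+"
                    r"[\d.]+:(?P<dport>\d+)\s+(?P<proto>\w+)$")

def permits(rule, fwd):
    """pf redirects before it filters, so the pass rule must match the
    forward's internal target and local port, not the WAN address."""
    return (rule.proto in ("*", fwd.proto)
            and rule.dst in ("*", fwd.target)
            and rule.dst_port in ("*", fwd.local_port))

def forwards_without_pass(forwards, rules):
    """Port forwards that no pass rule would let through."""
    return [f for f in forwards if not any(permits(r, f) for r in rules)]

def explain_block(line, forwards, rules):
    """Classify one blocked-packet log line by its destination port.
    Assumes the log shows the external port, as in the thread's log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None  # not a line in the expected layout
    port, proto = int(m["dport"]), m["proto"].upper()
    fwd = next((f for f in forwards
                if f.ext_port == port and f.proto == proto), None)
    if fwd is None:
        return (port, "no port forward defined")
    if forwards_without_pass([fwd], rules):
        return (port, "port forward has no matching pass rule")
    return (port, "forward and pass rule both present")

if __name__ == "__main__":
    for entry in LOG.splitlines():
        print(explain_block(entry, FORWARDS, RULES))
```

The third outcome is the one the original poster reports: both rules exist and the port is still blocked, which points away from a missing pass rule.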

        • acoustiq

          Ok, I've thought about that… All my port-forward rules have corresponding firewall rules. For example:

          NAT - WAN  TCP  1140  192.168.1.250 (ext.: 85.186.182.102) 1140
          FW - TCP  *  *  192.168.1.250  1140  *    NAT

          This works. But the next one doesn't:

          NAT - WAN  TCP  7026  192.168.1.250 (ext.: 85.186.182.102) 7026
          FW - TCP  *  *  192.168.1.250  7026  *

          I'm stumped… The rules that work are defined just like those that don't... And I don't think 18 NAT/FW rules are too much to ask.

          • GruensFroeschli

            Please show screenshots of your rules
            and how you tested that it "doesn't work".

            • acoustiq

              Okay, screenshots are here:

              http://acoustiq.ro/pf/NAT.png
              http://acoustiq.ro/pf/rules.png

              How have I tested? uTorrent port checker, canyouseeme.com, no traffic on those ports, the messages I showed above [from the firewall log], can't connect from outside networks… For example I can connect on 4000, but not on 7026, 1054, etc...

              I'm stumped... They all look the same, yet not all work.

              • GruensFroeschli

                So some work and some don't?
                Is it possible that there is another firewall involved?
                Does your ISP block certain ports?
                Did you make sure that when you run the test there actually is a service running on the port on the computer to which you forward traffic?

                • acoustiq

                  I've checked everything - I was using these ports and services before installing pfSense, so they're open. My ISP doesn't block anything…

                  • acoustiq

                    Quick thought - I tried the traffic shaping bit at one time, then disabled it. Could there have been some left-over settings that can interfere?

                    Maybe I'll just reinstall it and configure it again from the ground. It shouldn't take more than 30 min so I can just use the old 1721 router…
