Problem 'opening' ports
-
Well, after a few days of looking for information I can't find a solution for this. I think there is something blocking traffic but I can't see where. The point is, I'm trying to set up two SSH servers (for testing): the first one is running on port 22 and the second on 2222. Both are accessible in the LAN, but only the server on 22 is reachable across the WAN. I scanned the ports of the server and I only have 22, 53, 80 and 443, but not port 2222.
I have this schema (NAT forwarding for both ports):
wan(22) -> firewall(NAT-forwarding) -> VLAN -> server1(22) [this is working]
wan(2222) -> firewall(NAT-forwarding) -> VLAN -> server1(2222) [this is not working]
I tried to do the same on another platform and it works fine. I'm using haproxy on the server but it only takes ports 80 and 443. This testing environment is on an ESXi server; the ESXi firewall looks, I don't know what to check, any hint?
thanks!!
-
From an external host, if you attempt to connect to port 2222 while running tcpdump you should see which IP is blocking access. This would determine whether your ISP is blocking it or if you still have some misconfiguration on your side.
You could also run tcpdump on pfSense and/or server1 to see where the packets are stopping, assuming it's somewhere within your network.
-
Hi, thanks to all. Well, I ran tcpdump on both sides; on the client I got this:
17:46:55.759531 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263744818 ecr 0,sackOK,eol], length 0
17:46:56.761145 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263745818 ecr 0,sackOK,eol], length 0
17:46:57.763523 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263746818 ecr 0,sackOK,eol], length 0
17:46:58.765254 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263747818 ecr 0,sackOK,eol], length 0
17:46:59.770129 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263748818 ecr 0,sackOK,eol], length 0
17:47:00.771967 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263749818 ecr 0,sackOK,eol], length 0
17:47:02.779654 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263751818 ecr 0,sackOK,eol], length 0
17:47:06.788510 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263755818 ecr 0,sackOK,eol], length 0
17:47:14.800564 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263763818 ecr 0,sackOK,eol], length 0
17:47:30.826908 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1263779818 ecr 0,sackOK,eol], length 0
17:48:02.879095 IP 192.168.0.3.57441 > domain.local.rockwell-csp2: Flags [S], seq 1881700303, win 65535, options [mss 1460,sackOK,eol], length 0
and on the server nothing:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmx0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
7477 packets received by filter
0 packets dropped by kernel
I see nothing in the client output, looks correct, right?
P.S.: If I try to test the port by putting the WAN IP in the pfSense port test, pfSense says 'Connection failed.'
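The capture method suggested in the reply above (tcpdump on the external client and on the server, then see where the SYNs stop) and the client-side output in this post can be read mechanically. The Python script below is an added example, not code from this thread or from pfSense: it parses tcpdump's one-line TCP output as printed with -n, and classifies a connect attempt as open (a SYN-ACK came back), rejected (a RST came back) or filtered (SYNs went out, nothing answered, and the retransmit gaps grow 1, 1, 2, 4, ...). The sample captures are constructed for the example, with 203.0.113.10 standing in as the WAN address. Note that without -n tcpdump substitutes the service name from /etc/services for the port, which is why the capture above shows rockwell-csp2 where 2222 would be.

```python
import re

# One TCP line as tcpdump prints it with -n:
# "HH:MM:SS.usec IP src.port > dst.port: Flags [..], ..."
TCP_LINE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}\.\d+) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_lines(capture):
    """Return (seconds_since_midnight, src, dst, flags) for every TCP line in a capture.

    Header lines ("listening on ...") and non-TCP traffic do not match and are skipped.
    """
    records = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        secs = int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"])
        records.append((secs, m["src"], m["dst"], m["flags"]))
    return records


def classify_connect(capture, client_endpoint):
    """Classify one connect attempt seen from the client side.

    client_endpoint is the "addr.port" string tcpdump prints for the client socket.
    Returns:
      "open"     - a SYN-ACK ([S.]) came back: the port is reachable end to end
      "rejected" - a RST came back: some host actively refused the connection
      "filtered" - SYNs went out and nothing came back: dropped somewhere in transit
      "no-syn"   - the capture holds no SYN from that endpoint
    """
    syn_count = 0
    saw_synack = saw_rst = False
    for _, src, dst, flags in parse_tcp_lines(capture):
        if src == client_endpoint and flags == "S":
            syn_count += 1
        elif dst == client_endpoint:
            if "S" in flags and "." in flags:
                saw_synack = True
            if "R" in flags:
                saw_rst = True
    if syn_count == 0:
        return "no-syn"
    if saw_synack:
        return "open"
    if saw_rst:
        return "rejected"
    return "filtered"


def retransmit_gaps(capture, client_endpoint):
    """Whole seconds between successive SYNs from the client.

    A run like [1, 1, 2, 4, 8, ...] is the client's TCP stack backing off because
    nothing ever answered; compare with a capture on the server to see whether the
    SYNs arrive there at all.
    """
    times = [secs for secs, src, _, flags in parse_tcp_lines(capture)
             if src == client_endpoint and flags == "S"]
    return [round(b - a) for a, b in zip(times, times[1:])]


# Constructed sample captures (not from the thread); 203.0.113.10 is a documentation address.
SAMPLE_FILTERED = """\
17:46:55.759531 IP 192.168.0.3.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:56.761145 IP 192.168.0.3.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:57.763523 IP 192.168.0.3.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:46:59.770129 IP 192.168.0.3.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
17:47:03.779654 IP 192.168.0.3.57441 > 203.0.113.10.2222: Flags [S], seq 1881700303, win 65535, length 0
"""

SAMPLE_OPEN = """\
17:50:01.000100 IP 192.168.0.3.57442 > 203.0.113.10.22: Flags [S], seq 100, win 65535, length 0
17:50:01.030200 IP 203.0.113.10.22 > 192.168.0.3.57442: Flags [S.], seq 500, ack 101, win 65535, length 0
17:50:01.030300 IP 192.168.0.3.57442 > 203.0.113.10.22: Flags [.], ack 1, win 2058, length 0
"""

SAMPLE_REJECTED = """\
17:51:01.000100 IP 192.168.0.3.57443 > 203.0.113.10.2222: Flags [S], seq 200, win 65535, length 0
17:51:01.030200 IP 203.0.113.10.2222 > 192.168.0.3.57443: Flags [R.], seq 0, ack 201, win 0, length 0
"""


if __name__ == "__main__":
    for name, cap, ep in [("filtered", SAMPLE_FILTERED, "192.168.0.3.57441"),
                          ("open", SAMPLE_OPEN, "192.168.0.3.57442"),
                          ("rejected", SAMPLE_REJECTED, "192.168.0.3.57443")]:
        print(name, classify_connect(cap, ep), retransmit_gaps(cap, ep))
```

Run it against a real capture by saving `tcpdump -n -i <iface> port 2222` output to a file and passing its contents plus the client's `addr.port` to `classify_connect`. A "filtered" verdict on the client together with "0 packets captured" on the server, as in this post, places the drop somewhere between the two capture points, which is exactly the case for a capture on the pfSense WAN interface next.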
-
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
Thanks for the info. I checked the list but everything is OK; I don't see any packets. I tried moving the SSH server to port 53 (DNS) temporarily and tested it, and it works fine, I can see the server receiving the packets. After this I tried adding a block rule for port 53 and that works too. I'm using this server to experiment with haproxy; is it possible that haproxy is doing something?
I think there is something blocking the traffic to the server, because tcpdump always gets the packets, right? Even if you have different services, tcpdump just shows you the packets on the interfaces, so if I have no packets there is something in front of the server blocking these ports, right?
-
Well, after talking with my server provider and checking their network, everything is running fine; they were using a firewall in front of my server. Thanks everyone for helping me!