Some Port Forwarding some not?

  • Hi, looking for some clarity. I know there are many port forwarding topics, wikis, videos and blogs for pfSense, which I believe I have followed. But with so much material I'm not sure, since some of mine work and some don't? They are all copies of the originals?

    I believe I have the NAT records correct, as some ports are open and work, like HTTPS, SSH-22, Plex and MS RDP. The ones that don't are 80 HTTP and FTP 21.

    Source Add: *
    Source Port: *
    Dest Add: WAN address
    Dest Port: 80 (HTTP)
    Nat IP:
    Nat Port: 80 (HTTP)

    Now my setup is WAN, LAN, OPT1, OPT2, each with its own network card (single IP). I do have a VLAN off OPT1 where my webserver is hosted as a VM on ESXi. All configured correctly, as ESXi and the webserver can do outbound/inbound internet. Matter of fact, I have another server (on ESXi, same VLAN) just hosting a game server for Arma3 on UDP ports 2300-2305, and it is visible on the internet, also using NAT forwarding.

    I just can't get port 80 out? (I did state 21 but will take that up later)

    I have tried moving the server to the LAN interface and then port forwarding that, but that didn't work either.

  • You can't NAT port 80 if you have WebGUI running on that port.

    For FTP, you also need to forward the passive port range that your FTP server is using, and also make sure it's reporting its public IP address, not the LAN IP, or your FTP clients will complain they can't route to the server.

  • Thanks Kom, but I am on port 441 for the WebGUI and using HTTPS. For FTP I am passing the passive ports; will look at the public IP points you raised. It's not a biggie, the FTP, for me, just a like-to-have. It's the webserver that has really got me.

  • OK then, post screens of your NAT and WAN rules.

  • Kom thanks for taking the time here.

    I posted what you requested, including the aliases.

    ![NAT Rules.jpg](/public/imported_attachments/1/NAT Rules.jpg)
    ![WAN Rules.jpg](/public/imported_attachments/1/WAN Rules.jpg)
    ![port alias.jpg](/public/imported_attachments/1/port alias.jpg)

  • That looks good.  You're sure you're not running WebGUI on 80?  Check your web server's access log.  Do you see anything?  The rule shows that some traffic (69KB) has been processed.  You could also run a packet capture on WAN and LAN to see what's going on with the traffic.  Have you gone through this doc yet:

  • Banned

    `sockstat -P tcp | grep :80`

  • LAYER 8 Global Moderator

    49152 to 65535.. That is a shitton of passive ports.. Do you really plan on having like 16000 some users on your ftp server at the same time?

    You have your printer open to the public internet??  Are you wanting printouts of goatse or something?  Why do you have 1900 open to your plex.. That is sure not required for remote access to your plex..

  • Banned

    > 49152 to 65535.. That is a shitton of passive ports.. Do you really plan on having like 16000 some users on your ftp server at the same time?

    Probably some popular pr0n FTP server. :D

  • @doktornotor I tried your sockstat command and it came back blank over SSH.

    @Kom "Not running WebGUI on 80": I believe I'm not. Is there any other spot it would need changing than the "System > Advanced > Admin Access" top 3 config items? Protocol, SSL Cert, TCP Port. I am providing my screen.

    I am wondering if I should start with a fresh install and open the ports first; I just have a lot of settings. I guess I can back up the critical settings individually, start new, then load those that are basic (DHCP, interfaces, aliases, VLANs).

  • > is there any other spot

    No I think that's it.  Did you go through the troubleshooting guide item by item?  Did you try any of my suggestions, like checking your server log or doing a packet capture?

  • Banned

    Have you unticked the WebGUI redirect in System > Advanced > Admin Access?

  • Doktornotor, it was checked. I did just uncheck it and still same issue.

    Wouldn't this be checked, since I do not want it to bypass the listening port I have configured? That's what I am reading into it.

    > WebGUI redirect - Disable webConfigurator redirect rule
    > When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

    @Kom, I did as stated under #5: did a packet capture on WAN first, then I did the local IP. The WAN one is in the attachment and looks like there is some traffic, but the local IP had no traffic in the capture. Can I assume between WAN and local it's trapped or not getting down?

    I also checked the states section, and see no traffic coming inbound to port 80, so they look to be conflicting outputs.

    I have another PC available, I think I will create a new pfsense box 'plain vanilla' and try from scratch to see if that works. Greatly appreciate all your inputs that have been useful. I will let you know if the new box does open the port.

    [iphone to IP and www.txt](/public/imported_attachments/1/iphone to IP and www.txt)

  • Banned

    I meant to disable the redirect. (No idea what's the current state of "tick this to disable that" code review, probably went nowhere.)

    Other than that, there are logs and packet capture. No point in another 20 random guesses. E.g., 80 is often blocked by ISPs for SOHO customers.

  • Totally perplexing now. Fired up a new clean install of pfSense, just one NAT forward for HTTP, and still no visible webserver. OK, time to call the ISP again. Called yesterday and they said they are not blocking 80 and all DNS records are correctly configured.

  • > Can I assume between WAN and local it's trapped or not getting down?

    Perhaps.  How are you testing again?  From the WAN side or LAN side?

  • LAYER 8 Global Moderator

    Why do you need to call the ISP to see if they are blocking.. A 2 second test of packet capture on WAN, and then going to something like canyouseeme.org, tells you right away if 80 is allowed inbound to your IP..

    You can call your ISP all you want, but until you do this simple test you're not going to have proof one way or the other..
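The two checks the replies keep pointing at (is the firewall itself already bound to the forwarded port, and do SYNs captured on WAN ever reappear on the inside interface) as an added example that is not from this thread. It runs over constructed `sockstat` and `tcpdump` output; the process names, addresses and interface roles in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two checks the replies ask for, run over
# CONSTRUCTED sample output so it runs offline. local_listeners finds processes on the
# firewall itself bound to the forwarded port (webConfigurator / its port-80 redirect);
# untranslated_syns finds SYNs captured on WAN that never appear on the inside capture.

# Constructed `sockstat -P tcp` output; process and port values are assumptions.
SOCKSTAT_SAMPLE='USER  COMMAND  PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root  nginx    1234  6  tcp4   *:441          *:*
root  nginx    1234  7  tcp4   *:80           *:*'
# Constructed tcpdump lines from a WAN capture and from the inside capture.
WAN_CAP='12:00:01.000 IP 203.0.113.5.51000 > 198.51.100.10.80: Flags [S], seq 1
12:00:01.500 IP 203.0.113.5.51001 > 198.51.100.10.443: Flags [S], seq 2
12:00:02.000 IP 203.0.113.9.40000 > 198.51.100.10.80: Flags [S], seq 3'
LAN_CAP='12:00:01.500 IP 203.0.113.5.51001 > 192.168.20.10.443: Flags [S], seq 2'

# local_listeners PORT SOCKSTAT_TEXT -> "COMMAND PID" per process bound to PORT
local_listeners() {
  printf '%s\n' "$2" | awk -v p=":$1" 'NR > 1 && $6 ~ p"$" { print $2, $3 }'
}

# syn_sources PORT CAPTURE -> source ip.port of every SYN whose destination port is PORT
syn_sources() {
  printf '%s\n' "$2" | awk -v p="$1" '$6 == "Flags" && $7 == "[S]," {
    dst = $5; sub(/:$/, "", dst); n = split(dst, d, "."); if (d[n] == p) print $3 }'
}

# untranslated_syns PORT WAN_CAP LAN_CAP -> SYN sources seen on WAN but not inside.
# DNAT rewrites only the destination, so the unchanged source endpoint is the join key.
untranslated_syns() {
  wan=$(syn_sources "$1" "$2"); lan=" $(syn_sources "$1" "$3" | tr '\n' ' ') "
  for s in $wan; do
    case "$lan" in *" $s "*) ;; *) echo "$s" ;; esac   # absent inside => not forwarded
  done
}

# check_forward PORT -> verdict lines for the constructed samples above
check_forward() {
  l=$(local_listeners "$1" "$SOCKSTAT_SAMPLE")
  u=$(untranslated_syns "$1" "$WAN_CAP" "$LAN_CAP" | tr '\n' ' ')
  [ -n "$l" ] && echo "port $1: the firewall itself listens here ($l)"
  [ -n "$u" ] && echo "port $1: SYNs seen on WAN never reached inside: $u"
  [ -z "$l" ] && [ -z "$u" ] && echo "port $1: forward looks healthy"
  return 0
}

check_forward 80; check_forward 443
```

On a real box, replace the samples with `sockstat -P tcp` and `tcpdump -ni <wan> tcp port 80` / `tcpdump -ni <inside> tcp port 80` output captured while a test client on the outside connects; port 443 in the sample shows what a working forward looks like and port 80 what the thread's symptom looks like.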
