Netgate Discussion Forum

    Newbie - Need help with Port Forwarding.

      RDabate

      Hi,

      I just got pfsense up and running so I'm still learning.  Attached is my first attempt at port forwarding for my Plex app.  However, I'm doing something wrong because it is not working.

      Can someone point me in the right direction? 
      pf.png

        RDabate

        I never got this to work and ended up enabling UPnP & NAT-PMP.  With this enabled, the app was able to access the web.

          johnpoz LAYER 8 Global Moderator

          The app accessing the web has ZERO to do with you accessing it remotely..

          Do you mean the testing of remote access in plex and the little green check mark?

          Your rule looks correct.. But without seeing what your wan rules were/are it's quite possible the rule for your nat was below something that blocked it.  Or you were testing from internally and would need nat reflection for that to work.  There is also the whole thing with plex and rebinding protection as well.

          Did you go through the troubleshooting guide?
          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          To be honest I see zero reason to forward this - do you have guests that use up your bandwidth watching your plex?  Or is this just for you to access while you're away from home or while you're on your cell data plan?  If so the more secure way to do it would be a vpn connection.  This is how I access my plex while away..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            RDabate

            Yes, I'm working with Plex to get the green box enabled for external access for remote user viewing.  Being that I'm not familiar with this yet, I see your point about the order. I will probably go back and test some more this week. Would you consider upnp a security risk?  I enabled it just to make things work, but I'm not sure this is how I want to keep it? My goal is to make everything as secure as possible.

              johnpoz LAYER 8 Global Moderator

              Is UPnP a security risk??  Hmmm let's think about it for a second.. A protocol that is allowed to open up ports in your firewall to allow for unsolicited inbound traffic without any form of auth or identification.. Why would that be of concern?? hmmmm <grin>

              Did you at least lock it down to say only the IP of your plex could only open up ports inbound to the plex?

              Plex needs exactly 1 port inbound.  There is zero reason to allow upnp to do that.

              "My goal is to make everything as secure as possible."

              And opening up the whole internet to your plex server seems like a way to go about that ;)  The secure way to go about accessing your plex while remote would be to vpn into your network..  This would require secure authentication from a device you installed the openvpn client on with the cert, etc. etc.  And then even then could be locked down to only access your plex if you so desired.  So that would be magnitudes more secure than just allowing the whole internet into your plex server.. With the only form of auth the username and password you have set - and the security of the service serving it up..

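The lock-down johnpoz asks about in the post above, as an added example that is not part of the original thread and is not pfSense or miniupnpd code: a model of UPnP permission entries in the `allow|deny <external ports> <internal address> <internal ports>` form, comparing which port-mapping requests are accepted with no entries and with one entry limited to the Plex host. The addresses, Plex's default port 32400, first-match evaluation and the allow-by-default fallback are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext_ports: range
    net: ipaddress.IPv4Network
    int_ports: range

def _ports(spec):  # '32400' or '1024-65535' -> inclusive range
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return range(lo, hi + 1)

def parse_acl(text):
    """Parse 'allow|deny <ext ports> <internal addr[/cidr]> <int ports>' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action!r}")
        rules.append(Rule(action == "allow", _ports(ext),
                          ipaddress.ip_network(net, strict=False), _ports(internal)))
    return rules

def permitted(rules, client, ext_port, int_port, default_allow=True):
    """First matching entry decides; default_allow models 'no entry matched' (assumption)."""
    addr = ipaddress.ip_address(client)
    for r in rules:
        if addr in r.net and ext_port in r.ext_ports and int_port in r.int_ports:
            return r.allow
    return default_allow

# Constructed sample data: the Plex host and the second LAN client are made up.
PLEX = "192.168.1.50"
LOCKED_ACL = """
allow 32400 192.168.1.50 32400   # only the Plex host, only its one port
deny 0-65535 0.0.0.0/0 0-65535   # every other mapping request is refused
"""
REQUESTS = [(PLEX, 32400, 32400), (PLEX, 3389, 3389), ("192.168.1.77", 3389, 3389)]

def audit(acl_text, default_allow=True):
    rules = parse_acl(acl_text)
    return [permitted(rules, *req, default_allow=default_allow) for req in REQUESTS]
```

`audit("")` returns one accept/refuse decision per entry in `REQUESTS` with no permission entries configured, and `audit(LOCKED_ACL)` does the same with the Plex-only entry in place.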
                RDabate

                Thanks for the "Learning".  Your sarcasm is both welcomed and appreciated.  :)

                I'm back in testing mode.  UPnP has been disabled, and the port forwarding rule from earlier re-enabled.  I attached both LAN / WAN screen shots from Firewall > Rules > LAN.  The rules here, (besides Plex) were already there by default.  I'm not sure if I should be doing anything with this?  Also, I attached my IP info.  I see IPv6 stuff here, and I believe it's all disabled?  Not sure if that could be causing a problem?

                Thank you for the help, ... and patience.

                1.png
                lan.png
                wan.png

                  johnpoz LAYER 8 Global Moderator

                  Do you have something in front of pfsense doing nat?  I doubt it if you say UPnP worked..

                  I see no hits on your plex rule on your wan.. So to me nothing has tried to access it.. Or there would be something there vs 0/0… Simple test to see if your port forwarding is working is go to canyouseeme.org and put in your port and make sure it's using your actual public IP.. Does it show open??

                  So for example I opened up my plex from the outside for a quick test.

                  The rfc1918 and bogon are on by default -- they should not be causing you problems unless you're behind a nat for pfsense wan. You do not see them in my rules because I don't think there is any valid reason for them..  All they do is block things from hitting your forwarded/allowed ports.  Neither bogon nor rfc1918 can actually route on the internet ;)  So while yes they are typical rules you see on a wan.  I just don't see them as useful; I remove them to keep my wan rules easier to read ;)

                  As to your ipv6.. Sure it could be causing you a problem if your plex is trying to use ipv6 and you don't have that open..

                  Personally if you're not going to be actively using ipv6 - I would turn it off.. Disable it on your devices until such time you spend the time to set it up correctly.  You can see that your PC has an IPv6 and also has teredo (ipv6 conversion tech over ipv4).. MS in their infinite wisdom thought every machine should have 3 different ways to tunnel ipv6 over ipv4 along with native dual stack.. isatap, teredo and 6to4.. arrrghhhh..

                  My machine normal workstation doesn't have ipv6 enabled - click and it can if I want to test something with it, etc.  There are only a few devices on my network that have it on all the time.  My ntp server that serves up ntp to the pool has it on for example..  But in general it's off unless I am playing with it.. But for example if you come over and use my guest network your phone will get and use an IPv6 IP, etc.

                  edit: And 2nd pic you can see I turned it off again.. Because it's NOT secure to open my plex server to the whole freaking internet ;)

                  plex.png
                  plexblocked.png

                    RDabate

                    There is nothing in front of pfsense besides the modem.  pfsense is connected directly from the modem > Into LAN1, then out LAN2 to my switch.  I tested the port @ http://canyouseeme.org/ and it was successful.

                    As a test, (and yes, I know, not secure), I changed the RDP listening port on one of my machines.  Configured port forwarding.  Remoted into my machine at work to see if I could RDP in.  And it worked.  So that tells me again, that port forwarding is working.  So, I guess I'm chasing a ghost here and must be an issue with my Plex machine?  But that doesn't explain why upnp worked, and port forwarding isn't?

                      RDabate

                      Ok!  I'm finally up and running.  I thought my old router was powered off, but it wasn't.  It was still on the network.  I'm guessing, somehow, it was interfering with the new pfsense setup.

                      Either way, this was a learning experience.

                      :)

                        johnpoz LAYER 8 Global Moderator

                        Was it running dhcp??  Did it have the same IP as pfsense?  How exactly was it connected in your network?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.