NAT/Port Forwarding not working



  • Hey everyone!
    I need some help figuring out this NAT/port forwarding problem I am facing. I recently got myself a mini PC with 4 Gigabit LAN ports and am using it as a pfSense router. By no means am I an expert at networking, but I try to learn as I come across new devices and technologies.

    Background:
    Due to network speed issues and intermittent downtime with my ISP1, I subscribed to an alternate connection from ISP2. Now I have both lines and I wish to use them for failover or load balancing, preferably load balancing.
    My earlier setup used an Asus RT66UAC router (Dual WAN - Fail-Over only) performing the routing, failover, Wi-Fi and a USB drive media share for the whole network. I also have D-Link and Netgear routers connected to the Asus RT66UAC via an unmanaged switch on the other floor of the house. Both of these routers help manage the connections between desktops, phones, and laptops.
    I also have wireless IP cameras connected to the network (recording directly onto an SD card and streaming via TCP/UDP and RTSP) which are monitored both internally and externally.

    I have a subscription with DynDNS, as my ISP1 provides a dynamic public IP. My ISP2 only provides a private IP, and hence I will not be able to use port forwarding to view my IP cameras externally. Yes, when my ISP1 was down, there was no way for me to get access.

    Problem:
    After setting up my new pfSense router, I assigned static IPs and port numbers to the IP cameras.

    I can access the IP cameras over LAN using the IP address and port numbers, and monitor them using apps. However, I am unable to view them from an external network.

    I have tried going through many videos, forums and tutorials. All in vain :'(
    The port shows as open internally, but externally I get a "port is closed" message.
    I have even tried reinstalling pfSense several times, thinking there might be something wrong with the installation.
    I have looked at the logs, but I think the port numbers are randomized.
    I am attaching a picture of a sample network diagram just to give you guys an idea of what I am dealing with.

    Please note that I have turned off UPnP; even with UPnP turned ON, it still does not work. The main reason for me to get pfSense is security.

    Could you please guide me to fix this and help me understand where I am going wrong with this?

  • BTW, I have a GPON fiber connection from both ISPs, and each has a direct Ethernet cable coming into my house.
    pfSense
    em0 - WAN 1 (PPPoE - ISP1) Dynamic Public IP
    em1 - WAN 2 (PPPoE - ISP2) Dynamic Private IP
    em2 - Home_LAN (10.xx.xx.1)
    em3 - OPT1 (unused and disabled)

    I have some internal cabling done, which is not exactly ideal, but I am trying to manage with the same cabling, using 2 wireless access points and a switch to provide connectivity in different parts of the house.

    Asus RT66UAC and D-Link are being used as access points now.

    Port forwarding used to work when I had the Asus RT66UAC as my router, so I know it is not an issue with my ISP1. DynDNS is currently monitoring the WAN 1 connection only as that is the only ISP that provides a public IP.


  • Banned


  • LAYER 8 Netgate

    Yup. That should be working. Check the settings (gateway, firewall, etc) on the target device. Use the list in that link.



  • I have used all the recommendations from https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Still doesn't work.

    The devices are pretty straightforward; I just have the option to input the IP, port and gateway. The gateway on the devices is set to the pfSense IP. They do not have a firewall. It's an IP camera.

    Am I missing anything else??

    I am on the verge of throwing this out and going back to using a consumer router again, but honestly I do not want to. This thing is great except for the complexity in getting this right.

    The logs do not show any incoming connection with that specific port being used for forwarding. The incoming port on WAN may be randomized; I also tried setting it as a static port, still no go.


  • LAYER 8 Netgate

    Port forwarding works fine.

    Honestly check (really check) everything on that list. It is almost certainly one of those things.

    Your screenshots indicate everything is set correctly on pfSense, which leaves something off the firewall, like the traffic never actually arriving on WAN, the traffic to the target device being filtered, or its responses being sent somewhere else.

    You are certain that all of those wireless routers are not actually acting as routers?

    How about redoing your diagram with the actual, inside IP addresses identified (there is little - if any - reason to hide those and it only hinders being able to help you). That will help determine if a mistake has been made there.


  • LAYER 8 Global Moderator

    "The logs do not show any incoming connection with that specific port being used for forwarding"

    Well then how could pfSense forward any traffic? If you sniff on WAN on port 8086 and your remote client tries to hit 8086 and you do not see this traffic, then no, it will never work..

    This is a step in the troubleshooting guide you said you went through. So are you seeing this traffic or not? If you're not seeing it, then pfSense can never forward it. If you see it, then sniff on your LAN interface: does pfSense send the traffic on to your .150 address?



  • @Derelict:

    Port forwarding works fine.

    Honestly check (really check) everything on that list. It is almost certainly one of those things.

    Your screenshots indicate everything is set correctly on pfSense, which leaves something off the firewall, like the traffic never actually arriving on WAN, the traffic to the target device being filtered, or its responses being sent somewhere else.

    You mean the firewall logs on the pfSense? Let me take a dig at it again. Will try and get you some screenshots. Maybe I am missing some details there. There are quite a few blocked entries there, but none of them are related to the forwarded port numbers.

    Any tips on things I should really look out for??


  • LAYER 8 Global Moderator

    Your best bet is to simply sniff on your pfSense WAN to actually validate that your traffic is even getting to pfSense on 8086..

    Troubleshooting port forwarding should only take you a few minutes.

    Does the traffic get there? Does pfSense send it on? Does the client send an answer once you see pfSense send it on, etc.



  • @johnpoz:

    Your best bet is to simply sniff on your pfSense WAN to actually validate that your traffic is even getting to pfSense on 8086..

    Troubleshooting port forwarding should only take you a few minutes.

    Does the traffic get there? Does pfSense send it on? Does the client send an answer once you see pfSense send it on, etc.

    I will try that now. I really do not know how to do the port sniff; I will try and get some info around that.

    Meanwhile, I really want to thank you for helping me out in this. Appreciate it a lot fellas.



  • I really do not know how to do the port sniff; I will try and get some info around that.

    Diagnostics - Packet Capture



  • You were right, there is no traffic coming into the WAN connection using that port. I scanned through each and every line item in the log.

    I used my cellphone Chrome browser:
    browsed to http://domain.dyndns.com:8086 - no incoming traffic using that port number
    browsed to http://mypublicIP:8086 - no incoming traffic

    I even tried with just WAN 1 (my primary ISP who provides a public IP), still no traffic coming in.

    I see some really random port numbers on some entries.
    23:24:54.032893 IP 100.xx.xxx.88.25933 > 151.xxx.xxx.xx6.20064: UDP, length 103

    Edit:
    I connected my old router back and it works fine on that. I am able to ping my public IP using both IP and DynDNS domain and able to get to my IP cameras.

    Something, somewhere is getting blocked.


  • LAYER 8 Global Moderator

    Yeah, lots of noise on the net..

    pfSense cannot forward what it does not see..

    A simple way to check if traffic can get to your public IP on a TCP port is canyouseeme.org

    If you're sending traffic to your IP and port and it's not getting there, then something in front of pfSense is blocking it. ISP? ISP device in front of pfSense, etc.

    edit: if you're changing the router connected, I assume you're getting a different public IP.. Maybe that port is blocked for that IP; try changing the MAC on pfSense to mimic the MAC on your old router so you get the same IP, etc.

    But again, pfSense cannot forward what it does not see.

    You sure you're not getting NAT reflection when you use the old router? I.e. your cellphone on your wireless network.. If you're going to test with phones you need to validate they are not on your local Wi-Fi network.


  • LAYER 8 Netgate

    Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

    Try to connect

    Stop the capture

    If there is nothing there, the traffic isn't hitting WAN.

    If there is something, then packet capture on LAN

    If you see the traffic going out, the port forward is working. If there is no response, check that host.
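    The WAN-then-LAN capture triage Derelict lays out above (and johnpoz's earlier "sniff on WAN, then on LAN" questions), applied to saved capture output, as an added example that is not part of this thread or of pfSense itself: it parses the one-line tcpdump summaries that Diagnostics > Packet Capture prints and names the first stage at which the forward fails. The sample capture lines are constructed with RFC 5737 documentation addresses; `parse_capture`, `triage` and the 10.0.0.150 camera address are assumptions made here, port 8086 is the one the thread discusses.

```python
import re

# One-line tcpdump summaries as printed by pfSense Diagnostics > Packet Capture, e.g.
#   23:24:54.032893 IP 203.0.113.88.25933 > 198.51.100.6.20064: UDP, length 103
# IPv4 address and port are joined by a dot; the rest of the line is not needed here.
_LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ")


def parse_capture(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every parsable capture line."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            src, sport, dst, dport = m.groups()
            pkts.append((src, int(sport), dst, int(dport)))
    return pkts


def triage(wan_capture, lan_capture, fwd_port, target_ip):
    """WAN capture first, then LAN capture: name the first stage where the forward fails."""
    wan = parse_capture(wan_capture)
    lan = parse_capture(lan_capture)
    # 1. Nothing for the forwarded port on WAN: the block is upstream (ISP or a device
    #    in front of pfSense); pfSense cannot forward what it never sees.
    if not any(dport == fwd_port for _, _, _, dport in wan):
        return "upstream"
    # 2. Seen on WAN but never sent on to the target: check the NAT rule / WAN firewall rule.
    if not any(dst == target_ip and dport == fwd_port for _, _, dst, dport in lan):
        return "not-forwarded"
    # 3. Sent on, but the target never answers: check its gateway, firewall or the service.
    if not any(src == target_ip and sport == fwd_port for src, sport, _, _ in lan):
        return "no-reply"
    return "working"


# Constructed sample captures (documentation addresses, not taken from the thread).
WAN_NOISE = "23:24:54.032893 IP 203.0.113.88.25933 > 198.51.100.6.20064: UDP, length 103\n"
WAN_HIT = WAN_NOISE + (
    "23:25:01.100000 IP 203.0.113.7.51234 > 198.51.100.6.8086: Flags [S], seq 1, length 0\n")
LAN_OUT = "23:25:01.100200 IP 203.0.113.7.51234 > 10.0.0.150.8086: Flags [S], seq 1, length 0\n"
LAN_OK = LAN_OUT + (
    "23:25:01.100900 IP 10.0.0.150.8086 > 203.0.113.7.51234: Flags [S.], ack 2, length 0\n")

if __name__ == "__main__":
    for wan, lan in ((WAN_NOISE, ""), (WAN_HIT, ""), (WAN_HIT, LAN_OUT), (WAN_HIT, LAN_OK)):
        print(triage(wan, lan, 8086, "10.0.0.150"))
```

    With a real capture, paste the WAN and LAN text from the Packet Capture page into the two arguments; masked addresses such as the ones quoted in the thread still parse, since only the port split matters.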


  • Banned

    @tarunmurthy:

    I used my cellphone Chrome browser:

    Just to be sure: WLAN was off on the phone when you did the test?



  • @johnpoz:

    edit: if you're changing the router connected, I assume you're getting a different public IP.. Maybe that port is blocked for that IP; try changing the MAC on pfSense to mimic the MAC on your old router so you get the same IP, etc.

    The public IP changes when I reboot the router and a new connection is established. ISP1 provides a dynamic public IP, so a reboot is needed. That is why I am using the DynDNS service to sync my public IP with my domain.

    @johnpoz:

    You sure you're not getting NAT reflection when you use the old router? I.e. your cellphone on your wireless network.. If you're going to test with phones you need to validate they are not on your local Wi-Fi network.

    I am absolutely sure I am using my cellphone's 4G network. Wi-Fi is always OFF when I am testing this.

    @Derelict:

    Diagnostics > Packet Capture on the appropriate WAN interface on port 8086.

    Try to connect

    Stop the capture

    If there is nothing there, the traffic isn't hitting WAN.

    If there is something, then packet capture on LAN

    If you see the traffic going out, the port forward is working. If there is no response, check that host.

    Still no go, the traffic does not seem to be hitting the WAN IP address for some reason.

    @Grimson:

    Just to be sure: WLAN was off on the phone when you did the test?

    Yes absolutely, my cellphone is always on 4G network while testing.


  • LAYER 8 Global Moderator

    "the traffic does not seem to be hitting the WAN IP address for some reason."

    Then the block is upstream.. pfSense cannot forward what it does not see, end of story. Get with your ISP on why traffic on port X does not get to you.


  • LAYER 8 Netgate

    And the firewall logs will not include passed traffic unless you explicitly tell that pass rule to log.

    You need to be looking exclusively at packet captures, pretty much.

