Ports will not open



  • Never had trouble before opening ports.

    The only thing different from normal is it's on 10.0.1.10
    Everything else in the house is on 10.0.1. Is this the problem?

    ![2018-05-16 (1).png](/public/imported_attachments/1/2018-05-16 (1).png)



  • Are you having an actual problem or are you just wondering about the failed test in your torrent dealie?  If you're having real problems, check your firewall log to see if anything else is being blocked.  I must say that I've been running qbittorrent without needing any forwards and everything works fine.



  • I'm just trying to open ports 60000-61000 on gateway 10.0.1.1 ip 10.0.1.10

    I've looked in the logs, not sure what I'm looking for/at?

    However, in gateways I'm seeing loads of these

    May 15 16:15:38 dpinger WAN_DHCP 86.*******: sendto error: 65

    Edit

    May 16 15:29:56 WAN Default deny rule IPv4 (1000000103)   81.~:52442   86.***:60000 TCP:S

    Guess it's not open and it's still blocking the ports



  • Post up a screen of your WAN firewall rules.  Maybe the NAT definition didn't autocreate the rule.


  • Netgate Administrator

    Yes, we can't see if you have the port forward set to add a firewall rule automatically.

    Also we can't see the title bar so can't see if there are any alerts shown. If there are and they are showing unable to load the v6 bogons table then you may not be loading the new rules because of it.
    See: https://forum.pfsense.org/index.php?topic=145990.0

    That should be fixed in 2.4.3_1 though.

    Steve



  • @KOM:

    Post up a screen of your WAN firewall rules.  Maybe the NAT definition didn't autocreate the rule.

    I've changed the ports to 40000-41000

    but here is the screenshot

    ![2018-05-16 (3).png](/public/imported_attachments/1/2018-05-16 (3).png)



  • @stephenw10:

    Yes, we can't see if you have the port forward set to add a firewall rule automatically.

    Also we can't see the title bar so can't see if there are any alerts shown. If there are and they are showing unable to load the v6 bogons table then you may not be loading the new rules because of it.
    See: https://forum.pfsense.org/index.php?topic=145990.0

    That should be fixed in 2.4.3_1 though.

    Steve

    Was already on 60000

    ![2018-05-16 (4).png](/public/imported_attachments/1/2018-05-16 (4).png)



  • Post your WAN firewall rules, not your NAT rules.  Firewall - Rules - WAN.



  • @KOM:

    Post your WAN firewall rules, not your NAT rules.  Firewall - Rules - WAN.

    Sorry

    ![2018-05-16 (7).png](/public/imported_attachments/1/2018-05-16 (7).png)



  • Looks good to me.

    Next guess, is your WAN on private network space, eg. 192.168.x.x?  If so, you must uncheck the Block private networks option on WAN or it will reject all RFC1918 traffic before it hits your NAT rule.



  • @KOM:

    Looks good to me.

    Next guess, is your WAN on private network space, eg. 192.168.x.x?  If so, you must uncheck the Block private networks option on WAN or it will reject all RFC1918 traffic before it hits your NAT rule.

    My WAN comes from my Virgin Media modem, which just gives an IP to pfSense. Is this what you mean, KOM? It gives 82.x.x.x.



  • OK, that's not it.

    Post a screen of your firewall logs (with public details masked) that shows all activity during your test?  Do any other NATs work for you?


  • Netgate Administrator

    There is >1GB that's been passed by that rule. If it's not hitting the server that's a lot of unanswered requests!

    You have changed from port 60000-61000 to 40000-41000, that's intentional?

    In the first screenshot your client is setup for only one incoming port, 60000, not a range. Has that changed?

    Block private networks will only ever block traffic sourced from a private network. Even if your WAN address is a private IP (which it isn't) it will only block requests from other hosts in the WAN subnet, which could be legitimate.

    Steve



  • @KOM:

    OK, that's not it.

    Post a screen of your firewall logs (with public details masked) that shows all activity during your test?  Do any other NATs work for you?

    Think this is the correct log

    ![2018-05-16 (8).png](/public/imported_attachments/1/2018-05-16 (8).png)


  • Netgate Administrator

    Right, so your firewall rules are passing port 40000. But incoming traffic is on port 60000.

    Steve



  • @stephenw10:

    There is >1GB that's been passed by that rule. If it's not hitting the server that's a lot of unanswered requests!

    What does that mean sorry?

    @stephenw10:

    You have changed from port 60000-61000 to 40000-41000, that's intentional?

    In the first screenshot your client is setup for only one incoming port, 60000, not a range. Has that changed?

    Yea, it was on 40000-41000 a few days ago so I changed it back to what it was before.

    @stephenw10:

    Block private networks will only ever block traffic sourced from a private network. Even if your WAN address is a private IP (which it isn't) it will only block requests from other hosts in the WAN subnet, which could be legitimate.

    Steve

    I have no idea what that means, Steve, sorry. I'm very new to all this and think I'm in way, way too deep trying to get all this working.



  • @stephenw10:

    Right, so your firewall rules are passing port 40000. But incoming traffic is on port 60000.

    Steve

    I think the 60000 is just because the torrents were running on that port and a few are still trying to connect.


  • Netgate Administrator

    On the WAN firewall rules page the 'States' column shows how much traffic has been passed by states opened by that rule. Yours shows the ~1GB has been passed so traffic is hitting that rule and being passed as expected.

    It looks like you changed the port forward back to 40000-41000 but the client is still sending port 60000 or other clients out there are still trying to access it on that port at least.

    You can leave the block private networks rule; it's not causing a problem.

    So what exactly is not working right now?

    Steve
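
Added example, not part of the thread or of pfSense: a Python sketch of the comparison made in the post above, checking default-deny log entries against the forwarded range and the port the client listens on. The log layout is assumed from the line quoted earlier in the thread; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the GUI firewall-log line quoted in the thread (assumed):
# <date> <iface> <rule text> (<rule id>) <src>:<sport> <dst>:<dport> <proto>[:flags]
LOG_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<iface>\S+)\s+(?P<rule>.+?)\s+\(\d+\)\s+"
    r"\S+:\d+\s+\S+:(?P<dport>\d+)\s+(?P<proto>\w+)(?::\w+)?$"
)

# Constructed sample lines using documentation addresses, not data from the thread.
SAMPLE = """\
May 16 15:29:56 WAN Default deny rule IPv4 (1000000103)   203.0.113.7:52442   198.51.100.20:60000 TCP:S
May 16 15:30:02 WAN Default deny rule IPv4 (1000000103)   203.0.113.9:40112   198.51.100.20:60000 TCP:S
May 16 15:30:05 WAN Default deny rule IPv4 (1000000103)   203.0.113.15:6881   198.51.100.20:60000 UDP
May 16 15:30:09 WAN Default deny rule IPv4 (1000000103)   203.0.113.40:33100   198.51.100.20:23 TCP:S
May 16 15:30:11 LAN Default deny rule IPv4 (1000000103)   10.0.1.10:5353   224.0.0.251:5353 UDP
""".splitlines()


def denied_ports(lines, iface="WAN"):
    """Count deny-rule hits per (protocol, destination port) on one interface."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["iface"] == iface and "deny" in m["rule"].lower():
            hits[(m["proto"], int(m["dport"]))] += 1
    return hits


def check_forward(lines, forward, listen_port):
    """Compare denied WAN traffic and the client's port with the forwarded range."""
    lo, hi = forward
    findings = []
    if not lo <= listen_port <= hi:
        findings.append(f"client listens on {listen_port}, outside forward {lo}-{hi}")
    for (proto, port), n in sorted(denied_ports(lines).items()):
        if lo <= port <= hi:
            findings.append(f"{n} {proto} hits denied on {port} inside the forward: check the WAN rule")
        elif port == listen_port:
            findings.append(f"{n} {proto} hits denied on {port}: peers use the listen port, no forward covers it")
    return findings  # denied ports unrelated to the forward or the client are ignored


if __name__ == "__main__":
    # The situation in the thread: forward moved to 40000-41000, client still on 60000.
    for finding in check_forward(SAMPLE, (40000, 41000), 60000):
        print(finding)
```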



  • @stephenw10:

    On the WAN firewall rules page the 'States' column shows how much traffic has been passed by states opened by that rule. Yours shows the ~1GB has been passed so traffic is hitting that rule and being passed as expected.

    It looks like you changed the port forward back to 40000-41000 but the client is still sending port 60000 or other clients out there are still trying to access it on that port at least.

    You can leave the block private networks rule; it's not causing a problem.

    So what exactly is not working right now?

    Steve

    What's not working? Loads lol

    https://forum.pfsense.org/index.php?topic=146285.msg803597#msg803597
    https://forum.pfsense.org/index.php?topic=147982.0

    and ports 40000-41000 will not open

    They open fine on 10.0.0.1 but everything on this 10.0.1.1 is not working and nothing but trouble


  • Netgate Administrator

    Ok but what makes you think ports 40k-41k are not open?

    They look to be open to me.

    Steve



  • the test on deluge reports not open, never done that before.


  • Netgate Administrator

    For all 1000 ports? Can we see the result?

    Steve



  • @stephenw10:

    For all 1000 ports? Can we see the result?

    Steve

    All I see is the yellow ! and not a green dot Steve
    https://forum.pfsense.org/index.php?action=dlattach;topic=147958.0;attach=118139;image



  • @Darkvodka34:

    the test on deluge reports not open, never done that before.

    That test is probably crap, trying to connect to those ports via the LAN interface. You need to test from the WAN. Read here: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • @Grimson:

    @Darkvodka34:

    the test on deluge reports not open, never done that before.

    That test is probably crap, trying to connect to those ports via the LAN interface. You need to test from the WAN. Read here: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    I have read that page and done it before, which works fine, and Deluge says it works fine. Only thing new is this new gateway (10.0.1.1)
    If I add the server back on the default gateway 10.0.0.1 and just change the IP on the NAT rule, Deluge passes it as worked and my speed goes up. I put it back on 10.0.1.1 and just the NAT IP again, it fails and speed goes down.



  • @Darkvodka34:

    only thing new is this new gateway (10.0.1.1)

    New gateway? You mean an additional LAN network? I guess it's time you post screenshots from your complete interface and firewall setup.


  • Netgate Administrator

    Why are you forwarding 1000 ports but only have the torrent client listening on 1?

    And that screenshot still shows the wrong port for the current forwarded range. I assume you have updated that?

    Steve