Netgate Discussion Forum

    Port forwarding stopped working

      MrGrimod

      I have my port forwarding set up as always and it has been working for quite a long time. But yesterday it stopped working. I've already checked everything and the problem is definitely the pfSense system. I already went through the troubleshooting guide (https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html) and NAT reflection is enabled. I will post a pic. of all configs and Packet Capture.

      Packet Capture on port 80 with my public IP as host:

      18:04:56.688659 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
      18:04:56.688884 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
      18:04:56.940353 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
      18:04:59.689031 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
      18:04:59.689881 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
      18:04:59.940878 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
      18:05:05.690637 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
      18:05:05.691508 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
      18:05:05.941865 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
      18:05:17.821561 IP 192.168.178.26.11430 > 217.226.185.179.80: tcp 0
      18:05:17.945772 IP 192.168.178.26.41257 > 217.226.185.179.80: tcp 0
      18:05:20.821952 IP 192.168.178.26.11430 > 217.226.185.179.80: tcp 0
      18:05:20.946620 IP 192.168.178.26.41257 > 217.226.185.179.80: tcp 0
      

      3_1537121116123_rulesNat.PNG 2_1537121116123_nat.PNG 1_1537121116123_ips.PNG 0_1537121116122_interfaces.PNG

        Derelict LAYER 8 Netgate

        If that is all you are seeing, that is outbound traffic from your WAN address to 217.226.185.179:80 (probably connections from inside hosts after outbound NAT has been applied) and would have nothing to do with inbound traffic that might activate the port forward.

        If that is all the traffic that you are seeing, then I suspect point 5 under common problems here:

        https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

        Check (really actually check) everything there.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          MrGrimod

          It's none of the Common Problems...

            Grimson Banned

            The WAN IP is in private space and assigned via DHCP, so check your upstream device and make sure it's forwarding the ports to the correct IP. I highly doubt it's a pfSense issue, more likely PEBCAK or your ISP decided to block the ports.

              Derelict LAYER 8 Netgate @MrGrimod

              @mrgrimod said in Port forwarding stopped working:

              It's none of the Common Problems...

              If that is the only traffic you see and you never see any connection attempts inbound, there is nothing for pfSense to forward as outlined in the above post by @Grimson.

              (It's always one of the things listed in common problems)

                MrGrimod

                The upstream device is a Fritzbox. The pfSense router is registered as exposed host but as you can see on the image, there are 0 ports opened.

                0_1537126237592_Unbenannt.PNG

                  Derelict LAYER 8 Netgate

                  Then we'll need to see a packet capture on WAN that shows the connection attempts arriving. Then we can go from there.

                    MrGrimod

                    192.168.178.26 is the pfSense machine in the Fritzbox network and 217.226.185.179 is the public ISP IP.

                    19:53:05.205450 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
                    19:53:05.205455 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
                    19:53:05.456390 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
                    19:53:08.205171 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
                    19:53:08.205173 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
                    19:53:08.457638 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
                    19:53:09.199222 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
                    19:53:09.222688 IP 93.184.220.29.80 > 192.168.178.26.31156: tcp 0
                    19:53:09.236064 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
                    19:53:09.875613 IP 192.168.178.26.39928 > 52.22.66.41.80: tcp 371
                    19:53:09.995460 IP 52.22.66.41.80 > 192.168.178.26.39928: tcp 140
                    19:53:10.037012 IP 192.168.178.26.39928 > 52.22.66.41.80: tcp 0
                    19:53:14.205318 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
                    19:53:14.205320 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
                    19:53:14.460160 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
                    19:53:26.845657 IP 192.168.178.26.56136 > 192.168.178.1.80: tcp 1
                    19:53:26.845969 IP 192.168.178.1.80 > 192.168.178.26.56136: tcp 0
                    19:53:26.846657 IP 192.168.178.26.18481 > 192.168.178.1.80: tcp 1
                    19:53:26.846968 IP 192.168.178.1.80 > 192.168.178.26.18481: tcp 0
                    19:53:38.899873 IP 192.168.178.26.65211 > 192.168.178.1.80: tcp 1
                    19:53:38.900188 IP 192.168.178.1.80 > 192.168.178.26.65211: tcp 0
                    19:53:38.908871 IP 192.168.178.26.43649 > 192.168.178.1.80: tcp 1
                    19:53:38.908873 IP 192.168.178.26.15656 > 192.168.178.1.80: tcp 1
                    19:53:38.909182 IP 192.168.178.1.80 > 192.168.178.26.43649: tcp 0
                    19:53:38.909306 IP 192.168.178.1.80 > 192.168.178.26.15656: tcp 0
                    19:53:38.909872 IP 192.168.178.26.11147 > 192.168.178.1.80: tcp 1
                    19:53:38.910181 IP 192.168.178.1.80 > 192.168.178.26.11147: tcp 0
                    19:53:39.644712 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
                    19:53:39.666361 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 0
                    19:53:39.669551 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
                    19:53:39.669553 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 338
                    19:53:39.691494 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 0
                    19:53:39.692075 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 381
                    19:53:39.756985 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
                    
                    
                      Derelict LAYER 8 Netgate

                      That is still showing zero traffic sourced from the internet to destination 192.168.178.26 TCP port 80, which would be the Pre-NAT destination address and port for inbound connections. Without that traffic arriving on WAN, there is nothing to forward.

                      You would see something like this on WAN:

                      19:53:09.199222 IP 93.184.234.213.31156 > 192.168.178.26.80: tcp 0
                      

                      It would look like this on LAN (after the port forward):

                      19:53:09.199222 IP 93.184.234.213.31156 > 192.168.5.51.80: tcp 0
                      

                      Still leaves us at point 5 under common problems. Something upstream not sending the traffic to you.

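Added example, not part of any post in this thread: a small Python check that applies the test described above to a WAN capture, counting packets whose pre-NAT destination is the WAN address and forwarded port, and listing outbound targets that never answered. The function name `summarize`, the regular expression and the choice of sample lines are assumptions of this example; the sample lines themselves are copied from the captures quoted in the thread.

```python
import re
from collections import Counter

# One-line capture format as quoted in the thread:
#   HH:MM:SS.ffffff IP src.sport > dst.dport: tcp len
LINE = re.compile(
    r"^\s*\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): tcp \d+\s*$"
)

# Sample input: lines copied from the second WAN capture posted in the thread.
THREAD_SAMPLE = """\
19:53:05.205450 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
19:53:08.205171 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
19:53:09.199222 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
19:53:09.222688 IP 93.184.220.29.80 > 192.168.178.26.31156: tcp 0
19:53:09.236064 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
19:53:14.205320 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
"""
# The WAN-side line given in the thread as what an arriving attempt looks like.
EXPECTED_INBOUND = "19:53:09.199222 IP 93.184.234.213.31156 > 192.168.178.26.80: tcp 0\n"

def summarize(capture, wan_ip, fwd_port):
    """Classify WAN packets by direction; list outbound targets that never replied."""
    counts = Counter()
    flows = set()  # every (src, sport, dst, dport) seen in the capture
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or unrecognised lines
        src, dst = m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flows.add((src, sport, dst, dport))
        if dst == wan_ip and dport == fwd_port:
            counts["inbound_to_forward"] += 1   # would trigger the port forward
        elif src == wan_ip:
            counts["outbound"] += 1             # after outbound NAT
        elif dst == wan_ip:
            counts["reply_to_outbound"] += 1    # return traffic, not a new attempt
    unanswered = sorted({
        f"{dst}:{dport}"
        for (src, sport, dst, dport) in flows
        if src == wan_ip and (dst, dport, src, sport) not in flows
    })
    return {"inbound_to_forward": counts["inbound_to_forward"],
            "outbound": counts["outbound"],
            "reply_to_outbound": counts["reply_to_outbound"],
            "unanswered": unanswered}
```

Calling `summarize(THREAD_SAMPLE, "192.168.178.26", 80)` reports zero inbound hits and `217.226.185.179:80` as unanswered, which matches the diagnosis in the thread that nothing is arriving on WAN for pfSense to forward.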
                        MrGrimod

                        Ok, I found the problem. It was the internet gateway or upstream (as you said). I reinstalled the OS and the exposed host function worked again. For some reason it still shows 0 opened ports, but hey, it works! Thanks for your quick and professional help!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.