Port forwarding stopped working



  • I've my portforwarding set up as always and it has been working for quite a long time. But yesterday it stopped working. I've already checked everything and the problem is definitely the pfSense system. I already went through the troubleshooting guide (https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html) and NAT reflection is enabled. I will post a pic. of all configs and Packet Capture.

    Packet Capture on port 80 with my public IP as host:

    18:04:56.688659 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
    18:04:56.688884 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
    18:04:56.940353 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
    18:04:59.689031 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
    18:04:59.689881 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
    18:04:59.940878 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
    18:05:05.690637 IP 192.168.178.26.62774 > 217.226.185.179.80: tcp 0
    18:05:05.691508 IP 192.168.178.26.22130 > 217.226.185.179.80: tcp 0
    18:05:05.941865 IP 192.168.178.26.3410 > 217.226.185.179.80: tcp 0
    18:05:17.821561 IP 192.168.178.26.11430 > 217.226.185.179.80: tcp 0
    18:05:17.945772 IP 192.168.178.26.41257 > 217.226.185.179.80: tcp 0
    18:05:20.821952 IP 192.168.178.26.11430 > 217.226.185.179.80: tcp 0
    18:05:20.946620 IP 192.168.178.26.41257 > 217.226.185.179.80: tcp 0
    



  • LAYER 8 Netgate

    If that is all you are seeing, that is outbound traffic from your WAN address to 217.226.185.179:80 (probably connections from inside hosts after outbound NAT has been applied) and would have nothing to do with inbound traffic that might activate the port forward.

    If that is all the traffic that you are seeing, then I suspect point 5 under common problems here:

    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    Check (really actually check) everything there.



  • It's none of the Common Problems...


  • Banned

    The WAN IP is in private space and assigned via DHCP, so check your upstream device and make sure it's forwarding the ports to the correct IP. I highly doubt it's a pfSense issue, more likely PEBCAK or your ISP decided to block the ports.


  • LAYER 8 Netgate

    @mrgrimod said in Port forwarding stopped working:

    It's none of the Common Problems...

    If that is the only traffic you see and you never see any connection attempts inbound, there is nothing for pfSense to forward as outlined in the above post by @Grimson.

    (It's always one of the things listed in common problems)



  • The upstream device is a Fritzbox. The pfSense router is registered as exposed host, but as you can see in the image, there are 0 ports opened.



  • LAYER 8 Netgate

    Then we'll need to see a packet capture on WAN that shows the connection attempts arriving. Then we can go from there.



  • 192.168.178.26 is the pfSense machine in the Fritzbox network and 217.226.185.179 is the public ISP IP.

    19:53:05.205450 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
    19:53:05.205455 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
    19:53:05.456390 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
    19:53:08.205171 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
    19:53:08.205173 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
    19:53:08.457638 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
    19:53:09.199222 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
    19:53:09.222688 IP 93.184.220.29.80 > 192.168.178.26.31156: tcp 0
    19:53:09.236064 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
    19:53:09.875613 IP 192.168.178.26.39928 > 52.22.66.41.80: tcp 371
    19:53:09.995460 IP 52.22.66.41.80 > 192.168.178.26.39928: tcp 140
    19:53:10.037012 IP 192.168.178.26.39928 > 52.22.66.41.80: tcp 0
    19:53:14.205318 IP 192.168.178.26.48573 > 217.226.185.179.80: tcp 0
    19:53:14.205320 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
    19:53:14.460160 IP 192.168.178.26.19109 > 217.226.185.179.80: tcp 0
    19:53:26.845657 IP 192.168.178.26.56136 > 192.168.178.1.80: tcp 1
    19:53:26.845969 IP 192.168.178.1.80 > 192.168.178.26.56136: tcp 0
    19:53:26.846657 IP 192.168.178.26.18481 > 192.168.178.1.80: tcp 1
    19:53:26.846968 IP 192.168.178.1.80 > 192.168.178.26.18481: tcp 0
    19:53:38.899873 IP 192.168.178.26.65211 > 192.168.178.1.80: tcp 1
    19:53:38.900188 IP 192.168.178.1.80 > 192.168.178.26.65211: tcp 0
    19:53:38.908871 IP 192.168.178.26.43649 > 192.168.178.1.80: tcp 1
    19:53:38.908873 IP 192.168.178.26.15656 > 192.168.178.1.80: tcp 1
    19:53:38.909182 IP 192.168.178.1.80 > 192.168.178.26.43649: tcp 0
    19:53:38.909306 IP 192.168.178.1.80 > 192.168.178.26.15656: tcp 0
    19:53:38.909872 IP 192.168.178.26.11147 > 192.168.178.1.80: tcp 1
    19:53:38.910181 IP 192.168.178.1.80 > 192.168.178.26.11147: tcp 0
    19:53:39.644712 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
    19:53:39.666361 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 0
    19:53:39.669551 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
    19:53:39.669553 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 338
    19:53:39.691494 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 0
    19:53:39.692075 IP 23.59.69.2.80 > 192.168.178.26.19131: tcp 381
    19:53:39.756985 IP 192.168.178.26.19131 > 23.59.69.2.80: tcp 0
    
    

  • LAYER 8 Netgate

    That is still showing zero traffic sourced from the internet to destination 192.168.178.26 TCP port 80, which would be the Pre-NAT destination address and port for inbound connections. Without that traffic arriving on WAN, there is nothing to forward.

    You would see something like this on WAN:

    19:53:09.199222 IP 93.184.234.213.31156 > 192.168.178.26.80: tcp 0
    

    It would look like this on LAN (after the port forward):

    19:53:09.199222 IP 93.184.234.213.31156 > 192.168.5.51.80: tcp 0
    

    Still leaves us at point 5 under common problems. Something upstream not sending the traffic to you.
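
Added example (not part of any post in this thread): a small Python check that sorts capture lines in the format pasted above by direction, so it is obvious whether any pre-NAT inbound traffic for the forwarded port reached WAN. The function names and category labels are assumptions made for this illustration; the sample lines are copied from the thread.

```python
import re
from collections import Counter

# One-line format as pasted in the thread, e.g.
# "19:53:09.199222 IP 93.184.234.213.31156 > 192.168.178.26.80: tcp 0"
LINE = re.compile(
    r"^\s*\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): tcp \d+\s*$"
)

def classify(line, wan_ip, port):
    """Label one capture line relative to the WAN address and forwarded port."""
    m = LINE.match(line)
    if not m:
        return "unparsed"
    src, dst, dport = m.group(1), m.group(3), int(m.group(4))
    if dst == wan_ip and dport == port and src != wan_ip:
        return "inbound_to_forward"   # pre-NAT traffic a port forward can match
    if src == wan_ip:
        return "outbound"             # leaving WAN after outbound NAT
    if dst == wan_ip:
        return "to_wan_other_port"    # e.g. replies to outbound connections
    return "other"

def summarize(capture, wan_ip, port):
    """Count capture lines per category, skipping blank lines."""
    return Counter(classify(l, wan_ip, port)
                   for l in capture.splitlines() if l.strip())

def forward_can_trigger(capture, wan_ip, port):
    """True only if at least one inbound connection attempt reached WAN."""
    return summarize(capture, wan_ip, port)["inbound_to_forward"] > 0

# Lines copied from the captures in the thread.
SEEN = """
19:53:05.205450 IP 192.168.178.26.56150 > 217.226.185.179.80: tcp 0
19:53:09.199222 IP 192.168.178.26.31156 > 93.184.220.29.80: tcp 0
19:53:09.222688 IP 93.184.220.29.80 > 192.168.178.26.31156: tcp 0
19:53:26.845657 IP 192.168.178.26.56136 > 192.168.178.1.80: tcp 1
19:53:26.845969 IP 192.168.178.1.80 > 192.168.178.26.56136: tcp 0
"""
# The illustrative line from the reply above showing what WAN should see.
EXPECTED = "19:53:09.199222 IP 93.184.234.213.31156 > 192.168.178.26.80: tcp 0"

if __name__ == "__main__":
    print(dict(summarize(SEEN, "192.168.178.26", 80)))
    print(forward_can_trigger(SEEN, "192.168.178.26", 80))
    print(forward_can_trigger(EXPECTED, "192.168.178.26", 80))
```

A capture that yields zero `inbound_to_forward` lines while an outside client is actively connecting points at the upstream device or ISP rather than at the pfSense NAT rules.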



  • Ok, I found the problem. It was the internet gateway or upstream (as you said). I reinstalled the OS and the exposed host function worked again. For some reason it still shows 0 opened ports, but hey, it works! Thanks for your quick and professional help!

