Port Forwarding not working?!



  • Hello Community,

    I have recently installed the latest version of pfSense today and it's been working fine up until i have wanted to port-forward some of my server. I tried port forwarding my web-servers ports which were 80 and 443 using this guide: (https://www.youtube.com/watch?v=3-DU47zDrQk) however i had no luck instead to sent me to the pfSense router login page but i managed to stop it from doing that by changing the default WebUI port but not when i try to visit my web-server via my public ip it still does not work. So i decided to try and port forward my Minecraft server using the following settings: (https://gyazo.com/1e1b6905f4dc6385ff94de31b752c2a6) (https://gyazo.com/1201a4a9105ef35623a7e11b99d293e4) and then i tried putting my public ip into minecraft and tried to connect and still nothing happened, all my port forwarding worked fine before on my old router and now i have my Virgin Superhub 2 acting in modem mode then the pfSense firewall and still nothing. Can anyone give me advise?

    Thanks.



  • RTFM: https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html instead of following some random "guide" on the net.



  • In a nutshell, if you want traffic to come in from the internet, you generally have to make a NAT rule and an associated firewall rule. The cool thing with pfsense is that starting a new NAT rule auto-creates a corresponding firewall rule, if you pick the correct settings.

    So, here's how to do it:

    1. Start in the NAT tab, under Firewall.
    2. Make sure you're on the Port Forward tab, then click the add button You can add it to the top of the list, or the bottom of the list. I don't think it matters.
    3. In the new port forward edit screen, pick interface = WAN
    4. Leave the Source alone for now.
    5. Destination should be = WAN Address, port range from 25565 to 25565
    6. Redirect IP = the IP address of your internal server
    7. Redirect target port = 25565

    Give it a name in the description box, and make sure "add associated filter rule" is selected in the drop down menu at the very bottom.

    That's it. Save all of that by clicking the blue button and go check in the Firewall rules section, under the WAN tab, and make sure that the new "associated" rule is in there. Like I said, it auto-creates those.

    Now, go check to see if you can hit the server from OUTSIDE your LAN network. If not, there might be some tweaking to do on the client and the server, like manually telling each which port to use, or opening up the server's own firewall rules (Windows) to pass traffic.

    Jeff



  • @akuma1x Thank you i have managed to connect to the server from outside the network. How can i go about connecting to the server via the external IP inside the network?



  • @connor234 said in Port Forwarding not working?!:

    How can i go about connecting to the server via the external IP inside the network

    System/Advanced/Firewall & NAT, ensure NAT reflection is enabled.



  • @teamits Thanks for the reply, that worked perfectly :)



  • Also i'm having trouble with port forwarding my web-server i have copied the same rule for the Minecraft Server and changed the ports to 80 and repeated that and set the port to 443 as well but i cant access the website outside the network, However when i'm inside the network i can connect to the webserver using the external IP but outside the network i can't?. I have disabled the firewall on the web-server and this used to work on my old router?



  • @connor234 said in Port Forwarding not working?!:

    Also i'm having trouble with port forwarding my web-server i have copied the same rule for the Minecraft Server and changed the ports to 80 and repeated that and set the port to 443 as well but i cant access the website outside the network.

    My guess would be that the firewall rule for this new NAT instance wasn't created correctly.

    I have the best luck just starting from scratch when making any NAT entries. It isn't that bad, 5 steps and they're done.

    Jeff



  • @akuma1x Okay i will try that now, btw i have updated that post with more information about the issue.



  • I have checked the "Disable webConfigurator redirect rule" but when i connect to my public ip it just redirects to be to the pfSense webUI port which is 9999 and i can't get to my webserver because of this?



  • This is what I did to get a "web server" working behind my pfsense firewall:

    Give the web server, on the box that is actually the server, a different port number besides 80 or 443. I assigned mine port 8091.

    In pfsense, make a port forward, destination is wan address, port range is from XXXX to XXXX, redirect target IP is your web server, and the redirect port is XXXX. Let it auto-create the firewall rule, then save the settings.

    It should be as simple as that. I don't know if you have to turn down any web server firewall rules to make it respond from outside it's local network. I didn't have to do any of that on mine. When an outside "visitor" wants to connect to this web server, they have to simply add the port number to the end of the URL.

    Jeff



  • @connor234 said in Port Forwarding not working?!:

    I have checked the "Disable webConfigurator redirect rule" but when i connect to my public ip it just redirects to be to the pfSense webUI port which is 9999 and i can't get to my webserver because of this?

    I'm working on something else but if you used to have a redirect and now don't the browser may be caching the redirect especially if it was marked as permanent/301. Empty browser cache or try a different browser.



  • @akuma1x Unfortunately i don't want to have to do this as i i know when certain people visit my site all the ports are blocked on their network and only port 80 and 443 work for them and it would incontinent for them.



  • @teamits I thought this might this issue already so i whipped my browsing data and cache and even used a different device and did the same which is on a complete other network and i still couldn't access the site. When i am connected to the current network i can connect to the Web-Server via the internal IP of the server and i can also connect to the web-server via the public IP when i'm the network but i go on my other device connect to another network i cant connect via the public IP? I am really pulling my hair out over this right now :)



  • @connor234 Then what I think you need to do is change the port for the web configurator so it doesn't answer on ports 80 and 443.

    It's under System -> Advanced -> Admin Access -> TCP Port

    Change the port number to something else, but make sure it isn't a port used for any other services you've got running...

    Jeff



  • @akuma1x I have already done this i also checed the redirect box to stop it trying to forward to pfsense.



  • @connor234
    Maybe post a screen cap of your WAN rules and NAT forwards? I've never had an issue forwarding either 80 or 443 on the WAN to an internal IP. Most often we use split DNS and create a hostname on the pfSense or internal DNS to point to the private IP, but that's a different issue and not relevant to your WAN port forward.



  • @teamits
    WAN Rules: https://gyazo.com/c19bd001d75feaee69eb79996b53c260
    NAT Forwards: https://gyazo.com/f6bf431cc349344f999e4d900b034fab

    The Minecraft Server port forward works perfect i can connect to the mc server on my network via my public ip and other people can join it works fine but my web-server is just a no go.



  • If you've already tried deleting and recreating them as suggested, then my next guess is a firewall or something on the web server is not allowing access from Internet IPs. Is there a firewall on the web server that can be logged and/or disabled?

    Perhaps check the box in pfSense's firewall logs to log all packets matching the default block rule and verify it is actually being blocked at the pfSense?



  • @teamits All of the firewall features have been disabled and i will check the logs shortly.



  • Hi Everyone, thank you for all of your advise i have managed to fix the issue by resetting the firewall and the web-server.


Log in to reply