Port forward to UDP 10000 is NOT working
-
Assuming your IP address is indeed public.. Not 100.xx.xx.xx or any of the others... Your ISP can block stuff. Especially if you are a residential customer.. Look at your TOS. They probably say no servers.
Don't feel shy to ask them.
-
Yes I truly have a public IP: 62...* and this is a commercial ISP. When I signed the contract I gave them MY ToS saying I will be hosting servers. They even support me with my issues, for example in changing my reverse DNS and so on.
Reason I am arguing is that when I give command on Test Server:
nc -l 10000 -u
And then from Prod machine (should have Internet access):
echo "123" | nc -u my.public.ip.address 10000
I do get "123" displayed on my test server... so that means I can forward the port and it is working, listening and displaying everything.
So why is it not working only in the pfSense packet capture box? And worst-case scenario, what will the ISP block? A port, right? Even if they block UDP port 10K, they cannot block ports 80 and 443 on TCP... but I cannot see anything even for those ports?
Many Thanks,
Rav -
Well.. commercial so you should be open.
I've never had issues with the packet capture page on both Fireflop and Chrome.. But that is the limit of my testing..
-
@raviktiwari
Are you trying from a network behind the router itself? If yes, do you have some form of NAT reflection enabled?
System > Advanced > Firewall & NAT > Network Address Translation section. -
@raviktiwari
All comes down to the way you define your rules: The wildcard to wildcard (all to all) rules should go into the floating rules as they should be applied to every network in your domain...Hope it helps
-
A part of the test pfSense :
The "10000" rule sent over 1.16 gigabytes.
The second rule shows a whopping 3 Gb being handled by this rule. All this traffic didn't make it into the "Jitsi" process, or it was on the LAN .... probably it hit the "wall" between them; the OS firewall of the "Jitsi" server.
Btw: I'm not sure, but this does not look "ok" to me:
You have two identical rules that have port "10000" as a source address..
What about changing the range for the second rule: 10001 - 20000? -
Thanks everyone... I don't know how and why but it seems to be working... trust me, I did not make any changes other than the testing that @johnpoz and @chpalmer asked me to do yesterday... yes, I did restart the server as there were some bionic security and kernel upgrades that were pushed to the server and a restart was needed at the end of the update.
I am going to take a backup of the configuration and keep it safe somewhere as this configuration issue has troubled me quite a few times and for a long time. So thanks to everyone once again.
However, the other issue, which actually delayed the troubleshooting of this issue (Unable to see the packet capture in the box below) is still something that I would like to get resolved.
Many Thanks,
Rav -
Hi @taz3146
Yes, I am trying from a network behind the router itself. I checked System > Advanced > Firewall & NAT > Network Address Translation section and it was set to disabled, because I thought I would never need it. However, I have now changed it to: NAT + Proxy.
And I am still unable to see any packet captured details in the box below.
P.S: UDP port 10K has already started working without making these NAT reflection changes. Do you still want me to make this change - I mean for the data capture box to display me the content?
@Gertjan, that is in the plan, I wanted to get 10K working first and then change the other one to 10K1-20K; now that it is working, I plan to make those changes.
Thanks for your time, help and support.
Thx: Rav
-
If you can not see traffic in Diag.. Yeah, you have an issue there..
As to Firewall & NAT set to disabled? What did you change?
NAT Reflection mode for port forwards?
You have zero use for that unless you're actually doing the abomination that is NAT reflection.. Which your port forwards would have zero to do with..
As to your sniffing - are you sure you're sniffing on the correct interface?
So from ssh, just do a tcpdump... Do you see a flow of traffic?
-
Hey @johnpoz thanks again for your time and support.
I agree... I don't need to enable NAT reflection in advance, but because someone suggested trying it, I gave it a go, which made no difference, so I can now revert it back to disabled.
I understand it gives me some benefit to run everything from behind the same firewall but I never had any requirement or issues anyways, so I probably don't need it anyways.
BTW, what do you mean by "If you can not see traffic in diag.."? What is diag? Is it Packet Capture under Diagnostic mode? I know everything is working but the packet capture information is not being displayed in the box below. And that is what I want to get resolved.
I think I am sniffing the right interface, but I am more than happy to be corrected. So how do I ensure that I am sniffing the correct interface? Can you give me some commands or the path to the menu which I need to click to ensure I am doing it right?
And yes, from ssh, doing a tcpdump on my network card gives loads of traffic flow - so much so that I had to stop it as it seemed it was never going to stop. :-)
As usual, any help/support/pointers are highly appreciated.
Many Thanks,
Rav -
Well what settings did you use on the Diag, Packet Capture menu.. You have to make sure you select the correct interface for stuff to show up.. I have never seen such an issue..
I would validate by doing a sniff for what you're wanting to see via tcpdump, say your 10k port on your "wan" interface that you're selecting in the Diag, Packet Capture.. Do you see it there, and then setting the same filtering on the GUI packet capture you're not seeing anything come up??
Is this traffic coming in via a VLAN? Or a PPPoE connection? That might give you some issues with not seeing traffic in the packet capture screen.
-
@johnpoz apologies for the delayed response...
As far as settings are concerned, I have not made any changes and it is pretty standard stuff... you can see the SS for more details and if you see something silly, please do not hesitate to correct me.
This test was done from a laptop behind the production server trying to capture UDP port 10K on the Test server as well as on the Prod server (both of them have got different public IPs). I even tried capturing the LAN port (changed the interface to LAN and Host address to the 192.168 IP) - but same result, no result in the box below. It says packet capture is running, then I stop it and there is nothing in the box; even when I click on View capture, there is nothing.
However, I have just realised an interesting thing:
Just did a test on WAN and Opt1 interface, with respective IP for TCP port 443 and now I can see information in the box below.
Also, it works only for the IP that I am behind.. so from a laptop behind the Prod IP, I cannot capture packets (or see any information) for the Test IP address - which probably makes sense.
From a connectivity point of view, my WAN connection is via cable broadband (Virgin Media Fibre Optic), which terminates on the ISP router (now running as a modem because I have taken 3 static IP addresses). From there it comes into my pfSense and then from the pfSense LAN and Opt1 ports goes to the office network and server network respectively.
So now the question is: why are UDP ports not being captured or displayed?
As always, any help/support/suggestion/pointers are highly appreciated.
Many Thanks,
Rav -
@raviktiwari said in Port forward to UDP 10000 is NOT working:
So now the question is: why are UDP ports not being captured or displayed?
Because pfSense is not seeing them.. If it sees TCP, it would see UDP as well..
If you're not getting them to your WAN... Then it can not forward them.. Quite possibly they are blocked UPSTREAM of pfSense... If you're not seeing them via your capture, then pfSense is not seeing them.
-
It makes sense now: the pfSense setup may be identical, the upstream router isn't.
It's this ISP (?) router that has to forward the UDP ports also. -
@johnpoz but pfSense is forwarding now and I am able to get the job done... if you look at my previous post, I said, "It is working now...." Now the forwarding is not an issue... The issue is: why am I not getting any details in the box below for UDP port 10K?
Not sure if this is a tricky or stupid situation... Because when you did the same thing, you could see the data being populated in the box below (as per your SS)... so why can't I?
Maybe pfSense does not like me... :-(
Many Thanks,
Rav -
Dude, pfSense has no clue who you are or who I am - it's some software that runs on some hardware - it sees traffic or it doesn't... If you say it's working then clearly it is seeing traffic that it can forward per your settings.
My point is, if you're not seeing that traffic on your WAN, then it's not there... If you're saying it's working but you're not seeing it, then you're looking in the wrong place.
-
Hi @johnpoz I agree with you that pfsense does not care whether it is you or me doing the testing. But we have an issue here... right? So looks like pfsense DOES care who is doing the task. :-)
If I am looking at the wrong place, I want to be corrected. I have shared the screenshot, pls let me know what else I can do.
And to top it up, I am back at square one with the port forwarding as well.
I had to format my test server, built it up with the same IP address, did not touch pfSense at all... and now again UDP port 10K is not working... I can see the traffic moving fine at WAN level, but then from there, it does not reach the Test server.
On Test Server I type:
sudo service jitsi-videobridge2 stop
nc -l 10000 -u
And then from Prod machine (which has got Internet access):
echo "123" | nc -u my.public.ip.address 10000
This should display 123 on the Test machine. I had an issue when I started this thread and it finally worked... but now again it is not working. This is still working on Prod Server... and I get 123 on Test Server...
As I said, I have not made any changes on pfSense (neither on Test nor on Prod), so why has it died again?
Any idea/suggestion?
Many Thanks,
Rav -
Ok... So I think I have found the root cause of the issue, but I still don't know the resolution.
I connected my laptop on Test network and using firefox and chrome, I was able to capture packets and everything was displayed in the box below (I still don't know why and how it is capturing, whatever it is capturing, but that is for some other day).
However, when I connected the same laptop on the Prod network, using the same browser, the box below goes blank. So this means it is not the laptop or browser setting... it is something with the network or pfSense configuration that is blocking the data from being displayed/popped up in the box below.
Does that make sense? Does that ring any bell to anyone, as in what changes should I make in the Prod environment, so that when I do a packet capture, I can see what I am supposed to see.
Many Thanks,
Rav -
@raviktiwari said in Port forward to UDP 10000 is NOT working:
echo "123" | nc -u my.public.ip.address 10000
Where is this machine - you're wanting to use NAT reflection for this to work?
-
I am stopping the service on Test Server and then listening on UDP port 10000 - using the following commands:
sudo service jitsi-videobridge2 stop
nc -l 10000 -u
After this, the cursor is waiting to listen and then on Prod Server, I enter the command
echo "123" | nc -u my.public.ip.address 10000
This shows 123 on the Test server.
Both these servers are on 2 different public IPs behind 2 different pfSense.
I think I need NAT reflection but I am not sure where to make the appropriate changes.
I am also having another issue with NAT Reflection - a few of the websites that I have built in the Test environment, I cannot access from within the Test environment. However, they are accessible from the Prod environment and the outside world.
Again, this means that I need NAT reflection but I am not sure where to make the appropriate changes. :-(
Thx: Rav
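The nc test used throughout this thread (nc -l 10000 -u on the server, echo "123" | nc -u host 10000 from the other side) only proves delivery if someone is watching the listener's console, and a dropped or filtered port simply hangs with no feedback. Below is an added example, not code from the thread or from pfSense, that runs the same kind of UDP reachability check in Python with a listener that acknowledges each datagram so the sender gets a definite result within a timeout; the hostnames and ports are placeholders, and it runs against a local listener so it can be tried without two machines.

```python
"""UDP reachability probe with an acknowledging listener (added example).

The listener answers every datagram with b"ACK:" + payload, so the sender can
tell "reachable" from "silently dropped" instead of staring at a blank nc
console.  Ports/hosts below are assumptions for a local demo."""
import socket
import threading


def start_udp_listener(bind_addr="127.0.0.1", port=0, ack=True):
    """Bind a UDP socket (port 0 = any free port) and serve it in a thread.
    ack=False swallows datagrams, which from the sender's side looks the same
    as a port that an upstream device or OS firewall is dropping.
    Returns (bound_port, stop_event)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)            # wake periodically to check the stop flag
    stop = threading.Event()

    def serve():
        with sock:
            while not stop.is_set():
                try:
                    data, peer = sock.recvfrom(2048)
                except socket.timeout:
                    continue
                if ack:
                    sock.sendto(b"ACK:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop


def udp_probe(host, port, payload=b"123", timeout=2.0):
    """Send one datagram to host:port and wait for the ACK.
    'reachable' : ACK came back, so the path (and any port forward) works
    'refused'   : ICMP port unreachable, host reached but nothing bound there
    'no-reply'  : nothing within timeout: dropped/filtered, or the listener
                  (or a host firewall in front of it) swallowed it"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected UDP socket surfaces ICMP errors
        sock.send(payload)
        try:
            reply = sock.recv(2048)
        except socket.timeout:
            return "no-reply"
        except ConnectionRefusedError:
            return "refused"
    return "reachable" if reply == b"ACK:" + payload else "unexpected-reply"


if __name__ == "__main__":
    local_port, stop = start_udp_listener()   # stands in for the Test server
    print(f"probe 127.0.0.1:{local_port} ->", udp_probe("127.0.0.1", local_port))
    stop.set()
```

To check a real forward, run start_udp_listener(bind_addr="0.0.0.0", port=10000) on the server after stopping the service that owns the port, and udp_probe("my.public.ip.address", 10000) from the outside host.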