Port forward to UDP 10000 is NOT working
-
@johnpoz apologies for the delayed response...
As far as settings are concerned, I have not made any changes and it is pretty standard stuff... you can see the SS for more details and if you see something silly, please do not hesitate to correct me.
This test was done from a laptop behind the production server trying to capture UDP port 10K on Test server as well as on Prod Server (both of them have got different public IP). I even tried capturing the LAN port (changed the interface to LAN and Host address to 192.168 IP) - but same result, no result in the box below. It says packet capture is running, then I stop it and there is nothing in the box, even when I click on View capture, there is nothing.
However, I have just realised an interesting thing:
Just did a test on WAN and Opt1 interface, with respective IP for TCP port 443 and now I can see information in the box below.
Also, it works only for the IP that I am behind.. so from a laptop behind Prod IP, I can not capture packets (or see any information) for Test IP address - which probably makes sense.
For connectivity point of view, my WAN connection is via cable broadband (Virgin Media Fibre Optic), which terminates on ISP Router (now running as Modem because I have taken 3 static IP addresses). From there it comes into my pfSense and then from pfSense LAN and Opt1 port goes to office network and server network respectively.
issues with not seeing traffic in the packet capture screen
So now the question is: why UDP ports are not being captured or displayed?
As always, any help/support/suggestion/pointers are highly appreciated.
Many Thanks,
Rav -
@raviktiwari said in Port forward to UDP 10000 is NOT working:
So now the question is: why UDP ports are not being captured or displayed?
Because pfsense is not seeing them.. If it sees tcp, it would see UDP as well..
If you're not getting them to your WAN... Then it can not forward them.. Quite possible they are blocked UPSTREAM of pfsense... If you're not seeing them via your capture, then pfsense is not seeing them.
-
It makes sense now: the pfSense setup may be identical, the upstream router isn't.
It's this ISP (?) router that has to forward the UDP ports also. -
@johnpoz but pfSense is forwarding now and I am able to get the job done... if you look at my previous post, I said, "It is working now".... Now the forwarding is not an issue... Issue is: why I am not getting any details in the box below for UDP Port 10K?
Not sure if this is a tricky or stupid situation... Because when you did the same thing, you could see the data being populated in the box below (as per your ss)... so why I cannot?
Maybe pfSense does not like me... :-(
Many Thanks,
Rav -
Dude pfsense has no clue who you are or who I am - it's some software that runs on some hardware - it sees traffic or it doesn't... If you say it's working then clearly it is seeing traffic that it can forward per your settings.
My point is if you're not seeing that traffic on your wan, then it's not there... If you're saying it's working but you're not seeing it then you're looking in the wrong place.
-
Hi @johnpoz I agree with you that pfsense does not care whether it is you or me doing the testing. But we have an issue here... right? So looks like pfsense DOES care who is doing the task. :-)
If I am looking at the wrong place, I want to be corrected. I have shared the screenshot, pls let me know what else I can do.
And to top it up, I am back at square one with the port forwarding as well.
I had to format my test server, build it up with same IP address, did not touch the pfsense at all... and now again UDP port 10K is not working... I can see the traffic moving fine at WAN level, but then from there, it does not reach the Test server.
On Test Server I type:
sudo service jitsi-videobridge2 stop
nc -l 10000 -u
And then from Prod machine (which has got Internet access):
echo "123" | nc -u my.public.ip.address 10000
This should display 123 on the Test machine. I had an issue when I started this thread and it finally worked... but now again it is not working. This is still working on Prod Server... and I get 123 on Test Server...
As I said, I have not made any changes on the pfsense (neither on Test nor on Prod), so why it has died again?
Any idea/suggestion?
Many Thanks,
Rav -
Ok... So I think I have found the root cause of the issue, but I still don't know the resolution.
I connected my laptop on Test network and using firefox and chrome, I was able to capture packets and everything was displayed in the box below (I still don't know why and how it is capturing, whatever it is capturing, but that is for some other day).
However, when I connected the same laptop on Prod network, using the same browser the box below goes blank. So this means it is not the laptop or browser setting... it is something with the network or pfsense configuration that is blocking the data to be displayed/popped up in the box below.
Does that make sense? Does that ring any bell to anyone, as in what changes should I make in the Prod environment, so that when I do a packet capture, I can see what I am supposed to see.
Many Thanks,
Rav -
@raviktiwari said in Port forward to UDP 10000 is NOT working:
echo "123" | nc -u my.public.ip.address 10000
Where is this machine - you're wanting to use NAT reflection for this to work?
-
I am stopping the service on Test Server and then listening on UDP port 10000 - using following commands:
sudo service jitsi-videobridge2 stop
nc -l 10000 -u
After this, the cursor is waiting to listen and then on Prod Server, I enter the command
echo "123" | nc -u my.public.ip.address 10000
This shows 123 on the Test server.
Both these Servers are on 2 different public IP behind 2 different pfSense.
I think I need NAT reflection but not sure where to make the appropriate changes.
I am also having another issue with NAT Reflection - few of the websites that I have a built-in Test environment, I cannot access it from within Test environment. However, it is accessible from the Prod environment and the outside world.
Again this means that I need NAT reflection but not sure where to make the appropriate changes. :-(
Thx: Rav
-
If your client is behind a different pfsense than where your server is then no you wouldn't use nat reflection.
Again where have you shown that this traffic actually hits pfsense wan?
Last I recall you were not seeing this traffic when you did a sniff.. I gave you a site that will send UDP traffic.. Use it.. sniff on your wan.. Do you see it?? If not then no its never ever ever ever going to work!! Period!
-
Sorry if I have not been clear enough but the setup is pretty simple.
I have 2 networks - Test and Prod... both of them have different IP, both came from same ISP broadband modem but one goes in Prod pfSense and another goes in Test pfsense and then from there are managed as a different network. I have attached a diagram - hope it makes it easy to understand.
Now I want port 10K on UDP to be open on 2 Test Servers and 1 Prod Servers. To ensure it is working, I have been told to use those commands that I shared above. So I make Test server listen and then I send the message using echo to Prod server, which does not reach, but the other way around is working and so my application is working on Prod but not on Test. I need it to work on Test so that I can do further development and testing.
So this is my 1st issue - port 10K on UDP not working in Test Environment.
Yes, I used your tool (ipvoid) and it shows WAN port is listening on UDP 10K - I have attached the screenshot in my previous message. But yes I am not able to see any traffic within pfsense because that box is not displaying anything - especially on production pfsense (because it is connected on Prod environment). However, when I do the same thing on the Test environment using test pfsense I can see the traffic flowing when I sniff it.
This is my 2nd issue - why I am unable to see sniffing details in the production environment.
And the 3rd issue is:
Why few of my websites hosted in test environment are NOT accessible from within the Test environment but it can be accessed without any issue on Prod as well as anywhere else in the world.
Hope this clarifies the situation and thanks once again to be there to support, I sincerely appreciate it.
Many Thanks,
Rav -
Step 1... Sniff on wan of pfsense that holds the IP you're trying to send data to... Go to say the site I linked to and send UDP traffic. If you do not see it in the sniff.. Pfsense can not forward anything.. Period!!
Until you show us this sniff, there is nothing anyone can help you with..
This is my 2nd issue - why I am unable to see sniffing details in the production environment.
Because the data isn't getting there is the most logical answer to that..
-
Hey @johnpoz I have no doubt whatsoever that you know more than me and so I don't want to sound argumentative or disrespectful, but pls try to understand the situation.
Going by your requirements:
1.> ipvoid says packet is flowing without any issue - PFA screenshot.
I hope this answers your 1st question. While my 1st issue is still at hand why my application is not able to use UDP10K - why the port is not working?
Coming to 2nd question...
Here the issue is completely different - we know all data is flowing fine, I can also get messages using those commands and I can also access my application. So technically there is no issue at all and we should not be discussing about it... but the problem here is, when I sniff and use pfsense inbuilt tool "packet capture", I cannot see anything in the box below. And this is not because there is no traffic... we know everything is working fine... We also know this is not a laptop or browser issue because when I connect the same laptop and use the same browser in test environment, the same box shows all the details - for both Test and Prod public IP.
This means (at least in my brain - that there is some configuration that I have done within pfsense for Prod environment that is not letting that box fill up with relevant information/traffic).
And this is my 2nd issue.
For the time being, let's leave the 2nd issue we can discuss it once we have sorted these 2 open issues.
Many Thanks,
Rav -
You need to show a sniff! where the traffic actually gets there..
If you can not see it, neither can pfsense.. Do a simple tcpdump on pfsense for port udp 1000.. if you're having issues with the gui.
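
The WAN-then-LAN sniff asked for above, written out as an added example (not part of the thread and not either poster's own commands): it classifies where UDP 10000 packets stop from two text-mode tcpdump captures. The function names, file names and capture lines are constructed, the public addresses are documentation ranges, and 192.168.14.22 / 192.168.14.18 are the two internal addresses Rav quotes in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Save a text-mode capture from each side
# of the firewall (interface names are assumptions; igb1 was johnpoz's WAN):
#   tcpdump -ni igb1 udp port 10000 > wan.txt
#   tcpdump -ni LAN_IF udp port 10000 > lan.txt

# dst_hosts FILE PORT: unique destination IPs of IPv4 packets sent to PORT.
dst_hosts() {
    awk -v port="$2" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)   # "192.168.14.22.10000:" loses the colon
            n = split(dst, p, ".")
            if (n == 5 && p[5] == port) print p[1] "." p[2] "." p[3] "." p[4]
        }' "$1" | sort -u
}

# diagnose WAN_FILE LAN_FILE PORT SERVER_IP: report where the packets stop.
diagnose() {
    wan=$(dst_hosts "$1" "$3")
    lan=$(dst_hosts "$2" "$3")
    if [ -z "$wan" ]; then
        echo "not-on-wan"      # never reached the firewall: look upstream
    elif [ -z "$lan" ]; then
        echo "not-forwarded"   # on WAN only: check the NAT rule and its pass rule
    elif ! printf '%s\n' "$lan" | grep -qxF "$4"; then
        echo "wrong-target"    # forwarded, but not to the intended server
    else
        echo "forwarded"       # on the wire to the server: check the listener
    fi
}

# Constructed sample captures (documentation-range public addresses).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/wan.txt" <<'EOF'
12:00:01.100000 IP 203.0.113.7.40000 > 198.51.100.10.10000: UDP, length 4
12:00:02.300000 IP 203.0.113.9.53124 > 198.51.100.10.4443: UDP, length 20
EOF
cat > "$tmp/lan.txt" <<'EOF'
12:00:01.100200 IP 203.0.113.7.40000 > 192.168.14.18.10000: UDP, length 4
EOF
: > "$tmp/empty.txt"

diagnose "$tmp/empty.txt" "$tmp/empty.txt" 10000 192.168.14.22
diagnose "$tmp/wan.txt" "$tmp/empty.txt" 10000 192.168.14.22
diagnose "$tmp/wan.txt" "$tmp/lan.txt" 10000 192.168.14.22
```

An empty WAN capture is the case where nothing on the firewall can help; a LAN capture that shows a different internal address than the server's points at the port forward's target rather than at the ISP.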
-
Hmm.... So where and how do I do that? Which tool do I use?
-
Already went over this.. Dude I really want to help you... But this is getting more frustrating for me, than I really want to deal with... Troubleshooting port forwarding is 2 minute thing.
-
I agree @johnpoz it is more frustrating for me... because it is working in 2 out of 3 place... so the issue is why it is not working on 3rd place
And then the 2nd issue is: why I am not able to see the packet capture box pop up with traffic details.
Apologies if I am not getting you, but you asked me to use ipvoid and pfsense packet capture tool and I have used both and shared screenshot for both. Not sure what else you need from me... I want to work with you, take your instruction and get it resolved. But unless I am clear with what you want me to do, how can we close the feedback loop?
Many Thanks,
Rav -
here
Took all of 30 seconds to test
https://www.ipvoid.com/udp-port-scan/
do that for your interface on pfsense that is your wan. Mine was igb1, yours is I don't know.
-
Ok here you go...
Just realised it is showing wrong ip... the server ip should be: 192.168.14.22, not sure why it is showing: 192.168.14.18
I have already posted the ss for ipvoid a couple of times.
Hope this helps.
Many Thanks,
Rav