Can't get any ports to forward



  • Good day,

    Can't seem to get any port forwarding working on my new Netgate SG-1100. My best guess is that at some point during early setup, I ignorantly chose some overly paranoid option that I'm forgetting about and now overlooking. Been trying to keep it mostly default, though.

    To test, I'm using both https://www.grc.com/shieldsup, as well as nmap & ssh from a remote host. Have tried forwarding ports 22 (goal) and 123 (for idiot testing).

    I've read the official documentation on port forwarding, which hasn't revealed anything, as well as double checked my work against other tutorials & videos on port forwarding. All checks out and is why I'm pretty sure the issue lies outside of my firewall & NAT rules.

    I can confirm there is no ISP blocking at play. I ran a Packet Capture (under the Diagnostics menu on Pfsense) while trying to start an SSH session from the aforementioned remote host, and was able to see that expected packets are indeed hitting the firewall.

    Screenshots: https://imgur.com/a/A7ySUo7

    Physical topology: ISP Modem (single port, no wifi) connects to Netgate WAN port. I've put the OPT & LAN ports on the same VLAN. Server is on firewall's OPT port...

    Thank you for reading!



  • @statikregimen said in Can't get any ports to forward:

    ISP Modem

    Most likely the ISP modem isn't forwarding the traffic to the pfSense router. look for a setting in the ISP modem named DMZ or passthrough to have it forward all inbound connections.


  • LAYER 8 Netgate

    @statikregimen said in Can't get any ports to forward:

    I can confirm there is no ISP blocking at play. I ran a Packet Capture (under the Diagnostics menu on Pfsense) while trying to start an SSH session from the aforementioned remote host, and was able to see that expected packets are indeed hitting the firewall.

    Then move one hop inside and capture there to the target host and you will probably see that pfSense is, indeed, forwarding the traffic to the inside host as instructed but there is no response.

    After that check the firewall (think windows firewall) on the target host.



  • This post is deleted!


  • @Derelict I'm completely new to using packet capturing, but I will try to figure out how to "move one hop inside" as you suggest.

    I have already confirmed that the target host is accepting connections - works fine from my internal network, as well as the internet when I remove the firewall.

    Also, @teamits - I have already confirmed that packets are making it past my ISP modem, and the firewall does receive them.

    Thank you for the replies!


  • LAYER 8 Rebel Alliance



  • @Rico Thank you. Not sure how I missed this before now, but I will go over it and will report back.


  • LAYER 8 Netgate

    @statikregimen said in Can't get any ports to forward:

    I'm completely new to using packet capturing, but I will try to figure out how to "move one hop inside" as you suggest.

    It means capture on the LAN side looking for the forwarded packets going to the SSH server.



  • @Derelict Thank you. When I replied, I didn't have access to the device, but looking at it now, if I'm understanding everything correctly, I changed the Interface setting of the Pfsense Packet Capture from WAN to OPT, which is the the port the server is plugged into (as labeled on the device and afaik I have not changed the label anywhere in software). This yielded no traffic. However, when I check the LAN interface, I can see the expected traffic. So I guess that means it's making it past the firewall successfully but may or may not have a route to the right place.

    As I noted in my OP, I did move the OPT interface to be on the same VLAN as the LAN interface (so I can access the server by direct local IP from my internal network - works fine). I am in the process of double checking those settings. Also still going over the Troubleshooting guide linked above.


Log in to reply