Netgate Discussion Forum

    Can't get any ports to forward

    Category: NAT
    9 Posts 4 Posters 722 Views
    • statikregimen

      Good day,

      Can't seem to get any port forwarding working on my new Netgate SG-1100. My best guess is that at some point during early setup, I ignorantly chose some overly paranoid option that I'm forgetting about and now overlooking. Been trying to keep it mostly default, though.

      To test, I'm using both https://www.grc.com/shieldsup, as well as nmap & ssh from a remote host. Have tried forwarding ports 22 (goal) and 123 (for idiot testing).

      I've read the official documentation on port forwarding, which hasn't revealed anything, as well as double checked my work against other tutorials & videos on port forwarding. All checks out and is why I'm pretty sure the issue lies outside of my firewall & NAT rules.

      I can confirm there is no ISP blocking at play. I ran a Packet Capture (under the Diagnostics menu on pfSense) while trying to start an SSH session from the aforementioned remote host, and was able to see that the expected packets are indeed hitting the firewall.

      Screenshots: https://imgur.com/a/A7ySUo7

      Physical topology: ISP Modem (single port, no wifi) connects to Netgate WAN port. I've put the OPT & LAN ports on the same VLAN. Server is on firewall's OPT port...

      Thank you for reading!

      • SteveITS @statikregimen

        @statikregimen said in Can't get any ports to forward:

        ISP Modem

        Most likely the ISP modem isn't forwarding the traffic to the pfSense router. Look for a setting in the ISP modem named DMZ or passthrough to have it forward all inbound connections.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Derelict (Netgate)

          @statikregimen said in Can't get any ports to forward:

          I can confirm there is no ISP blocking at play. I ran a Packet Capture (under the Diagnostics menu on Pfsense) while trying to start an SSH session from the aforementioned remote host, and was able to see that expected packets are indeed hitting the firewall.

          Then move one hop inside and capture there to the target host and you will probably see that pfSense is, indeed, forwarding the traffic to the inside host as instructed but there is no response.

          After that check the firewall (think windows firewall) on the target host.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • statikregimen @Derelict

              @Derelict I'm completely new to using packet capturing, but I will try to figure out how to "move one hop inside" as you suggest.

              I have already confirmed that the target host is accepting connections - works fine from my internal network, as well as the internet when I remove the firewall.

              Also, @teamits - I have already confirmed that packets are making it past my ISP modem, and the firewall does receive them.

              Thank you for the replies!

              • Rico

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html

                -Rico

                • statikregimen @Rico

                  @Rico Thank you. Not sure how I missed this before now, but I will go over it and will report back.

                  • Derelict (Netgate) @statikregimen

                    @statikregimen said in Can't get any ports to forward:

                    I'm completely new to using packet capturing, but I will try to figure out how to "move one hop inside" as you suggest.

                    It means capture on the LAN side looking for the forwarded packets going to the SSH server.


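The "move one hop inside" method Derelict describes in his two replies (capture on WAN, then capture on the inside interface and look for the forwarded SYN and the server's reply) can be made mechanical. The script below is an added example and is not part of the thread or of pfSense: it takes the text of two tcpdump-style captures and names the first hop at which the connection attempt disappears, which maps onto the three explanations offered in the thread (modem not passing traffic, pfSense not translating it, target host not answering). The addresses, port, and interface names in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example: classify where an inbound port forward breaks from two
# packet captures, one taken on WAN and one on the inside interface.
# Not from the thread; the capture text below is constructed in tcpdump's
# default output format.
#
# On pfSense the equivalent live captures would be produced with
# (interface names are assumptions for this example):
#   tcpdump -ni <wan_if> 'tcp port 22'
#   tcpdump -ni <lan_if> 'tcp port 22'
# or via Diagnostics > Packet Capture with the same interface and port filter.

# Constructed WAN-side capture: the client's SYN reaches the firewall's
# public address (198.51.100.10). This is all you see when pfSense drops
# the packet or does not translate it.
WAN_SYN='12:00:01.000000 IP 203.0.113.5.51234 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0'

# Constructed inside capture: the same SYN after NAT, now addressed to the
# internal server (192.168.1.50), with no reply from the server.
LAN_SYN_ONLY='12:00:01.000100 IP 203.0.113.5.51234 > 192.168.1.50.22: Flags [S], seq 1, win 64240, length 0'

# Constructed inside capture for a working forward: the server answers with
# SYN-ACK, which tcpdump prints as Flags [S.].
LAN_FULL="$LAN_SYN_ONLY
12:00:01.000300 IP 192.168.1.50.22 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0"

# True if the capture text ($1) contains a bare SYN to destination port $2.
has_syn_to_port() {
    printf '%s\n' "$1" | grep -Eq "> [0-9.]+\.$2: Flags \[S\]"
}

# True if the capture text ($1) contains a SYN-ACK sent from source port $2.
has_synack_from_port() {
    printf '%s\n' "$1" | grep -Eq "IP [0-9.]+\.$2 > .*Flags \[S\.\]"
}

# diagnose_forward WAN_CAPTURE INSIDE_CAPTURE PORT
# Prints one word naming the first hop at which the attempt disappears:
#   upstream - no SYN on WAN: the modem/ISP is not delivering the packet
#   pfsense  - SYN on WAN but not inside: port forward or WAN firewall rule
#   host     - SYN inside but no SYN-ACK: target host firewall or routing
#   ok       - the server answered; the forward itself works
diagnose_forward() {
    wan=$1; inside=$2; port=$3
    if ! has_syn_to_port "$wan" "$port"; then
        echo upstream
    elif ! has_syn_to_port "$inside" "$port"; then
        echo pfsense
    elif ! has_synack_from_port "$inside" "$port"; then
        echo host
    else
        echo ok
    fi
}

# Stand-alone demonstration of the four outcomes on the constructed captures.
echo "WAN empty, inside empty:          $(diagnose_forward "" "" 22)"
echo "WAN SYN, inside empty:            $(diagnose_forward "$WAN_SYN" "" 22)"
echo "WAN SYN, inside SYN only:         $(diagnose_forward "$WAN_SYN" "$LAN_SYN_ONLY" 22)"
echo "WAN SYN, inside SYN and SYN-ACK:  $(diagnose_forward "$WAN_SYN" "$LAN_FULL" 22)"
```

The order of the checks is the point: a capture on WAN alone only rules out the modem, a capture on the inside interface is what separates a pfSense rule problem from a host that is not answering, and only a SYN-ACK from the server proves the forward is working. Note that a SYN-ACK on the inside interface but no SYN-ACK on WAN would point at reply routing (the server's default gateway), a case this example does not classify.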
                    • statikregimen @Derelict

                      @Derelict Thank you. When I replied, I didn't have access to the device, but looking at it now, if I'm understanding everything correctly, I changed the Interface setting of the pfSense Packet Capture from WAN to OPT, which is the port the server is plugged into (as labeled on the device, and afaik I have not changed the label anywhere in software). This yielded no traffic. However, when I check the LAN interface, I can see the expected traffic. So I guess that means it's making it past the firewall successfully but may or may not have a route to the right place.

                      As I noted in my OP, I did move the OPT interface to be on the same VLAN as the LAN interface (so I can access the server by direct local IP from my internal network - works fine). I am in the process of double checking those settings. Also still going over the Troubleshooting guide linked above.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.