Port forwarding not working
-
Hi. I have tried all possible port forwarding options, none of them want to work. What am I doing wrong?
-
@p01s0n
Possibly the destination device is blocking that access. To investigate, use the packet capture tool.
Take a capture on WAN interface to check if the SSH packets are arriving at all.
If so, take a capture on LAN to see if the device is responding.
-
@p01s0n You're trying to access the pfSense via SSH? Two thoughts... is "Enable Secure Shell" checked in System/Advanced/Admin Access? And, why not just SSH to the WAN port 22 and not NAT to its LAN IP? (not that I'd recommend allowing SSH to either, from the Internet)
-
@viragomann
This is the WAN capture:
00:47:43.792764 IP (tos 0x0, ttl 127, id 28641, offset 0, flags [DF], proto TCP (6), length 52)
100.68.108.210.1080 > MyWhiteIPaddress.22: Flags [S], cksum 0xaf19 (correct), seq 896588029, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
and this is the LAN capture:
00:50:16.760746 IP (tos 0x0, ttl 128, id 28655, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.113.60064 > MyWhiteIPaddress.22: Flags [S], cksum 0xd3be (correct), seq 3760599606, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
-
@steveits said in Port forwarding not working:
"Enable Secure Shell"
Enabled.
@steveits said in Port forwarding not working:
And, why not just SSH to the WAN port 22 and not NAT to its LAN IP?
How? I guess I tried it too.
-
@p01s0n
What device is 192.168.1.113 in your previous post? Is that your PC and you're trying to connect to WAN:22 from the LAN, and use NAT? If so, then you'd need to enable NAT reflection for that NAT rule. To connect to WAN:22 from the Internet, don't use NAT, just create a rule on WAN to allow from any to WAN:22. Though I would really want to limit that to specific IP addresses as the source, and not allow the entire Internet.
-
@steveits I did like you say. Created a rule on WAN allowing any to WAN 22. No effect. Packet capture sees some packets only if I'm trying to connect from LAN; if I try from another ISP, from a phone for example, no packets at all.
-
A WAN firewall rule doesn't apply at all if you are on LAN. Rules apply to the interface that is receiving the connection.
Re: no packets... is there anything outside of your router, like an ISP router, that may be blocking the connection?
Some ISPs do block ports, for example for security reasons or if they decide a "home" account should not be running a web server, which would be a business account. In that case using NAT might get around it...redirect WAN:50022 to LAN:22.
-
@steveits I asked my ISP about it once, they said that they are not blocking port forwarding. Will try another port like you said, 50222.
I had the same problem with port forwarding on OpenWrt, but one time I could ping and forwarded some ports.
As far as I know, optics come to my building into one switch, from which the Internet comes to me via cable, and that cable is connected directly to pfSense.
-
@p01s0n You're behind a CGNAT (carrier grade NAT).
100.68.x.x is part of the cgnat range 100.64.0.0/10
100.64.0.0 - 100.127.255.255
So no, you're not going to get anything to work from the public net inbound to that IP.. Never, ever ever.. The only way it could work is if your ISP forwarded traffic to that 100.x.x.x IP.. from some actual public IP.. CGNAT is like what pfSense does for NATting public to RFC1918, but for ISPs.
https://en.wikipedia.org/wiki/Carrier-grade_NAT
You would have to get that info from your ISP. It's possible they might provide some ports that they allow inbound (they do the port forward)... But you would have to get the details of what specific ports they are sending you, and what public IP on the Internet to send the traffic to..
Do you get an IPv6 address? I don't see one, link local isn't going to work.. Can you get IPv6 from them? Or you would have to go with a VPN service that allows inbound port forwarding via some ports. Or you would have to look into something like https://ngrok.com/ for a way to get unsolicited inbound traffic to you.
Or you could get a VPS somewhere, create a VPN tunnel to it and send traffic to you via that..
Best option if your goal is inbound traffic is either get an actual public IP from your ISP, maybe an extra charge per month, or switch to an ISP that isn't using CGNAT.
-
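Added example (not part of the thread, written by the editor): a small Python helper that parses the tcpdump flow lines posted earlier in this thread and classifies each endpoint against 100.64.0.0/10 (the CGNAT range) and the RFC 1918 ranges, producing the diagnosis described in the post above. The two capture lines are copied from the thread as constructed input; the masked name MyWhiteIPaddress is kept as-is and is treated as an unresolved hostname.

```python
import ipaddress
import re

# Ranges discussed in the thread: RFC 6598 shared address space (CGNAT) and
# the RFC 1918 private ranges that pfSense NATs for LAN clients.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed input: the flow lines from the WAN and LAN captures in this thread.
WAN_LINE = ("100.68.108.210.1080 > MyWhiteIPaddress.22: Flags [S], cksum 0xaf19 (correct), "
            "seq 896588029, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0")
LAN_LINE = ("192.168.1.113.60064 > MyWhiteIPaddress.22: Flags [S], cksum 0xd3be (correct), "
            "seq 3760599606, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0")

# tcpdump "host.port > host.port: Flags [..]"; host may be an IP literal or a name.
FLOW_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def classify(host: str) -> str:
    """Label an endpoint as cgnat / rfc1918 / public / name (not an IP literal)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def parse_flow(line: str) -> dict:
    """Extract endpoints, ports and TCP flags from one tcpdump flow line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump TCP flow line")
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags, "src_kind": classify(src), "dst_kind": classify(dst)}


def diagnose_flow(line: str) -> str:
    """Say why an inbound SYN seen in a capture may never get a working forward."""
    f = parse_flow(line)
    if "cgnat" in (f["src_kind"], f["dst_kind"]):
        return "cgnat: a carrier NAT sits on the WAN path; unsolicited inbound from the public Internet cannot reach this address"
    if f["src_kind"] == "rfc1918":
        return "lan-origin: source is RFC1918, so this is a test from inside; WAN rules do not apply, NAT reflection is needed"
    return "public: both endpoints are public; check the WAN rule and any upstream filtering"


if __name__ == "__main__":
    for label, line in (("WAN", WAN_LINE), ("LAN", LAN_LINE)):
        print(label, diagnose_flow(line))
```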
@johnpoz Thanks a lot for the detailed answer. I will talk to the ISP about allocating a static address for me.