Netgate Discussion Forum
    Port forwarding not working

    Category: Firewalling
    11 Posts 4 Posters 902 Views
    p01s0n

      Hi. I have tried all possible port forwarding options, none of them want to work. What am I doing wrong?
      viragomann @p01s0n

        @p01s0n
        Possibly the destination device is blocking that access.

        To investigate use the packet capture tool.
        Take a capture on WAN interface to check if the SSH packets are arriving at all.
        If so, take a capture on LAN to see if the device is responding.

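The capture-based check viragomann describes, as an added example that is not part of the thread or of pfSense itself: a small Python script that reads tcpdump-style output from a WAN capture and a LAN capture and answers the questions in order (did a SYN for the forwarded port arrive on WAN, did pfSense push it to the internal host, did that host answer with a SYN-ACK, or is the client actually a LAN host aiming at the WAN address). It assumes numeric addresses, as the pfSense capture tool prints them; the sample capture lines are constructed in the poster's format, with 203.0.113.10 standing in for the real WAN address and 192.168.1.50 as an assumed forward target. All function names are this example's own.

```python
"""Triage of pfSense packet captures for a port forward.

Added example, not code from the thread or from Netgate. Assumes captures
with numeric IPv4 addresses (hostnames are not parsed).
"""
import re
from dataclasses import dataclass

# Matches the flow part of a tcpdump line: "src.sport > dst.dport: Flags [S]"
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: "S" = SYN, "S." = SYN-ACK, "R." = RST-ACK


def parse_capture(text):
    """Extract TCP flows from tcpdump-style output; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return flows


def triage(wan_text, lan_text, wan_ip, lan_host, port):
    """Answer, in order, the questions a WAN plus LAN capture is meant to settle."""
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)
    inbound_syn = [f for f in wan if f.dst == wan_ip and f.dport == port and f.flags == "S"]
    return {
        # 1. Did a SYN for the forwarded port reach the WAN interface at all?
        "syn_reached_wan": bool(inbound_syn),
        # 2. Did pfSense translate it and send it on to the internal host?
        "syn_forwarded_to_lan_host": any(
            f.dst == lan_host and f.dport == port and f.flags == "S" for f in lan),
        # 3. Did the internal host answer with a SYN-ACK?
        "lan_host_replied": any(
            f.src == lan_host and f.sport == port and f.flags == "S." for f in lan),
        # 4. A LAN client addressing the WAN IP is the hairpin case (NAT reflection)
        "lan_client_hitting_wan_ip": any(
            f.dst == wan_ip and f.dport == port for f in lan),
        # 5. Source addresses seen on WAN, kept for a later address-space check
        "wan_sources": sorted({f.src for f in inbound_syn}),
    }


def diagnose(findings):
    """Turn the findings into the next thing to check."""
    if not findings["syn_reached_wan"]:
        return "no SYN on WAN: the problem is upstream of pfSense (ISP, CGNAT, client side)"
    if findings["lan_client_hitting_wan_ip"] and not findings["syn_forwarded_to_lan_host"]:
        return "LAN client is targeting the WAN address: enable NAT reflection or test from outside"
    if not findings["syn_forwarded_to_lan_host"]:
        return "SYN seen on WAN but not on LAN: check the NAT rule and its linked WAN firewall rule"
    if not findings["lan_host_replied"]:
        return "SYN reached the LAN host but no SYN-ACK: host firewall or service not listening"
    return "forward works at the packet level"


# Constructed sample in the poster's format; 203.0.113.10 stands in for the WAN address.
WAN_SAMPLE = """\
00:47:43.792764 IP (tos 0x0, ttl 127, id 28641, offset 0, flags [DF], proto TCP (6), length 52)
    100.68.108.210.1080 > 203.0.113.10.22: Flags [S], cksum 0xaf19 (correct), seq 896588029, win 64240, length 0
"""
LAN_SAMPLE = """\
00:50:16.760746 IP (tos 0x0, ttl 128, id 28655, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.113.60064 > 203.0.113.10.22: Flags [S], cksum 0xd3be (correct), seq 3760599606, win 64240, length 0
"""

if __name__ == "__main__":
    result = triage(WAN_SAMPLE, LAN_SAMPLE, "203.0.113.10", "192.168.1.50", 22)
    print(result)
    print(diagnose(result))
```

Run against the constructed sample, the script reports that a SYN did reach WAN but the LAN capture only shows a LAN client addressing the WAN IP, so the next step is NAT reflection or a test from outside; tcpdump prints a SYN-ACK as `S.`, which is what the LAN-side reply check looks for.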
        SteveITS Galactic Empire @p01s0n

          @p01s0n You're trying to access the pfSense via SSH? Two thoughts... is "Enable Secure Shell" checked in System/Advanced/Admin Access? And, why not just SSH to the WAN port 22 and not NAT to its LAN IP? (not that I'd recommend allowing SSH to either, from the Internet)

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          p01s0n @viragomann

            @viragomann
            This is the WAN capture:

            00:47:43.792764 IP (tos 0x0, ttl 127, id 28641, offset 0, flags [DF], proto TCP (6), length 52)
            100.68.108.210.1080 > MyWhiteIPaddress.22: Flags [S], cksum 0xaf19 (correct), seq 896588029, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

            and this is the LAN capture:

            00:50:16.760746 IP (tos 0x0, ttl 128, id 28655, offset 0, flags [DF], proto TCP (6), length 52)
            192.168.1.113.60064 > MyWhiteIPaddress.22: Flags [S], cksum 0xd3be (correct), seq 3760599606, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

            p01s0n @SteveITS

              @steveits

              @steveits said in Port forwarding not working:

              "Enable Secure Shell"

              enabled.

              @steveits said in Port forwarding not working:

              And, why not just SSH to the WAN port 22 and not NAT to its LAN IP?

              How? I guess I tried it too.

              SteveITS Galactic Empire @p01s0n

                @p01s0n
                What device is 192.168.1.113 in your previous post? Is that your PC and you're trying to connect to WAN:22 from the LAN, and use NAT? If so, then you'd need to enable NAT reflection for that NAT rule.

                To connect to WAN:22 from the Internet, don't use NAT, just create a rule on WAN to allow from any to WAN:22. Though I would really want to limit that to specific IP addresses as the source, and not allow the entire Internet.

                p01s0n @SteveITS

                  @steveits Did like you say. Created a rule on WAN allowing any to WAN 22. No effect. Packet capture sees some packets only if I'm trying to connect from LAN; if I try from another ISP, from a phone for example, no packets at all.

                  SteveITS Galactic Empire @p01s0n

                    A WAN firewall rule doesn't apply at all if you are on LAN. Rules apply to the interface that is receiving the connection.

                    re: no packets...is there anything outside of your router like an ISP router that may be blocking the connection?

                    Some ISPs do block ports, for example for security reasons or if they decide a "home" account should not be running a web server, which would be a business account. In that case using NAT might get around it...redirect WAN:50022 to LAN:22.

                      p01s0n @SteveITS

                      @steveits I asked my ISP about it once; they said they are not blocking port forwarding. Will try another port like you said, 50222.
                      Same problem with port forwarding I had on OpenWrt, but one time I could do ping and forwarded some ports.
                      As far as I know, optics come to my building into one switch, from which the Internet comes to me via cable, and that cable is connected directly to pfSense.

                      johnpoz LAYER 8 Global Moderator @p01s0n

                        @p01s0n You're behind a CGNAT (carrier grade NAT)

                        100.68.x.x is part of the cgnat range 100.64.0.0/10

                        100.64.0.0 - 100.127.255.255

                        So no, you're not going to get anything to work from the public net inbound to that IP. Never, ever, ever. The only way it could work is if your ISP forwarded traffic to that 100.x.x.x IP from some actual public IP. CGNAT is like what pfSense does for NATting public to RFC1918, but for ISPs.

                        https://en.wikipedia.org/wiki/Carrier-grade_NAT

                        You would have to get that info from your ISP. It's possible they might provide some ports that they allow inbound (they do the port forward)... But you would have to get the details of what specific ports they are sending you, and what public IP on the Internet to send the traffic to.

                        Do you get an IPv6 address? I don't see one; link local isn't going to work. Can you get IPv6 from them? Or you would have to go with a VPN service that allows inbound port forwarding via some ports. Or you would have to look into something like https://ngrok.com/ for a way to get unsolicited inbound traffic to you.

                        Or you could get a vps somewhere, create a vpn tunnel to it and send traffic to you via that..

                        Best option if your goal is inbound traffic is either to get an actual public IP from your ISP, maybe at an extra charge per month, or switch to an ISP that isn't using CGNAT.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

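The address-range check behind johnpoz's diagnosis, as an added example that is not part of the thread or of pfSense: a Python classifier for the address pfSense holds on WAN (or any address pulled from a capture), built on the standard library's ipaddress module with the RFC 6598 shared range 100.64.0.0/10 checked explicitly, because ipaddress reports that range as neither private nor global. The function names are this example's own, and the sample addresses are constructed (8.8.8.8 is used only as a known public address).

```python
"""Tell real public address space apart from carrier-grade NAT and other
non-routable ranges before chasing port-forward rules.

Added example, not code from the thread or from Netgate. Standard library only.
"""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # shared address space, RFC 6598


def classify(addr):
    """Return a short label for where an IPv4 or IPv6 address lives."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"   # v4 169.254/16 or v6 fe80::/10: no global reachability
    if ip.version == 4 and ip in CGNAT:
        return "cgnat"        # ISP NAT pool: the ISP, not you, owns the public side
    if ip.is_private:
        return "private"      # RFC 1918 (v4) or ULA (v6): another NAT is upstream
    if ip.is_global:
        return "public"
    return "reserved"


def inbound_possible(addr):
    """Only a public address can receive unsolicited connections from the Internet."""
    return classify(addr) == "public"


def explain(wan_addr):
    """One-line reading of a WAN address, following the reasoning in the thread."""
    kind = classify(wan_addr)
    if kind == "cgnat":
        return (f"{wan_addr} is in {CGNAT}: Internet traffic lands on the ISP's NAT, "
                "not on pfSense; options are a public IP or IPv6 from the ISP, "
                "ISP-side port forwards, or a tunnel to a VPS or VPN service")
    if kind == "private":
        return f"{wan_addr} is private space: there is another NAT device upstream"
    if kind == "link-local":
        return f"{wan_addr} is link-local: no global connectivity on this address family"
    if kind == "public":
        return f"{wan_addr} is public: inbound forwards can work unless something upstream filters"
    return f"{wan_addr} is {kind} space"


if __name__ == "__main__":
    # Constructed sample addresses: the capture's source, a LAN host, a v6 link-local, a public one
    for sample in ("100.68.108.210", "192.168.1.113", "fe80::1", "8.8.8.8"):
        print(explain(sample))
```

The ordering of the checks matters: loopback and link-local addresses also count as private in ipaddress, and the CGNAT test has to come before `is_private` because 100.64.0.0/10 is excluded from both `is_private` and `is_global`.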
                          p01s0n @johnpoz

                          @johnpoz Thanks a lot for the detailed answer. I will talk to the ISP about allocating a static address for me.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.