Hell of a time with Pfsense port forwarding.
-
Hi there all, I’m relatively new to pfsense and am learning slowly, but I’ve hit a snag which I have absolutely no idea how to remedy.
So I run a bunch of DCS servers (it’s a flight sim) and I use an add-on called dcs-gRPC which requires ports in the range 50051 (TCP) - 50056. It only REQUIRES 50051 (but I run 5 of the servers so I need all 5 open).
However, I go to NAT and set up a port forward as I would normally. My WAN IP is a public DHCP IP provided by Comcast. I have my LAN/gateway set up on a 10.10.1.X address.
So in the port forward section I have selected WAN address, to ports 50051 - 50056 TCP, with the starting port at 50051 and the local IP address of 10.10.1.120 (the server that runs the dcs-gRPC client).
I think this is the way you should set up port forwards on pfsense from what I’ve read, but no matter which NAT or reflection settings I choose (I’ve tried all 3), every port checker I use to test if the port is open on my public IP says it’s closed.
Like I said, I’m not the most experienced networking guru and hope someone can offer some advice as I’d really like to get this sorted.
Thanks in advance and let me know if you need more information, screenies etc. (I assume you will)
Good to be here; been a long-time watcher of the YouTube channel, first-time poster.
This is what I'm using to check ports are open: https://portchecker.co
-
Move the one on the second image to the top on WAN rules and check again.
-
@cool_corona said in Hell of a time with Pfsense port forwarding.:
Move the one on the second image to the top on WAN rules and check again.
Thanks for the reply, I appreciate it, but the WAN rule already is at the top (bottom picture).
-
I don't see any hits on that rule. You sure traffic is even getting to your WAN?
Using an outside source like can you see me to hit your TCP port should trigger the rule, even if nothing is listening on the port you forwarded to.
If a port forward is not working, the first thing is to validate that traffic actually hits your WAN. If it does, the second step is to validate that it is being sent out your LAN side interface.
Here I have nothing listening on 50051, but I can send traffic there and validate the port forward is working.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
So testing shows fail, but my rule shows traffic was seen. Sniff on WAN shows traffic was seen, sniff on LAN shows traffic was sent on. So this tells me the firewall on the device I'm forwarding to blocks it, or the device isn't listening on that port, or I'm sending it to the wrong internal IP.
If you do not see the rule trigger, or see nothing on the WAN sniff, then traffic is never getting to pfsense. If nothing gets to pfsense, there is nothing to forward.
-
Really appreciate the reply, I'm not sure how to do a lot of what you ask though. It appears as though my rule is seeing that traffic is being transferred, although not a lot of traffic.
I changed the ports to some that I know are open from the WAN (tested using a cell phone when disconnected from my wifi).
portchecker tells me that those ports are now open (not the ports initially used though: 50051-50056).
I'm not sure where to do the aforementioned "sniffing" but I attempted to use the "packet capture" feature in pfsense with these settings and got no packets shown:
Thanks in advance and sorry for the newbism.
M
-
@martsmac yes the sniff is just done in the diagnostic menu, packet capture.
Your sniff is not correct, how would pfsense see traffic to some 10 address on its wan? The traffic from the internet would be sent to pfsense wan IP.. 10.x does not route across the internet.
So unless you had something in front of pfsense that was forwarding traffic to pfsense wan IP that was that 10 address that sniff would never see anything.
That sniff would be fine for doing the lan side sniff to see if traffic was being sent onto that 10 address you were forwarding traffic to, if you did it on the lan side interface vs the wan.
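
The two-capture check described in this thread (WAN first, then LAN), as an added example that is not part of any post: it reads tcpdump-style text from a WAN-side and a LAN-side capture and reports where the forward stops. It assumes the capture output is pasted as text in that format; `diagnose` and `flows` are hypothetical names, and 198.51.100.7 and 203.0.113.50 are constructed placeholder addresses for the WAN IP and the outside tester.

```python
import re

# tcpdump-style text line, e.g.
# "12:00:01.000 IP 203.0.113.50.41234 > 198.51.100.7.50051: Flags [S], seq 1, length 0"
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def flows(capture):
    """Yield (src_ip, src_port, dst_ip, dst_port, flags) for each TCP line."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def diagnose(wan_capture, lan_capture, wan_ip, host_ip, port):
    """Hypothetical helper: locate where a port forward stops working."""
    # Step 1: the WAN capture must show a SYN to the WAN address itself.
    # A WAN capture filtered on the 10.x host address will normally be empty.
    if not any(d == wan_ip and dp == port and f == "S"
               for _, _, d, dp, f in flows(wan_capture)):
        return "not on WAN: traffic never reached pfSense, nothing to forward"
    # Step 2: the LAN capture must show the same SYN, now addressed to the host.
    lan = list(flows(lan_capture))
    if not any(d == host_ip and dp == port and f == "S" for _, _, d, dp, f in lan):
        return "on WAN, not on LAN: check the port forward and its WAN rule"
    # Step 3: look at what the internal host sent back from the forwarded port.
    replies = [f for s, sp, _, _, f in lan if s == host_ip and sp == port]
    if "S." in replies:  # SYN-ACK
        return "forward works: host accepted the connection"
    if any("R" in f for f in replies):  # RST or RST-ACK
        return "forwarded, host reset: nothing listening or host firewall rejects"
    return "forwarded, no reply: host firewall drops it or wrong internal IP"

# Constructed sample captures; 198.51.100.7 is a placeholder WAN address.
WAN = "12:00:01.000 IP 203.0.113.50.41234 > 198.51.100.7.50051: Flags [S], seq 1, length 0"
LAN = "12:00:01.001 IP 203.0.113.50.41234 > 10.10.1.120.50051: Flags [S], seq 1, length 0"

if __name__ == "__main__":
    print(diagnose(WAN, LAN, "198.51.100.7", "10.10.1.120", 50051))
```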
-
@johnpoz I managed to show packets when I sniffed the public IP address which for obvious reasons I'm not posting here lol. I might have found my problem though I will post later if it works.