Port Forwards Again
-
Hello,
My port forwards are not working, this is a new install. Everything but the port forwards are working.
Version 2.5.2
I have reinstalled 2x
Port forwards are set on the NAT page
Rules are set on the Firewall page (I have done both manual and auto rule creation)
I have gone through the troubleshooting guide, which was not essentially everything I had already tried
Ports test as available internally
NMAP shows all ports closed from the outside
Firewall log shows "Default deny rule IPv4 (1000000103)" for all incoming.
This is not my first time setting port forwards, but it is the first time on pfSense. I had my buddy from work (who has used it for years) and he can't find an error either. Is there something I have missed?
-
@noahbb89 said in Port Forwards Again:
Firewall log shows "Default deny rule IPv4 (1000000103)" for all incoming
Then your rules are not in the correct order, or not matching the traffic you're seeing. Let's see your rules on your WAN; let's see your port forwards.
Let's see you sniff on your WAN while you send traffic.
Nobody can help without actual info, like your firewall logs showing what is being blocked. When you go to canyouseeme.org and send traffic on port 4444, for example, do you see that in the log?
Love to help, but there is nothing to work with. If your stuff is being blocked by the default rule, then whatever you created to allow it is not matching.
-
-
@noahbb89 well, looking at that for like 2 seconds I can tell you why your WAN rules are not letting 3389 in: where did you come up with the idea that the source port would be 525?? There is no way that is correct.
All of your rules have source ports on them - not going to work. 3389 to 3389 source port??
If you want to let something in from the internet, the source port would be ANY.
When something makes a connection to a service, the "source" port that traffic would come from is almost always some random port above 1024.
So no, how you have it set is not going to work.
Where did you read that the source port would be those? It defaults to any, and actually even hides the source as an option unless you click the Advanced button.
Delete all those rules on your WAN, and all your port forwards. And create a simple port forward to what you want to forward to, with source port as ANY.
And then troubleshoot it per the doc if it's not working:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html
BTW - I would highly suggest against opening RDP to the public internet.
See that block to 3389 in your firewall logs, see the source port. That is not what you have on any of your rules or forwards. And that source port is going to change every time they make a connection, and it would be something different from every client.
-
So the 525 to 3389 is a redirect. Literally every other setup I have used allows port redirects, so 1 port can be externally available to multiple internal machines. If the source port is any for the first rule I define, would not everything go to that client?
If I am understanding you correctly, pfSense is not the solution for my setup. Like literally my $30 Walmart router at home has more features (namely port redirect). Not trying to sound like a jerk, just if this solution doesn't allow what I need I may as well cut my losses now.
However my buddy is able to accomplish what I am doing in another environment. I have screenshots of his configs, not comfortable sharing his info, but his rule is the exact same as mine, hence my confusion as to why mine does not work....
-
@noahbb89 said in Port Forwards Again:
So the 525 to 3389 is a redirect.
No, that is not a redirect... You have the source port locked to being 525.
A redirect port would look like this: I direct 23040 externally to 32400 on the server internally.
Your buddy sure as hell does not have the same setup - if he did, his wouldn't work either. It's that simple. This is borked!
Also you have a port forward on your WAN that says the destination is the LAN address - how would that ever happen?? That forward says: hey, traffic coming into your WAN interface with a destination of whatever your LAN IP is - how would traffic hit your WAN that has a destination of your LAN IP??? Let's say it somehow magically did... You're then saying: hey, if the destination port is 3389, send it to 192.168.1.120 3389. But ONLY if the source port of the traffic is 525. How the hell would any of that ever happen??
If you want to redirect traffic hitting 525 on your WAN to 192.168.1.120 3389, the port forward and firewall rules would look like this.
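As an added illustration (not part of the thread and not screenshots from either poster), here is the same comparison written out in pf.conf syntax, which is what pfSense compiles its NAT page and WAN rules into. The interface name em0, the WAN address 203.0.113.10 and the second host 192.168.1.121 are assumed placeholder values; 525, 3389 and 192.168.1.120 come from the thread. The first pair of rules reproduces the broken "source port 525" configuration, the second pair is a correct redirect, and the third pair shows how a second internal host gets its own external port, which answers the question of whether "source port any" would send everything to the first client (it does not, because the forward selects on destination port).

```pf
# BROKEN: what the thread describes. The rules only match packets whose SOURCE
# port is 525. Clients choose a random ephemeral source port (usually above
# 1024), so this almost never matches and the packet falls through to the
# default deny rule seen in the firewall log.
rdr on em0 proto tcp from any port 525 to 203.0.113.10 port 3389 -> 192.168.1.120 port 3389
pass in quick on em0 proto tcp from any port 525 to 192.168.1.120 port 3389 keep state

# CORRECT port redirect: external 525 -> internal 3389, source port ANY.
# rdr rewrites the destination before filtering, so the pass rule matches the
# post-NAT destination 192.168.1.120:3389, which is what the auto-created
# "NAT" firewall rule on the WAN tab does.
rdr on em0 proto tcp from any to 203.0.113.10 port 525 -> 192.168.1.120 port 3389
pass in quick on em0 proto tcp from any to 192.168.1.120 port 3389 keep state

# A second host needs its own external port; the destination port, not the
# source port, decides which internal machine receives the connection.
# (192.168.1.121 and port 526 are assumed values for the example.)
rdr on em0 proto tcp from any to 203.0.113.10 port 526 -> 192.168.1.121 port 3389
pass in quick on em0 proto tcp from any to 192.168.1.121 port 3389 keep state

# Verifying on the firewall itself (Diagnostics > Command Prompt or SSH):
#   pfctl -sn                  # show the loaded NAT (rdr) rules
#   pfctl -sr | grep 3389      # show the loaded filter rules for the target
#   tcpdump -ni em0 port 525   # sniff the WAN while a test connection is made;
#                              # the source port you see will be random, never 525
```

If the tcpdump shows the SYN arriving on port 525 but the firewall log still records the default deny, the filter rule is what is wrong; if nothing arrives at all, the problem is upstream of pfSense (modem, ISP or a double-NAT), which is the order of checks the linked troubleshooting doc walks through.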