Netgate Discussion Forum

    Newbie port forwarding problem

    • N
      NGUSER6947
      last edited by NGUSER6947

      First time trying to do this... forward a port to my internal Emby server.

      I read the manual, and think I followed the instructions properly. On remote systems (testing via my phone's browser, not on my local wifi) the connection times out.

      As I test it, I can see the connection attempt being blocked on my pfSense firewall log (default deny rule).

      Here's my entry in the port forward table:
      a4c1af88-fbdd-43fd-87e1-b0fb6015631d-image.png

      When on my internal network, I get to the server fine (using its internal IP).

      In the port forward setup, the Destination Address and Redirect Target IP address are the same (set to the external Emby server's address). Is this correct?

      What am I missing? Thanks.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @NGUSER6947
        last edited by

        @nguser6947 if you're being blocked by the default deny rule, then you didn't create your WAN firewall rule. This would have been done for you automatically unless you told it not to.

        Why are you hiding your dest address? This should just be WAN address. And why are you hiding your RFC1918 address, your NAT IP? 192.168.x.x, 10.x.x.x, 172.16-31.x.x, nobody can get to those other than if on their own network.. They are not accessible via the public internet.. So hiding them does nothing.. It's akin to hiding that your carpet is red in your living room - because someone might be able to pick out your house from knowing that.

        Post up your wan rules, and your full port forward

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html#port-forward-troubleshooting

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • N
          NGUSER6947 @johnpoz
          last edited by

          @johnpoz Here's my wan rule:
          453b7322-95a6-4f07-93fe-4839ef08cc03-image.png

          and the full port forward screen:
          3964a51c-c492-4fce-8cd7-9a36e9c1b3d5-image.png
          d4c40853-b135-4dcd-8859-24bb36fdbb38-image.png

          I've masked what Emby reports is my server's external IP. The brown boxes contain that external IP (both are the same values).

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @NGUSER6947
            last edited by johnpoz

            @nguser6947 said in Newbie port forwarding problem:

            The brown boxes contain that external IP (both are the same values).

            well that would never work!

            That target IP should be your server's local IP.. 192.168.1.100 for example.. How would it work with some public IP?

            example - here are forwards and wan rules for my plex, which is 192.168.9.10 on my local network..

            myplex.jpg

            So you want to hit your server from the internet on port xyz... But your server is not on a public IP, it's on an RFC1918 address, 192.168.x.x as an example.

            So you hit your WAN Address (your public IP) on pfSense, it says oh you want to talk to port xyz.. I will send you to 192.168.1.100 on port xyz, or it could even be a different port like in my setup..

            How could it forward to some public IP? Which I assume is your wan IP.. So it would just forward to itself?

            In my example traffic that hits my pfsense wan address (my public IP) on port 23040 gets sent to my plex server that is 192.168.9.10 on my network to port 32400 (the plex port)..

            I use a pfBlocker alias (that contains US IPs, etc) as a restriction... So if the source of the traffic hitting my WAN IP on that port is from one of those IPs it's allowed; if not, say it's a China IP or something, then it would not be forwarded.

            • N
              NGUSER6947 @johnpoz
              last edited by

              @johnpoz Ok. Yes, I have updated my configuration:
              b2f5b05b-ea4e-4daf-b49f-083181a60748-image.png

              I've verified that the destination IP and port are correct and the device is online. Firewall log still indicates it is failing due to the default rule.

              • N
                NGUSER6947 @NGUSER6947
                last edited by

                @nguser6947 Solved! I realized that I was mistakenly entering my local server's IP address in the Destination field which *smacks head* wouldn't work.

                Cleared that, and now I have remote access.

                Thanks for your help!

                • GertjanG
                  Gertjan @NGUSER6947
                  last edited by Gertjan

                  @nguser6947 said in Newbie port forwarding problem:

                  it is failing due to the default rule

                  You say this because you've looked at the firewall logs and you saw the incoming (WAN) traffic - with the correct (8096) port and correct "protocol TCP" being flagged as 'blocked' ?

                  I give you an example :

                  I have a Synology Diskstation in my LAN, it has IPv4 192.168.1.33 (RFC1918 of course).
                  I've created an alias for the device name "diskstation2", it resolves to 192.168.1.33.
                  I want to access my Diskstation using https://diskatation2.my-domain.tld:8080

                  I created a NAT rule :

                  3c428a1a-b625-4f10-977d-9a971db2e971-image.png

                  The 'destination' is the firewall macro WAN Address, as my WAN IP is always part of WAN address. The day my WAN IP changes, my rule still works.

                  I want to reach my diskstation on port 8080, so "Destination port range" is set to 8080.

                  The traffic that comes in and matches WAN Address & port 8080 should go to :

                  Redirect target IP : I entered the Alias "diskstation2", I could also enter "192.168.1.30".
                  And the destination port : my diskstation web server listens on "443", it's using TLS.

                  I Save.

                  I have a NAT rule :

                  b9a38f8a-b0c8-4b69-a812-ea43c0b161da-image.png

                  I checked the auto created WAN firewall rule :

                  a7ab50e0-b8d0-4256-925b-404c45452f7f-image.png

                  I tested with my phone ( with Wifi shut down !! ) , and entered :

                  https://diskatation2.my-domain.tld:8080
                  

                  I saw the main web page of the web server of my diskstation2.

                  I also saw :

                  b995333c-91b4-438e-8378-a00fc2c2ce60-image.png

                  which means that the WAN rule was used / matches incoming traffic. That was me testing the access with my phone..

                  If needed, abuse the pfSense documentation, like Port Forwards. Port forwarding or port NATting or, more correctly, PATting, hasn't changed since 1995. Every home/business router/firewall needs the same inputs. pfSense seems to be different but check for yourself : you have to enter 4 things, and you're good. The rest of the options are 'special cases'. The day you need them, you'll know they are there.
                  Also : I copied all the images without the need of masking something. The correct use of aliases and firewall macros makes rules maintenance easy : It becomes a "set it and forget it" which means I had to look up the pfSense NAT doc, as I tend to forget things. I do not use NAT rules any more, only a VPN access (which is just a firewall rule, no NAT). Exposing internal devices in a company network is a big no no (imho). This said : this is also valid for you : now your 192.168.1.250 becomes part of your network security. Keep that in mind.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??
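
The checks discussed across this thread (Destination is the WAN address, Redirect target is the server's RFC1918 address, and a WAN pass rule exists), written out as an added example that is not part of any poster's message or of pfSense itself. The field names, the `wan_address` token and the finding codes are hypothetical, and 203.0.113.10 is a constructed stand-in for the masked public IP.

```python
import ipaddress

# RFC1918 ranges listed explicitly: ipaddress.is_private also covers other
# special-purpose blocks (documentation ranges included), which is too broad here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def lint_port_forward(fwd, wan_rules, wan_ip):
    """Return finding codes for one forward ([] = consistent); hypothetical field names."""
    findings = []
    # Destination = what the remote client dials, i.e. the firewall's WAN address.
    if fwd["dest"] != "wan_address":
        if is_rfc1918(fwd["dest"]):
            # Never matches internet traffic, so the packet reaches default deny untranslated.
            findings.append("dest-is-internal-ip")
        elif fwd["dest"] == wan_ip:
            findings.append("dest-hardcoded-wan-ip")  # breaks when the WAN IP changes
        else:
            findings.append("dest-not-wan")
    # Redirect target = the server's own address on the local network.
    if not is_rfc1918(fwd["target_ip"]):
        findings.append("target-not-internal-ip")
    # NAT is applied before the WAN filter rules, so the pass rule has to match
    # the translated destination (internal IP and target port).
    if not any(r["action"] == "pass" and r["proto"] == fwd["proto"]
               and r["dest"] == fwd["target_ip"] and r["dest_port"] == fwd["target_port"]
               for r in wan_rules):
        findings.append("no-wan-pass-rule-for-target")
    return findings

# Constructed sample data: 192.168.1.250 and port 8096 are the values quoted in the thread.
WAN_IP = "203.0.113.10"
PASS_8096 = [{"action": "pass", "proto": "tcp", "dest": "192.168.1.250", "dest_port": 8096}]

def forward(dest, target_ip):
    return {"proto": "tcp", "dest": dest, "dest_port": 8096,
            "target_ip": target_ip, "target_port": 8096}

# (Destination, Redirect target IP) pairs reconstructed from the thread's three stages.
ATTEMPTS = [(WAN_IP, WAN_IP), ("192.168.1.250", "192.168.1.250"),
            ("wan_address", "192.168.1.250")]

if __name__ == "__main__":
    for dest, target in ATTEMPTS:
        print(f"{dest} -> {target}:", lint_port_forward(forward(dest, target), PASS_8096, WAN_IP) or "ok")
```

The second pair reproduces the symptom reported in the thread: a pass rule exists, yet the forward never matches, so the log shows the default deny rule.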

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.