Netgate Discussion Forum

    Port forwarding problem (I did try following the troubleshooting guide)

    3 Posts 2 Posters 983 Views
Eddles (last edited by Eddles):

      Hi all,

      I have to use my ISP's router, and I have absolutely no control over it - I can't even see a status page. I have to email customer service if I want to make any changes to the router settings - even the Wi-Fi password! Anyway, they have set up a DMZ for 192.168.0.10. So, I've set up the pfsense WAN port to be 192.168.0.10, and the LAN port to be 192.168.1.1. The ISP is adamant that the DMZ is on and working. However, I seem to be having trouble with port forwarding. Specifically, I have Transmission on my server (IP 192.168.1.17), and it needs port 51413 forwarded. I have followed the troubleshooting guide and don't seem to be successful. Here are the port forward settings & firewall rules:

[screenshots of the port forward settings and the firewall rules; images not included]

      First, I checked the server port if it is enabled properly:

      kit@Voyager ~ % sudo nmap -p 51413 192.168.1.17
      Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-19 21:41 BST
      Nmap scan report for 192.168.1.17
      Host is up (0.0039s latency).
      
      PORT      STATE SERVICE
      51413/tcp open  unknown
      MAC Address: xxxxx (Dell)
      
      Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
      kit@Voyager ~ %
      

So far, so good. I am not 100% certain the DMZ is working properly, so someone suggested looking at the firewall logs to check this. There are a lot of LAN entries, mainly IPv6, but very few WAN entries, so I am not sure if the DMZ is the problem.

I used a port checker to check port 51413, and it says it's closed, but I get nothing in the logs. I also ran ShieldsUP!; while there were some log entries, it is not clear that they are related to ShieldsUP!.

      Here are a few lines selected from the firewall log, all relating to the WAN:

      Apr 19 21:29:47 	WAN 	Default deny rule IPv4 (1000000103)  192.168.0.1		224.0.0.1		IGMP
      Apr 19 21:29:17 	WAN 	Default deny rule IPv4 (1000000103) 	192.168.0.1:44976		239.255.255.250:1900		UDP 
      Apr 19 21:28:25 	WAN 	Block snort2c hosts (1000000118) 	17.253.35.210:80		192.168.0.10:35391		TCP:PA
      

      Does this mean the DMZ is working? Moving forward, looking at firewall states, there are a few lines relating to port 51413, for example:

      LAN 	udp 	192.168.1.17:51413 -> 54.194.137.170:6881 	SINGLE:MULTIPLE 	1 / 1 	122 B / 95 B 	
      WAN 	udp 	192.168.0.10:23220 (192.168.1.17:51413) -> 54.194.137.170:6881 	MULTIPLE:SINGLE 	1 / 1 	122 B / 95 B 	
      LAN 	udp 	192.168.1.17:51413 -> 31.133.127.112:6881 	NO_TRAFFIC:SINGLE 	1 / 0 	122 B / 0 B 	
      WAN 	udp 	192.168.0.10:53761 (192.168.1.17:51413) -> 31.133.127.112:6881 	SINGLE:NO_TRAFFIC 	1 / 0 	122 B / 0 B
      

      Again, I'm guessing that it's all related to the server trying to talk out on port 51413 but not being successful, but I'm not 100% sure.

      I tried doing a nmap scan on pfsense itself, but I have no idea if doing this is a valid method of diagnosis:

      [2.6.0-RELEASE][admin@pfSense.xx.intranet]/root: nmap 192.168.0.10
      Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-19 21:11 UTC
      Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
      SYN Stealth Scan Timing: About 72.60% done; ETC: 21:11 (0:00:05 remaining)
      Nmap scan report for 192.168.0.10
      Host is up (0.000043s latency).
      Not shown: 996 filtered ports
      PORT    STATE SERVICE
      22/tcp  open  ssh
      53/tcp  open  domain
      80/tcp  open  http
      443/tcp open  https
      
      Nmap done: 1 IP address (1 host up) scanned in 15.05 seconds
      [2.6.0-RELEASE][admin@pfSense.xx.intranet]/root: nmap -p 51413 192.168.0.10
      Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-19 21:12 UTC
      Nmap scan report for 192.168.0.10
      Host is up.
      
      PORT      STATE    SERVICE
      51413/tcp filtered unknown
      
      Nmap done: 1 IP address (1 host up) scanned in 2.20 seconds
      [2.6.0-RELEASE][admin@pfSense.xx.intranet]
      

      Note:

      • I have unticked "Block private networks" in the WAN interface setup.
      • I have unticked "Block bogon networks" in the WAN interface setup.
• Snort is installed & running. While I've followed some tutorials on how to set up Snort, I'm inexperienced, so Snort might be blocking 51413 for all I know. That said, I tried turning off Snort and trying the port checker, but no difference.

      I am certain I have made plenty of simple mistakes, that I can't figure out by reading the troubleshooting guide, so I would really appreciate your advice here! Thank you so much!

viragomann @Eddles:

        @eddles said in Port forwarding problem (I did try following the troubleshooting guide):

        I am not 100% certain the DMZ is working properly

Run Diagnostic > Packet Capture on WAN and initiate an access from outside to check whether the DMZ is working.
From what I see till now, I don't think so.

        Here are a few lines selected from the firewall log, all relating to the WAN:
        Apr 19 21:28:25 WAN Block snort2c hosts (1000000118) 17.253.35.210:80 192.168.0.10:35391 TCP:PA
        Does this mean the DMZ is working?

This lets me assume that outbound from pfSense is basically working. But this is a response packet from a webserver, which is blocked here. That needs further investigation.

        However, I'm wondering why you have snort enabled while troubleshooting. You should disable it as well as pfBlockerNG for testing.

Eddles @viragomann:
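Added example, not from the thread and not Netgate code: a small Python parser for the state-table lines quoted in the first post, applying in a different form the check viragomann suggests above. It separates states where pfSense rewrote the source address (outbound NAT, the `192.168.0.10:23220 (192.168.1.17:51413) ->` lines, which only prove the server is talking out) from states where the destination was rewritten (an inbound hit on the port forward). The four state lines are taken from the post; the fifth, with the external peer 203.0.113.5, is constructed to show what a working forward looks like. The layout with the pre-translation address in parentheses after the translated side is assumed from pfSense's Diagnostics > States output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the four state lines quoted in the post above, plus one
# invented line (external peer 203.0.113.5, a documentation address) showing
# what an inbound hit on the 51413 port forward would look like.
SAMPLE_STATES = """\
LAN \tudp \t192.168.1.17:51413 -> 54.194.137.170:6881 \tSINGLE:MULTIPLE \t1 / 1 \t122 B / 95 B
WAN \tudp \t192.168.0.10:23220 (192.168.1.17:51413) -> 54.194.137.170:6881 \tMULTIPLE:SINGLE \t1 / 1 \t122 B / 95 B
LAN \tudp \t192.168.1.17:51413 -> 31.133.127.112:6881 \tNO_TRAFFIC:SINGLE \t1 / 0 \t122 B / 0 B
WAN \tudp \t192.168.0.10:53761 (192.168.1.17:51413) -> 31.133.127.112:6881 \tSINGLE:NO_TRAFFIC \t1 / 0 \t122 B / 0 B
WAN \ttcp \t203.0.113.5:40212 -> 192.168.0.10:51413 (192.168.1.17:51413) \tESTABLISHED:ESTABLISHED \t12 / 9 \t1 KiB / 720 B
"""

# Assumed column layout (pfSense Diagnostics > States):
#   iface  proto  src [ (original src) ] -> dst [ (original dst) ]  state  pkts  bytes
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\((?P<src_orig>[^)]+)\))?\s+->\s+"
    r"(?P<dst>\S+)(?:\s+\((?P<dst_orig>[^)]+)\))?\s+"
    r"(?P<state>\S+)"
)


@dataclass
class State:
    iface: str
    proto: str
    src: str
    src_orig: Optional[str]
    dst: str
    dst_orig: Optional[str]
    state: str


def parse_state(line: str) -> Optional[State]:
    """Parse one state-table line; None for lines that do not match the layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    return State(**m.groupdict())


def direction(s: State) -> str:
    """Classify a state by which side pf rewrote.

    source rewritten      -> outbound NAT: a LAN host initiated this; says nothing about inbound
    destination rewritten -> inbound rdr: the port forward was actually hit from outside
    nothing rewritten     -> untranslated, e.g. the LAN-side half of an outbound state
    """
    if s.src_orig:
        return "outbound"
    if s.dst_orig:
        return "inbound"
    return "untranslated"


def port_of(endpoint: str) -> int:
    # Works for both 1.2.3.4:80 and [2001:db8::1]:80 because only the last colon is split.
    return int(endpoint.rsplit(":", 1)[1])


def forward_hits(states_text: str, port: int) -> List[State]:
    """Return every inbound (rdr) state whose original destination port is `port`."""
    hits = []
    for line in states_text.splitlines():
        s = parse_state(line)
        if s and direction(s) == "inbound" and port_of(s.dst_orig) == port:
            hits.append(s)
    return hits


def report(states_text: str, port: int) -> str:
    hits = forward_hits(states_text, port)
    if not hits:
        return (f"no inbound state for port {port}: nothing from outside has reached the "
                "forward, so check with a packet capture that traffic arrives on WAN at all "
                "before changing the rule")
    return f"{len(hits)} inbound state(s) for port {port}, e.g. {hits[0].src} -> {hits[0].dst_orig}"


if __name__ == "__main__":
    print(report(SAMPLE_STATES, 51413))
    # The post's own four lines only: outbound NAT states, no inbound hit.
    post_only = "\n".join(SAMPLE_STATES.splitlines()[:4])
    print(report(post_only, 51413))
```

On a real box, paste the Diagnostics > States output filtered on 51413 instead of the sample. The shell equivalent of viragomann's packet capture is `tcpdump -ni <WAN interface> port 51413` on pfSense while a checker from outside connects; if nothing shows up there, the traffic never reached pfSense and the forward rule is not the thing to fix, which is what the last post in this thread confirms.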

          @viragomann said in Port forwarding problem (I did try following the troubleshooting guide):

Run Diagnostic > Packet Capture on WAN and initiate an access from outside to check whether the DMZ is working.
From what I see till now, I don't think so.

Problem solved: my ISP enabled DMZ on the wrong router (that I have an account for). Cleared up the router details, DMZ now working and port forwarding works perfectly. Thank you for your time!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.