Netgate Discussion Forum

    PortForward Not working no matter what I do

    Firewalling
    59 Posts 4 Posters 3.1k Views

      Dark_Prophet

      Hello there, I have a problem with port forwarding. I'm trying to open port 2302 for a specific application, but no matter what I do it won't work. I have tried uninstalling the antivirus because I thought that might have been the issue, and nothing. This is how I have my port configured; when I scan from outside the network it shows that it is closed. I also have a port open for my Plex server, and that's working with no problem from outside the network.
      Here are my settings; maybe I'm doing something wrong. Maybe someone out there knows how to fix it. Thanks in advance.

      Screenshot (7).png Screenshot (6).png

        chpalmer @Dark_Prophet

        @dark_prophet Have you reviewed this page? https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          Dark_Prophet @chpalmer

          @chpalmer Not yet, I'll look at it and give it a try.
          Thanks for the quick reply.

            Dark_Prophet

            I have tried everything in the troubleshooting docs, but nothing seems to work.

            I even tried this really good post by another guy having a similar problem:
            https://www.reddit.com/r/PFSENSE/comments/gf7uu6/pfsense_nat_closedsyn_sent/

            I was reading that the issue could have been because of asymmetric routing, but I went ahead and followed the link above to no avail.

            The thing is, when I did it for my Plex server it works just fine, but when I open any other port it won't work.

            Plex (2).png
            Server.png

            One thing I did is that I made a different firewall rule for my Plex server to port 32500,
            and I get that the port is closed, but 32400. I know Plex is listening on that port and not on 32500.
            Not sure if that has anything to do with it.

              SteveITS Galactic Empire @Dark_Prophet

              @dark_prophet Does the server listening on 2302 have a firewall and if so does it allow connections from any IP?

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                Dark_Prophet

                Yes it does. It's really a game where I can host my own little server from my computer, and it's supposed to be listening on 2302. I even uninstalled my antivirus, and nothing.

                  chpalmer @Dark_Prophet

                  @dark_prophet said in PortForward Not working no matter what I do:

                  Yes it does, I even uninstalled my antivirus, and nothing.

                  If you are running Windows you need to look and see if the firewall on that computer is set to allow connections from outside its own subnet.. By default it will not.

                  The document I linked to does give you enough information to figure out where your setup is failing.. but you have to take it step by step.

                  Have you done a packet capture to see if the connection attempts are even making it to your router? Some ISPs block such things.

                    Dark_Prophet

                    I will check on that. Earlier I was trying to troubleshoot and the CLOSE:SYN_SENT: what does that mean?

                      Dark_Prophet

                      Sorry, my reply got cut off. Earlier, when I was trying to ping the port from outside my network, in my pfSense Diagnostics section, then States, I could clearly see it was trying to make a connection. I could see the IP address and port from where it was being pinged, but the state was CLOSE:SYN_SENT. What does that mean?

                        Dark_Prophet

                        I think that right there shows that it's making it to the router/firewall.

                          johnpoz LAYER 8 Global Moderator @Dark_Prophet

                          @dark_prophet said in PortForward Not working no matter what I do:

                          but the state was CLOSE:SYN_SENT

                          I go over it in detail here:
                          https://forum.netgate.com/post/914914

                          Most likely where you're sending didn't answer, be it the port not open, its firewall denied the traffic, or the device is not using pfsense as its gateway.

                          Depending where you sent it and the OS of the device, it normally might send a RST if the port was not open.. So either a firewall or pfsense not gateway.

                          If you followed the troubleshooting guide you would have known exactly right away if pfsense was sending the traffic on - since this is part of the troubleshooting. Validating that pfsense sees the traffic to forward, and if it sends it on via sniffing..

                          https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html#check-packet-capture

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            Dark_Prophet

                            OK, thanks for the help, I will check on it later. The device being used is my own computer.

                              johnpoz LAYER 8 Global Moderator @Dark_Prophet

                              @dark_prophet said in PortForward Not working no matter what I do:

                              The device being used is my own computer.

                              Which I take it is working for internet - but is it actually routing through pfsense? If you see pfsense send on the traffic via a sniff, then you know it's something with the device, no service listening on that port, firewall, or not using pfsense as its gateway.

                              But there is nothing pfsense can do if it sends on the traffic it sees via the forward and never gets an answer.. Not sure what scanning service you're using.. Is that actually from the internet? I normally recommend just can you see me .org for sending traffic from the internet to test a port forward.

                              If you're scanning locally to your public IP hoping to get reflected back in - that is not a good test of port forwarding, and you need to have set up NAT reflection. To test a port forward, you need to send traffic from the outside.. which can you see me makes real easy to do on any tcp port.

                                Dark_Prophet

                                That's what I'm doing, trying to test it from outside my network with my cellphone from

                                ipfingerprints.com

                                  Dark_Prophet

                                  This is what I get on packet capture when I try to ping from outside my network from 2 sites:

                                  https://www.ipfingerprints.com

                                  https://canyouseeme.org/

                                  00:15:03.088123 IP 5.79.75.134.58554 > 72.47.134..: UDP, length 21
                                  00:15:04.088941 IP 5.79.75.134.58555 > 72.47.134..: UDP, length 21
                                  00:15:05.125488 IP 5.79.75.134.41022 > 72.47.134..: tcp 0
                                  00:15:06.126803 IP 5.79.75.134.43608 > 72.47.134..: tcp 0
                                  00:15:07.673939 IP 52.202.215.126.53411 > 72.47.134..: tcp 0
                                  00:15:08.670759 IP 52.202.215.126.53411 > 72.47.134..: tcp 0
                                  00:15:10.674765 IP 52.202.215.126.53411 > 72.47.134..: tcp 0

                                    johnpoz LAYER 8 Global Moderator @Dark_Prophet

                                    @dark_prophet OK, that is good, that shows it hit your pfsense public IP, now sniff on your lan side interface when you do the same test.. Do you see pfsense send on the traffic to your device's IP? If so then your device didn't answer for whatever reason - but pfsense did what you told it to.

                                    edit: Example I just forwarded 2302 to a box on my network.. He is not listening on that port, but I can still forward traffic to him.. See while sniffing on the lan side interface you can see pfsense sent the traffic on.. In my case the box at 3.32 sent back a RST saying hey not talking to you on port 2302 go away..

                                    example.jpg

                                    But not all OSes will send back a rst if nothing listening, maybe device firewall just dropped the traffic, or maybe the device sent the reply to some other IP other than pfsense.

                                    But you can see from the sniff that pfsense did what I told it to and forwarded traffic hitting its wan on port 2302 to the device at 192.168.3.32

                                      Dark_Prophet

                                      Not sure if I have Wireshark set up right, but I'm not seeing any traffic when I scanned my network on that specific port.

                                        johnpoz LAYER 8 Global Moderator @Dark_Prophet

                                        @dark_prophet use the packet capture on pfsense.. Under diagnostic menu.

                                          Dark_Prophet

                                          I did the same test on LAN and it has no output whatsoever. Can I see your rules on your port 2302 rule?

                                            johnpoz LAYER 8 Global Moderator @Dark_Prophet

                                            @dark_prophet I posted them...

                                            you sure that IP is correct.. if pfsense can not talk to that IP, then it can not send on the traffic - since it doesn't know the mac address of it.

                                            I posted the portforward and the rule that it generates on my wan..

                                            The rules on your wan are evaluated top down, if you have some rule that blocks before your allow then no it would never work, if you have some rule on floating that would block, again it wouldn't work.

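The capture-based triage worked through in this thread (capture on WAN, then on the LAN-side interface, then look at how the host answers), as an added example that is not part of any post above. It assumes TCP only, captures taken at a detail level that prints TCP flags, and a forward that keeps the same destination port; the sample lines use constructed documentation addresses and the verdict names are made up for the example.

```python
import re

# tcpdump-style TCP line with flags shown (assumed capture detail level), e.g.
# "00:15:05.1 IP 203.0.113.10.41022 > 198.51.100.7.2302: Flags [S], seq 1, length 0"
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def parse(capture):
    """Return (src, sport, dst, dport, flags) for every TCP line in a capture."""
    rows = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            rows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return rows

def diagnose(wan_capture, lan_capture, target_ip, port):
    """Classify where a TCP port forward to target_ip:port stops."""
    wan, lan = parse(wan_capture), parse(lan_capture)
    # A SYN to the forwarded port on WAN means the outside test reached the firewall.
    if not any(dport == port and flags == "S" for _, _, _, dport, flags in wan):
        return "no-wan-traffic"   # blocked upstream, or the test was not sent from outside
    # After NAT the same SYN should leave the LAN interface addressed to the host.
    if not any(dst == target_ip and dport == port and flags == "S"
               for _, _, dst, dport, flags in lan):
        return "not-forwarded"    # earlier block rule, floating rule, or wrong/unreachable IP
    replies = [flags for src, sport, _, _, flags in lan
               if src == target_ip and sport == port]
    if "S." in replies:
        return "working"          # host answered with SYN-ACK
    if any("R" in f for f in replies):
        return "host-rst"         # host reachable, nothing listening on the port
    return "host-silent"          # SYN forwarded, no answer: host firewall or gateway

# Constructed sample captures (documentation addresses, not from the thread).
WAN = ("00:15:05.125488 IP 203.0.113.10.41022 > 198.51.100.7.2302: Flags [S], seq 1, length 0\n"
       "00:15:06.126803 IP 203.0.113.10.41022 > 198.51.100.7.2302: Flags [S], seq 1, length 0\n")
LAN_SILENT = "00:15:05.125601 IP 203.0.113.10.41022 > 192.168.1.50.2302: Flags [S], seq 1, length 0\n"
LAN_RST = LAN_SILENT + ("00:15:05.125990 IP 192.168.1.50.2302 > 203.0.113.10.41022: "
                        "Flags [R.], seq 0, ack 2, length 0\n")

if __name__ == "__main__":
    for name, lan in (("empty LAN capture", ""), ("silent host", LAN_SILENT), ("RST", LAN_RST)):
        print(name, "->", diagnose(WAN, lan, "192.168.1.50", 2302))
```

The "host-silent" verdict is the case where the firewall's state table keeps showing the forwarded connection as never answered, and "not-forwarded" is the empty LAN capture case discussed at the end of the thread.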
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.