Port Forwarding Help Needed
-
Hi,
I'm new to pfSense port-forwarding and have been banging my head the last few days concerning the following problem. I HAVE looked at all documentation from Netgate before coming here, please don't think this was my first stop.
I'm simply trying to port forward 3 ports, (1) UDP, (2) TCP/UDP. I took snippets of relevant configuration summaries and chopped down a little cutsheet of my network. Pretty please take a look and give me more things to try. Images following.
Thank each and every one of you for any input in advance.
-
@mr-crain and clearly this is not correct
The source port of traffic isn't going to be the same as the port they are trying to connect to.. There are only a very few select applications that do this - so this not being correct pretty much guarantees it.. The source port should be any.
And that any rule on your WAN is a very bad idea..
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
They hide the advanced feature of a port forward for a reason..
"Unless the service absolutely requires a specific source port, the Source Port Range must be left as any since nearly all clients will use randomized source ports"
-
Yeah the blanket any was just a last ditch kinda thing, it's off now.
Not to sound like an ass, but in this instance (a Game Server) I believe their port will be hard defined? I know always running Minecraft and Ark Servers on run of the mill all in one routers, I would always need an implicit external and internal port? In all honesty, I am most unclear about if the port forwarding will work to a LAN that isn't directly attached/not THE pfSense Defined LAN... I'm thinking tomorrow I'm going to hang the server off THAT LAN .. and see if there are differences.
-
@mr-crain said in Port Forwarding Help Needed:
believe their port will be hard defined
No it's not, it's just not. I would be willing to bet, like, my 401k on that ;) And even if it was, guess what, any would still allow it..
The only reason you would put in a source port, even if it wasn't the same as the destination, is if you wanted to limit what was forwarded.. Where you would forward traffic that had source port X, not if it had source port Y. Which in the case of trying to get to some game server would be for what possible reason?
As to your forward being downstream.. That wouldn't be a problem unless you had some other downstream router doing NAT.. is that L3 switch you have there doing NAT? If so, why would pfSense have any need for routes..
Your forwards would be to the 192.168.70.2, and then you would need a forward on your downstream NATting router.
As to the blanket any any rule on your WAN.. Why would you think that would work? You have a rule that allows what you're forwarding, it is auto created by the port forward.. Would you think the destination of the traffic would be something other than your WAN address? Why would the forward work then - you have it forward only when it hits your WAN address in your forward, etc.
All that rule did was expose your web GUI, and SSH for example, and most likely unbound, which defaults to listen on all IPs, etc.
-
@mr-crain Just to add, you also put an ANY rule on your LAN right above the default ANY rules. Kinda redundant.
-
@johnpoz
Good point(s). Dang. Well I tried the any any for source and still not working for me :( time to reboot all devices and start over? Let me know if you can think / see anything else please. It has to be something small :(
-
johnpoz (LAYER 8, Global Moderator) - Mar 19, 2023, 12:27 PM (last edited by johnpoz Mar 19, 2023, 12:48 PM)
@mr-crain No reason to reboot anything.. Just troubleshoot the problem..
First things - is traffic even hitting your port? You also have NAT reflection set up? How are you testing this?
Start with the basics - does the port forward work externally? Go to canyouseeme.org and send traffic to either 7780 or 27020, those are TCP forwards.
Sniff on your WAN of pfSense - do you see it hit the pfSense WAN? pfSense can not forward something it never sees.
Ok, if it hits your WAN, sniff on your LAN side interface while sending another test - do you see it sent? If so then it's something else downstream: you're sending to the wrong IP or port, the device is not actually even listening on those ports, or a host firewall on where you're sending it.
If you go through the details in the link, you should be able to figure out your problem in less than 2 minutes..
If that all works - then you can move on to if you have problems with nat reflection.
edit: example.
I created a gateway and route to a downstream network 10.20.30/24
Now created a port forward to an IP on that network.
Notice as well that my firewall rules show that traffic has hit this rule, the 0/420 B, after I sent some traffic.
So sniffing on my WAN and LAN you see pfSense sent it on. And if I look at where that traffic was actually sent in my sniff, while sent to the 10.20.30.42 address, the MAC is to my downstream router I set up.
If this simple test works, and it's still not working - at least you know it's not pfSense, pfSense did exactly what I told it to do.. See traffic on your WAN address to port 27020, send it to 10.20.30.42..
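The troubleshooting sequence johnpoz lays out (does the packet reach WAN, does the forward rule match it, does the translated packet leave the LAN side) can be checked offline against packet-capture text. The following is an added example, not code from the thread or from pfSense: it parses two constructed tcpdump-style captures, evaluates a port-forward rule the way the source-port discussion above describes (a fixed source port matches nothing, `any` matches everything), and looks for the translated packet on the LAN capture. The addresses, ports, capture lines, and the `PortForward` and `diagnose` names are all constructed for illustration; the 198.51.100.10 WAN address is a placeholder.

```python
"""Offline check of the WAN-sniff / LAN-sniff port-forward troubleshooting steps.

Added example; all capture lines, addresses and ports are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the "IP src.port > dst.port:" shape of tcpdump TCP/UDP lines.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Hypothetical model of a pfSense port forward (not the real rule schema)."""
    wan_addr: str
    dst_port: int
    target_addr: str
    target_port: int
    src_port: Optional[int] = None  # None means "any"; a fixed value is the mistake from the thread


def parse_capture(text: str) -> List[Packet]:
    """Parse constructed tcpdump-style lines into Packet records; unparseable lines are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pkts


def rule_matches(rule: PortForward, pkt: Packet) -> bool:
    """Forward applies only to traffic for the WAN address/port, with source port 'any' or equal."""
    if pkt.dst != rule.wan_addr or pkt.dport != rule.dst_port:
        return False
    return rule.src_port is None or pkt.sport == rule.src_port


def translated(rule: PortForward, pkt: Packet) -> Packet:
    """What the packet looks like on the LAN side after destination NAT (source left unchanged)."""
    return Packet(pkt.src, pkt.sport, rule.target_addr, rule.target_port)


def diagnose(rule: PortForward, wan_pkts: List[Packet], lan_pkts: List[Packet]) -> str:
    """Return which step of the WAN-sniff / LAN-sniff procedure fails, or 'forwarded'."""
    arrived = [p for p in wan_pkts if p.dst == rule.wan_addr and p.dport == rule.dst_port]
    if not arrived:
        return "not_reaching_wan"       # pfSense cannot forward what it never sees
    matched = [p for p in arrived if rule_matches(rule, p)]
    if not matched:
        return "rule_not_matched"       # typically a fixed source port instead of 'any'
    lan_seen = set(lan_pkts)
    if not any(translated(rule, p) in lan_seen for p in matched):
        return "not_forwarded"          # routing / downstream NAT problem between pfSense and target
    return "forwarded"                  # pfSense did its job; look at the target host


# Constructed captures: three clients with randomized source ports hitting the WAN address.
WAN_CAPTURE = """
12:27:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.27020: Flags [S], seq 1, win 64240, length 0
12:27:02.000002 IP 203.0.113.6.49876 > 198.51.100.10.27020: Flags [S], seq 1, win 64240, length 0
12:27:03.000003 IP 203.0.113.7.60001 > 198.51.100.10.27020: Flags [S], seq 1, win 64240, length 0
"""
LAN_CAPTURE = """
12:27:01.000101 IP 203.0.113.5.51234 > 10.20.30.42.27020: Flags [S], seq 1, win 64240, length 0
12:27:02.000102 IP 203.0.113.6.49876 > 10.20.30.42.27020: Flags [S], seq 1, win 64240, length 0
12:27:03.000103 IP 203.0.113.7.60001 > 10.20.30.42.27020: Flags [S], seq 1, win 64240, length 0
"""

BROKEN_RULE = PortForward("198.51.100.10", 27020, "10.20.30.42", 27020, src_port=27020)
CORRECT_RULE = PortForward("198.51.100.10", 27020, "10.20.30.42", 27020, src_port=None)


def run_demo() -> dict:
    wan, lan = parse_capture(WAN_CAPTURE), parse_capture(LAN_CAPTURE)
    return {
        "broken": diagnose(BROKEN_RULE, wan, lan),
        "correct": diagnose(CORRECT_RULE, wan, lan),
        "no_wan_traffic": diagnose(CORRECT_RULE, [], lan),
        "no_lan_traffic": diagnose(CORRECT_RULE, wan, []),
    }


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

With the rule's source port pinned to 27020 every client is rejected because none of them happen to use that source port; with source `any` all three match and the LAN capture confirms the translated packets left pfSense. The remaining two cases show the other two stopping points of the procedure: nothing arriving on WAN, and a match that never shows up on the LAN side.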