Netgate Discussion Forum
    Port Forwarding Help Needed

    Firewalling
    • Mr-Crain

      Hi,

      I'm new to pfSense port forwarding and have been banging my head the last few days over the following problem. I HAVE looked at all the documentation from Netgate before coming here; please don't think this was my first stop.

      I'm simply trying to port forward 3 ports: (1) UDP, (2) TCP/UDP. I took snippets of the relevant configuration summaries and a chopped-down little cutsheet of my network. Pretty please take a look and give me more things to try. Images follow.

      Thanks to each and every one of you in advance for any input.

      [Attachments: Port Forward Summary Statements.png, Network Summary .png, Firewall WAN Rules.png, Firewall LAN Rules.png, Detailed Port Foward Statement.png, Advanced Firewall Settings.png]

      • johnpoz (LAYER 8 Global Moderator) @Mr-Crain, last edited by johnpoz

        @mr-crain And clearly this is not correct:

        [image: wrong.jpg]

        The source port of traffic isn't going to be the same as the port they are trying to connect to. There are only a very few select applications that do this, so this being incorrect pretty much guarantees it. The source port should be any.

        And that any rule on your WAN is a very bad idea.

        https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html

        They hide the advanced feature of a port forward for a reason.

        "Unless the service absolutely requires a specific source port, the Source Port Range must be left as any since nearly all clients will use randomized source ports."

        [image: soureport.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Mr-Crain @johnpoz

          @johnpoz

          Yeah, the blanket any was just a last-ditch kinda thing; it's off now.
          Not to sound like an ass, but in this instance (a game server) I believe their port will be hard defined? I know from always running Minecraft and Ark servers on run-of-the-mill all-in-one routers that I would always need an implicit external and internal port?

          In all honesty, I am most unclear about whether the port forwarding will work to a LAN that isn't directly attached / not THE pfSense-defined LAN. I'm thinking tomorrow I'm going to hang the server off THAT LAN and see if there are differences.

          • johnpoz (LAYER 8 Global Moderator) @Mr-Crain, last edited by johnpoz

            @mr-crain said in Port Forwarding Help Needed: "believe their port will be hard defined"

            No, it's not. It's just not; I would be willing to bet my 401k on that ;) And even if it was, guess what, any would still allow it.

            The only reason you would put in a source port, even if it wasn't the same as the destination, is if you wanted to limit what was forwarded: you would forward traffic that had source port X, but not if it had source port Y. Which, in the case of trying to get to some game server, would be for what possible reason?

            As to where you're forwarding being downstream: that wouldn't be a problem unless you had some other downstream router doing NAT. Is the L3 switch you have there doing NAT? If so, why would pfSense have any need for routes?

            Your forwards would be to 192.168.70.2, and then you would need a forward on your downstream NATting router.

            As to the blanket any any rule on your WAN: why would you think that would work? You have a rule that allows what you're forwarding; it is auto-created by the port forward. Would you think the destination of the traffic would be something other than your WAN address? Why would the forward work then? You have it forward only when it hits your WAN address in your forward, etc.

            All that rule did was expose your web GUI and SSH, for example, and most likely unbound, which defaults to listening on all IPs, etc.


            • Jarhead @Mr-Crain
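The two posts above make one point twice: a port forward's Source Port Range narrows the match, so setting it to the destination port rejects every real client (which picks a randomized ephemeral source port), while leaving it at any also admits the rare client that does use a fixed source port. The following is an added example written for this thread, not pfSense or pf code; it is a small model of the rule match. The WAN address 203.0.113.10 and client address 198.51.100.7 are constructed; the target 192.168.70.2 and ports 27020 and 7780 come from the thread.

```python
"""Model of how a pfSense port forward matches an incoming packet, and why
the Source Port Range must stay at 'any'.

Added example for this thread, not pfSense/pf code. WAN 203.0.113.10 and
client 198.51.100.7 are constructed; 192.168.70.2, 27020 and 7780 are from
the thread.
"""
from dataclasses import dataclass
from typing import Optional
import random

EPHEMERAL_RANGE = (49152, 65535)  # IANA dynamic range clients draw source ports from


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """One NAT > Port Forward entry as entered in the pfSense GUI."""
    protos: frozenset             # {"tcp"}, {"udp"} or {"tcp", "udp"}
    wan_address: str              # Destination: WAN address
    dst_port: int                 # Destination port range (single port here)
    target_ip: str                # Redirect target IP
    target_port: int              # Redirect target port
    src_port: Optional[int] = None  # Advanced Source Port Range; None means 'any'

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in self.protos:
            return False
        if pkt.dst_ip != self.wan_address or pkt.dst_port != self.dst_port:
            return False
        # The Source Port Range only ever narrows the match; 'any' accepts all.
        return self.src_port is None or pkt.src_port == self.src_port

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten (forwarded) packet if the rule matches, else None."""
        if not self.matches(pkt):
            return None
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                      self.target_ip, self.target_port)


def client_connections(dst_ip, dst_port, count, seed=1, proto="tcp"):
    """Simulate clients connecting; each picks a random ephemeral source port."""
    rng = random.Random(seed)
    return [Packet(proto, "198.51.100.7", rng.randint(*EPHEMERAL_RANGE), dst_ip, dst_port)
            for _ in range(count)]


def forward_hit_rate(rule: PortForward, packets) -> float:
    """Fraction of the packets the rule forwards to its target."""
    hits = sum(1 for p in packets if rule.apply(p) is not None)
    return hits / len(packets)


WAN = "203.0.113.10"
# Correct entry: Source Port Range left at the default 'any'.
GOOD_RULE = PortForward(frozenset({"tcp", "udp"}), WAN, 27020, "192.168.70.2", 27020)
# The mistake in the thread: Source Port Range set to the destination port.
BAD_RULE = PortForward(frozenset({"tcp", "udp"}), WAN, 27020, "192.168.70.2", 27020,
                       src_port=27020)

if __name__ == "__main__":
    pkts = client_connections(WAN, 27020, 1000)
    print("source port any  :", forward_hit_rate(GOOD_RULE, pkts))   # 1.0
    print("source port 27020:", forward_hit_rate(BAD_RULE, pkts))    # 0.0
```

Because the ephemeral range does not contain 27020, the mis-specified rule forwards nothing at all, while the any rule forwards every connection, including one from a client that happened to use source port 27020.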

              @mr-crain Just to add, you also put an ANY rule on your LAN right above the default ANY rules. Kinda redundant.

              • Mr-Crain @johnpoz

                @johnpoz
                Good point(s). Dang. Well, I tried the any any for source and it's still not working for me :( Time to reboot all devices and start over? Let me know if you can think of / see anything else, please. It has to be something small :(

                • johnpoz (LAYER 8 Global Moderator) @Mr-Crain, last edited by johnpoz

                  @mr-crain No reason to reboot anything. Just troubleshoot the problem.

                  First things: is traffic even hitting your port? You also have NAT reflection set up? How are you testing this?

                  Start with the basics: does the port forward work externally? Go to canyouseeme.org and send traffic to either 7780 or 27020; those are TCP forwards.

                  Sniff on the WAN of pfSense: do you see it hit the pfSense WAN? pfSense cannot forward something it never sees.

                  OK, if it hits your WAN, sniff on your LAN-side interface while sending another test: do you see it send it? If so, then it's something else downstream: you're sending to the wrong IP or port, the device is not actually even listening on those ports, a host firewall on where you're sending it.

                  If you go through the details in the link, you should be able to figure out your problem in less than 2 minutes.

                  If that all works, then you can move on to whether you have problems with NAT reflection.

                  Edit: example.

                  I created a gateway and route to a downstream network, 10.20.30/24.

                  [image: route.jpg]

                  Now I created a port forward to an IP on that network.

                  [image: portforward.jpg]

                  Notice as well that my firewall rules show that traffic has hit this rule (the 0/420 B) after I sent some traffic.

                  So sniffing on my WAN and LAN, you see pfSense sent it on. And if I look at where that traffic was actually sent in my sniff, while it was sent to the 10.20.30.42 address, the MAC is that of the downstream router I set up.

                  [image: traffic.jpg]

                  If this simple test works and it's still not working, at least you know it's not pfSense; pfSense did exactly what I told it to do: see traffic on your WAN address to port 27020, send it to 10.20.30.42.


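The post above is a three-step triage: does the test packet reach the WAN interface, does pfSense send it out the LAN side, and is the frame addressed to the right next hop (the downstream router's MAC, when the target sits behind it). The following is an added example written for this thread, not a Netgate tool: it reads two captures in the text format of `tcpdump -n -e` (which prints the link-level header) and returns which step failed. The capture lines are constructed, the MAC addresses in them are made up, and the interface names igb0/igb1 in the comment are assumed; port 27020 and the target 192.168.70.2 come from the thread.

```python
"""Triage the WAN and LAN captures from the troubleshooting steps above.

Added example for this thread, not a Netgate or pfSense tool. The capture
lines are constructed in `tcpdump -n -e` format with made-up MAC addresses;
interface names are assumed. Commands whose output this parses:
    tcpdump -n -e -i igb0 tcp port 27020     # WAN side
    tcpdump -n -e -i igb1 tcp port 27020     # LAN side
"""
import re

# One `tcpdump -n -e` line: timestamp, src MAC > dst MAC, ..., src IP.port > dst IP.port:
LINE_RE = re.compile(
    r"^\S+\s+(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse(lines):
    """Return one dict per packet line; banner and non-matching lines are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


def triage(wan_lines, lan_lines, wan_ip, dst_port, target_ip, downstream_mac):
    """Walk the checks in the order given in the post and name the first failing step."""
    wan_hits = [p for p in parse(wan_lines)
                if p["dip"] == wan_ip and p["dport"] == dst_port]
    if not wan_hits:
        return "no-wan-hit"      # pfSense never saw it: upstream, ISP or test-method problem
    lan_out = [p for p in parse(lan_lines)
               if p["dip"] == target_ip and p["dport"] == dst_port]
    if not lan_out:
        return "not-forwarded"   # reached WAN but was not sent on: port forward / rule problem
    if any(p["dmac"].lower() != downstream_mac.lower() for p in lan_out):
        return "wrong-next-hop"  # sent on, but not toward the downstream router
    return "pfsense-ok"          # pfSense did its part: look at downstream NAT, host firewall, service


# Constructed captures (documentation MAC prefix 00:00:5e:00:53 and TEST-NET addresses).
WAN_IP = "203.0.113.10"
TARGET_IP = "192.168.70.2"
DOWNSTREAM_MAC = "00:00:5e:00:53:04"
WAN_CAPTURE = [
    "listening on igb0, link-type EN10MB (Ethernet), snapshot length 262144 bytes",
    "12:00:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.7.51234 > 203.0.113.10.27020: Flags [S], seq 1, win 64240, length 0",
]
LAN_CAPTURE = [
    "listening on igb1, link-type EN10MB (Ethernet), snapshot length 262144 bytes",
    "12:00:01.000120 00:00:5e:00:53:03 > 00:00:5e:00:53:04, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.7.51234 > 192.168.70.2.27020: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    print(triage(WAN_CAPTURE, LAN_CAPTURE, WAN_IP, 27020, TARGET_IP, DOWNSTREAM_MAC))
```

The verdict "pfsense-ok" is the point of the post: once both captures show the packet rewritten to the target and framed to the downstream router, the remaining suspects are the downstream NAT router, the host firewall, or the service not listening.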
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.