port forward doesn't work
-
I want to put a simple port forward to access the web interface of my NAS from my public IP.
Here is what I did, which fails. Any clues? I think that's very simple and should have worked, as I have done port forwards many times before with other routers.
Thanks
-
@asiawatcher did you find https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html ?
Does the firewall on the NAS allow connections from outside its subnet?
Btw that second rule on your WAN allows anyone to access pfSense via http or ssh…note the 19 open connections there.
-
@SteveITS I'll go to that link and read it. Yes, the NAS has its firewall disabled; I have it all open for testing.
So what do you think is wrong?
-
@SteveITS I read all that. I also disabled UPnP on my ISP router, nothing.
-
@asiawatcher if there’s an ISP router providing NAT it would need to forward the port to pfSense. (Presumably so since something is being forwarded allowing connections on WAN).
If you are testing from behind pfSense you need NAT reflection enabled for that rule.
https://docs.netgate.com/pfsense/en/latest/nat/reflection.html
-
@SteveITS The ISP router has pfSense on DMZ, so everything is open.
I'm trying from outside via AnyDesk.
-
@asiawatcher step one is to actually validate that traffic gets to the pfSense WAN; pfSense cannot forward what it never sees.
So go to, like, can you see me . org - test to this port 5000 while you sniff (packet capture) on the WAN - do you actually see the traffic get there?
Maybe you're behind a CGNAT? If you do not see the traffic hit your pfSense WAN, then it can never forward it. If you see it, then sniff on your LAN when you do the same test - do you see it send it on to this 192.168.100.200 box?
Possibly this 100.200 box is running its own firewall, or not even listening on that port, or maybe not using pfSense as its gateway. But until you actually validate that pfSense sees the traffic on the WAN... Maybe your rules are wrong, maybe the IP you're forwarding to is wrong, etc. etc.
But the first step is to make sure pfSense actually sees the traffic you're wanting to forward, otherwise you're just going to be spinning your wheels and it would never work.
edit: here you can see my port forward I created, but my box isn't listening on that port - but pfSense would still send it on. Via packet capture on my LAN interface when doing the can you see me test.
So pfSense did what I told it to - but the box didn't answer, so the problem is not with the port forward. You would also notice the counter went up on my firewall rule, showing that it allowed traffic.
But first step in troubleshooting port forwards should be to actually validate traffic gets to pfsense to port forward.
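
The capture-based triage described in the last post, as an added example that is not part of the thread: it reads tcpdump-style text from a WAN capture and a LAN capture and reports at which hop the forward breaks. The sample lines, the 203.0.113.7 and 198.51.100.10 addresses and the result labels are constructed, and the external port is assumed to equal the internal one (5000).

```python
import re

# tcpdump -n text line for an IPv4 TCP packet: "IP src.sport > dst.dport: Flags [..]"
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([A-Za-z.]+)\]")

def packets(capture):
    """Parse capture text into (src, sport, dst, dport, flags) tuples."""
    out = []
    for line in capture.splitlines():
        m = PKT.search(line)
        if m:
            out.append((m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return out

def diagnose(wan_capture, lan_capture, target_ip, port):
    """Return where the port forward breaks, checking in the order the post gives."""
    # Step 1: did the test SYN reach the WAN interface at all?
    if not any(dport == port and fl == "S" for _, _, _, dport, fl in packets(wan_capture)):
        return "UPSTREAM"       # never reached pfSense: ISP router forward, CGNAT
    lan = packets(lan_capture)
    # Step 2: did pfSense send it on to the internal host?
    if not any(dst == target_ip and dport == port and fl == "S" for _, _, dst, dport, fl in lan):
        return "PFSENSE"        # seen on WAN, not forwarded: rule or target IP wrong
    # Step 3: what did the internal host answer?
    replies = [fl for src, sport, _, _, fl in lan if src == target_ip and sport == port]
    if any(fl.startswith("S") for fl in replies):
        return "OK"             # SYN-ACK came back through pfSense
    if any(fl.startswith("R") for fl in replies):
        return "HOST_REFUSED"   # RST: nothing listening on that port
    return "HOST_SILENT"        # host firewall, or host's gateway is not pfSense

# Constructed sample captures (documentation addresses; NAS IP and port from the thread).
WAN_SEEN = "12:00:01.000001 IP 203.0.113.7.51234 > 198.51.100.10.5000: Flags [S], seq 1, win 64240, length 0"
LAN_FWD = "12:00:01.000090 IP 203.0.113.7.51234 > 192.168.100.200.5000: Flags [S], seq 1, win 64240, length 0"
LAN_RST = LAN_FWD + "\n12:00:01.000300 IP 192.168.100.200.5000 > 203.0.113.7.51234: Flags [R.], seq 0, ack 2, win 0, length 0"
LAN_OK = LAN_FWD + "\n12:00:01.000300 IP 192.168.100.200.5000 > 203.0.113.7.51234: Flags [S.], seq 9, ack 2, win 65160, length 0"

if __name__ == "__main__":
    for name, lan in [("no reply", LAN_FWD), ("reset", LAN_RST), ("answered", LAN_OK), ("not forwarded", "")]:
        print(name, "->", diagnose(WAN_SEEN, lan, "192.168.100.200", 5000))
    print("nothing on WAN ->", diagnose("", "", "192.168.100.200", 5000))
```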