Netgate Discussion Forum

Is my ISP blocking port forwarding?

  • F
    Fandangos
    last edited by Dec 15, 2024, 12:37 PM

    Coming here after a few days trying to figure out what is going on.

    My setup goes like this:

    Unraid server with 2 NICs: 1 - SMB and private stuff, 2 - Docker containers.
    Docker containers -> managed switch tagged vlan -> pfsense.

    Docker runs on a different network and everything is fine inside my LAN. I can access it from all other vlans.

    Now I'm trying to open port 8096 for Emby on my WAN like this:
    01a1895a-2089-4004-85aa-ff3da411b094-image.png

    9c1b2d00-9a52-44cd-8c28-59aaeb81ecd5-image.png

    The rules on my docker vlan are to block traffic to my other vlans:

    09fff48b-ad35-463c-8b47-00b71fb355f4-image.png

    Even tried to disable the pfblockerng rule and the rule to the pfsense firewall.

    So my guess is... is my ISP blocking it? Tried different ports but all seem to be closed using online tools such as Can You See Me and when trying to access the Emby web UI from my phone's LTE network.

    • V
      viragomann @Fandangos
      last edited by Dec 15, 2024, 12:56 PM

      @Fandangos
      Only rules on the WAN will impact this traffic.

      To investigate, sniff the traffic on the WAN interface using Diagnostics > Packet Capture.
      Enter 8096 into the port filter, start the capture and try to access this port from outside.
      If you can see no packets after stopping the capture, then obviously there is nothing coming through.

      I presume that your WAN has a public IP assigned.

      • F
        Fandangos @viragomann
        last edited by Dec 15, 2024, 1:22 PM

        @viragomann said in Is my ISP blocking port forwarding?:

        Enter 8096 into the port filter,

        Nothing is reaching it but I think there's something wrong here between VLANs.

        I'm trying to figure out how PfSense firewall works.
        If there are no rules on both vlans, this means traffic from both is allowed?
        Pfsense rules are top to bottom, right? Meaning, if it finds a rule that allows traffic it will allow it, right?

        I have a small python server running on port 5000 of one of my vlans.

        and when I try to post to it from another vlan, it's not working either.

        So, if I have VLAN A to access VLAN B, I need to create a firewall allowing what?

        VLAN A subnets -> VLAN B subnets?

        • V
          viragomann @Fandangos
          last edited by Dec 15, 2024, 1:47 PM

          @Fandangos said in Is my ISP blocking port forwarding?:

          If there are no rules on both vlans, this means traffic from both is allowed?

          Correct.

          Pfsense rules are top to bottom, right? Meaning, if it finds a rule that allows traffic it will allow it, right?

          Yes. In each rule you state conditions and an action (pass, block, reject). The conditions are interface (incoming), IP version, protocol, source address and port, destination address and port.
          Rules are probed from the top to the bottom. If a packet matches the stated conditions, the rule is applied and the following rules are ignored.

          So, if I have VLAN A to access VLAN B, I need to create a firewall allowing what?

          VLAN A subnets -> VLAN B subnets?

          Exactly.
          If you want some rules to be applied to multiple interfaces, you can create interface groups and add your rules there. Or you can use floating rules, which allow you to select multiple interfaces. When adding a floating rule, remember to set the direction properly for your needs. The default value is any.

          • F
            Fandangos @viragomann
            last edited by Fandangos Dec 15, 2024, 2:05 PM Dec 15, 2024, 2:04 PM

            @viragomann said in Is my ISP blocking port forwarding?:

            So, if I have VLAN A to access VLAN B, I need to create a firewall allowing what?

            There must be something wrong here.

            LAN25 VLAN (Unraid, running a python webserver, and my PC)
            DOCKER VLAN (Emby)

            Docker firewall rule:
            78802d83-6948-4818-996c-f8d59c65f0b3-image.png

            LAN25 rules:
            ebf8cf49-9218-4224-8aa3-3b4b3525c2fb-image.png

            Basically in this test, LAN25 10.27.33.198 is running a server at port 5000
            DOCKER 18.27.33.191 is trying to post to port 5000.

            I can browse the docker webui from 10.27.33.200, my PC.

            I can attest that the webserver works if I post from the same subnet.

            • V
              viragomann @Fandangos
              last edited by Dec 15, 2024, 2:18 PM

              @Fandangos said in Is my ISP blocking port forwarding?:

              Basically in this test, LAN25 10.27.33.198 is running a server at port 5000
              I can attest that the webserver works if I post from the same subnet.

              Allowing access from inside its own subnet, but blocking access coming from outside, is the default behavior of almost all system firewalls.
              Did you configure it to allow access from outside yet?

              But you can also verify this by sniffing the traffic on pfSense. If you can see request packets on the LAN25, but no response, pfSense passes the traffic, but the server either blocks it or response traffic is routed wrongly.

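The capture check described in the replies above (no packets on WAN means nothing is arriving; requests on LAN25 without responses point at the server or the return route), as an added example that is not part of the original posts. It assumes the capture is available as tcpdump-style text lines; the sample captures, the 203.0.113.10 WAN address and the name `classify_capture` are constructed for illustration, and the reset case goes beyond what the thread covers.

```python
import re

# tcpdump-style line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def classify_capture(text, server_ip, port):
    """Classify one interface's capture for TCP traffic to server_ip:port."""
    syn_in = synack_out = rst_out = False
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        to_server = dst == server_ip and int(dport) == port
        from_server = src == server_ip and int(sport) == port
        if to_server and flags == "S":
            syn_in = True        # connection request seen on this interface
        elif from_server and flags == "S.":
            synack_out = True    # server accepted the connection
        elif from_server and "R" in flags:
            rst_out = True       # server answered with a reset
    if not syn_in:
        return "no-request-seen"           # nothing is reaching this interface
    if synack_out:
        return "answered"
    if rst_out:
        return "refused-by-server"
    # Firewall passed the request; server dropped it or the reply took another path.
    return "request-without-response"

# Constructed sample: WAN capture where no request for port 8096 shows up.
WAN_CAPTURE = """\
14:01:02.000100 IP 198.51.100.7.40112 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""
# Constructed sample: LAN25 capture with retransmitted SYNs and no reply.
LAN25_CAPTURE = """\
14:02:11.120001 IP 18.27.33.191.51514 > 10.27.33.198.5000: Flags [S], seq 100, win 64240, length 0
14:02:12.131007 IP 18.27.33.191.51514 > 10.27.33.198.5000: Flags [S], seq 100, win 64240, length 0
14:02:14.147012 IP 18.27.33.191.51514 > 10.27.33.198.5000: Flags [S], seq 100, win 64240, length 0
"""
# Constructed sample: the same request once the server answers.
OK_CAPTURE = LAN25_CAPTURE + (
    "14:02:14.147400 IP 10.27.33.198.5000 > 18.27.33.191.51514: "
    "Flags [S.], seq 900, ack 101, win 65160, length 0\n"
)
```
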
              • F
                Fandangos @viragomann
                last edited by Dec 15, 2024, 2:25 PM

                @viragomann said in Is my ISP blocking port forwarding?:

                @Fandangos said in Is my ISP blocking port forwarding?:

                Basically in this test, LAN25 10.27.33.198 is running a server at port 5000
                I can attest that the webserver works if I post from the same subnet.

                Allowing access from inside its own subnet, but blocking access coming from outside, is the default behavior of almost all system firewalls.
                Did you configure it to allow access from outside yet?

                But you can also verify this by sniffing the traffic on pfSense. If you can see request packets on the LAN25, but no response, pfSense passes the traffic, but the server either blocks it or response traffic is routed wrongly.

                585eae81-74c1-480a-ab49-f26b7d7a535b-image.png

                This is the traffic I see from within VLANs.
                I'm trying to figure out the vlans problem (probably should open another thread for this) because I believe this might be the root cause of the port forwarding not working.

                As you can see on the traffic capture, one VLAN tries to reach another but all I get is a timeout.

                • F
                  Fandangos @Fandangos
                  last edited by Dec 15, 2024, 2:44 PM

                  Figured it out!!

                  It was a docker container problem. Docker container was set to use ipvlan, so changed to macvlan.

                  And changed host access to custom networks to enabled.

                  Now I can post from my docker container.

                  Ok.. now trying to figure out how to access emby from wan.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.