Netgate Discussion Forum
    Ports being blocked even though they are open

    Firewalling | 13 Posts, 3 Posters, 4.6k Views
      Visseroth

      I know this has been written in this forum before about ports being blocked, and it has been said it is fine, they aren't actually being blocked, but I beg to differ. I just set up this router to replace a POS WatchGuard and I am unable to get VPN traffic to pass to the local server as it should. I have rules open to allow all of these to pass, but when I check the logs the firewall indicates that they are being blocked. I have managed to get it to pass the traffic like it should by modifying the rules and telling it to pass traffic from any interface, but it seemed only temporary. Now it doesn't want to pass any traffic coming in from the outside world.

      I have disabled Snort, though it logged the blocks and other things, but nothing seems to help.

      Does anyone have any ideas because I'm fresh out.

      My setup is a dual T1 going to a Cisco SR1004 which is sharing the internet via a switch to 3 other areas in the building. pfSense is plugged into that switch with a static IP and is pulling internet as it should, but is blocking ports.

        cmb

        What do your firewall logs look like exactly? And rules, NAT.

          Visseroth

          The logs stated that the source IP address was trying to access the destination address via port 500 or 1723 or 443 via WAN. The destination address being the internal IP address that the port is supposed to be directed to.

          Rules and NAT state that anything on the WAN via the interface address requesting that port is supposed to be forwarded to the server on the network.

          If you need I can take some screen shots.

            Guest

            If you are positive that your rules are correct, make sure you have expired any/all states pertaining to those connections.

              cmb

              That's not exact enough. Which TCP flags? What exactly are your rules and NAT? Screenshots are best.

                Visseroth

                OK, so here are those screenshots. Sorry it took so long to get back, but I haven't had time to bring the router back online and pull the screenshots that you guys need.

                BTW, thank you so very much for helping out, I appreciate it. I'd much rather use pfSense than the stupid WatchGuard pile that we currently have here.

                Anyhow, so after bringing it back online I tried to remote in using one of the client's machines that had been having problems, and it won't connect to the VPN now with the pfSense box in place, but it will when the WatchGuard is in place.

                Attachments: Logs.jpg, nat.jpg, Rules.jpg, packages.jpg

                  Visseroth

                  And to throw in another twist, it seems pfSense doesn't like her external IP address. If I try and remote in using a different provider than either the remote location or the client, I can connect without a hitch. If I try and connect from the client's machine I get blocked.

                  Any thoughts?

                    Visseroth

                    Well, somehow I screwed up the first box that I set up by checking something that I shouldn't have, so I replaced it with a PowerEdge 2850 and it is VERY snappy, but the problem persists and the only thing I have configured is traffic shaping. I have installed no packages thus far.

                      cmb

                      Config is fine. I suspect you don't have functional DNS on the firewall itself, which is causing its bogon updates to fail, and that 50.x IP is in an outdated copy of bogons you have on there as a result.

                      Check your DNS under System>General Setup, and ensure you can ping files.pfsense.org from Diag>Ping. Once that works, run:
                      /etc/rc.update_bogons.sh now

                      and check your system log to ensure that was successful.

                        Visseroth
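                      To make cmb's diagnosis concrete, here is an added POSIX shell example (not code from the thread or from pfSense) that tests whether a WAN source address falls inside a stale bogon table. The table contents are constructed for illustration and include 50.0.0.0/8, the prefix the thread's 50.x client address would hit; the function names `ip2int`, `in_cidr` and `bogon_match` are this example's own.

```shell
#!/bin/sh
# Constructed sample of a stale bogon table (one prefix per line), the form a
# bogon block list takes. 50.0.0.0/8 is no longer unallocated, so a table that
# still lists it causes the WAN "block bogon networks" rule to drop legitimate
# 50.x sources, which matches the symptom in this thread.
STALE_BOGONS="0.0.0.0/8
10.0.0.0/8
50.0.0.0/8
127.0.0.0/8
192.0.2.0/24
224.0.0.0/3"

# Dotted-quad IPv4 address to a 32-bit unsigned integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True (exit 0) when IPv4 address $1 lies inside CIDR prefix $2.
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( 4294967296 - (1 << (32 - bits)) ))   # 2^32 - 2^(32-bits)
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the first prefix in STALE_BOGONS covering $1 (or "none"); exit 0 on a hit.
bogon_match() {
  for cidr in $STALE_BOGONS; do
    if in_cidr "$1" "$cidr"; then
      echo "$cidr"
      return 0
    fi
  done
  echo none
  return 1
}

# Constructed WAN sources: the first is dropped by the stale table, the second passes.
for src in 50.10.20.30 8.8.8.8; do
  printf '%s -> %s\n' "$src" "$(bogon_match "$src")"
done
```

Run the same check against the firewall's current bogon file after a forced update to confirm the client's prefix is no longer listed.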

                        OK, I ran the update, though I got a strange message. I don't really understand what it means, but here is the message.

                        May 6 21:01:47 root: rc.update_bogons.sh is sleeping for 44075
                        May 6 21:01:47 root: rc.update_bogons.sh is starting up.

                        I also ran the diagnostics and pinged files.pfsense.org and it replied without a hitch.

                        Any thoughts?

                          Visseroth

                          Well I checked on it this morning and all I saw in the logs was

                          May 7 14:13:11 kernel: arp: 192.168.0.254 moved from 00:18:8b:40:33:cc to 00:18:8b:40:33:ca on em0
                          May 7 14:13:11 kernel: arp: 192.168.0.254 moved from 00:18:8b:40:33:ca to 00:18:8b:40:33:cc on em0

                          Nothing about bogons updating, and I just received an email from the client this morning that she is unable to access the network because her VPN connection is being blocked.

                          Is there anything else I can do to make this work?

                            cmb

                            You didn't specify the "now" as shown in my post if you got a sleep there, which means you won't see it update for several hours; 44075 seconds is the random sleep yours picked.

                              Visseroth

                              Oh, crap, didn't see that. OK, will try it again and watch the logs and report back. Thanks, I'll be back!  :P

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.