Port forward for torrents not working on dual wan setup

  • Ok, I'm trying to set one line on my dual WAN setup to handle all torrent downloads, but for some reason it's not working.

    I've attached a picture of the NAT rule that I've set up for this port.

    What I've done is set up a port forward rule in my ISP's router that forwards port 18739 to 192.168.1.222, which is the IP of my WAN connection. I've then set up a port forward rule in pfSense to the IP of my PC, which is 192.165.0.30, as can be seen in the screenshot attached. Thing is, whenever I try to download a torrent and check that the port is forwarded at this link: http://www.utorrent.com/testport.php?port=18739 it tells me it is not open; it also changes between the different gateway IPs for my 2 connections when I refresh the page, so it isn't being set to only 1 WAN connection either.

    But here's the really weird part. If I download 2 torrents in uTorrent (I tested with some highly seeded Linux torrents) both my WAN connections get maxed out; my download speed is doubled? (The 2nd screenshot I posted is of the RRD graph of the 2 connections.) Even though the port is not forwarded, and I was told torrents don't really work for load balancing because the IP keeps changing?

    Any advice on what settings I need to implement, either on my router's end or in pfSense, would be greatly appreciated. Also a possible explanation as to why load balancing is working for torrent downloads, and why it is not being affected by the port not being forwarded, would also be appreciated.

  • Your BitTorrent client makes connections from inside to outside. You need to catch this traffic with a rule at Firewall>Rules, LAN and assign it to the correct gateway (policy-based routing). The port forward only works for incoming connections, but if your BT client tells the other peers that it can be seen by different IPs (hopping between the IPs) it's normal that traffic runs on both links. See http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing for more details on how it works.



  • How do I set up my router though? Would it work if I turned off the firewall on my routers and opened all ports? Therefore only pfSense would be able to control access to ports?



  • This is getting really frustrating now; opening ports should be the easy part of setting up a load balancer. No matter what I do though, I can't seem to open port 18739.

    I've set up a rule in Firewall>Rules>LAN as per the screenshot below; I've also attached a screenshot of the complete settings I'm implementing. Maybe somebody could point me in the right direction as to what I'm doing wrong.

    When this rule is enabled and I check to see if the port is forwarded at http://www.utorrent.com/testport.php?port=18739, the connection is still jumping between the 2 IPs for my 2 WAN connections, so the policy-based routing of this port isn't going through for some reason.


  • Like in the other thread, some misunderstanding here:

    You need to add a port forward AND a firewall rule. The way you did it here allows the traffic in but doesn't forward it to the client at LAN. I suggest the following procedure:

    • delete the rule you created (we'll let the port forward take care of creating it for us)
    • go to Firewall>NAT, Port Forward and add a rule for this traffic
    • make sure you keep "autocreate firewall rule" checked when saving, and apply the settings
    • make sure (as mentioned in my other thread) to set the pfSense WAN IPs as DMZs in the routers in front of you

    In addition to this you still need to create a rule at LAN, as mentioned in my previous post, to map outgoing traffic for this application to one of your WANs as desired.



  • Ok, I did this. I set up a rule in Firewall>NAT>Port Forward (as per the attached screenshot) and set it to autocreate a Firewall>Rules>WAN rule (see the 2nd attached screenshot).

    This however does not seem to allow traffic for this port to only go through one of my WAN connections, and it still doesn't seem to work when I test the port using http://www.utorrent.com/testport.php?port=18739

    Is there anything else that could be affecting pfSense's ability to forward this port?

    EDIT: Also, how is "ext.: 192.168.1.222" set? I don't see the option for setting it when configuring the rule.


  • @hoba:

    • make sure (as mentioned in my other thread) to set the pfSense WAN IPs as DMZs in the routers in front of you

    In addition to this you still need to create a rule at LAN, as mentioned in my previous post, to map outgoing traffic for this application to one of your WANs as desired.

    You always only read half of what I say and skip some lines. You need to look more closely :o



  • Sorry about that :)

    I just implemented it and it hasn't changed anything; when I run the test page for the port the IP address still changes between the 2 gateways I have load balanced. Also, at my gateway router interface I can't see anything about setting up a DMZ. The only thing I can see that is remotely like it is the option to set up IP Passthrough. Would IP Passthrough work instead?

    I've attached a screenshot of the rule setup in Firewall>Rules>LAN. Could there be a problem with my failover rule, or some other rule that I have in place, that could be negating it? Sai said in the other thread that one of my rules (the second one from the top in the screenshot attached) would "only be used as it is the first and will match anything coming out of the LAN net". Thing is, when I disable that rule I lose access to the internet.




  • Some vendors call this setting differently. Probably IP Passthrough is what your router's vendor calls it. Give it a try.

    The firewall rule doesn't look right. The way you set it up would mean that the opposite end would have to have set up its BT client to use 18739, which probably is not the case. Try to find out if your client uses a fixed range for outgoing connections, or even a fixed port. You can do so by looking at Diagnostics>States in the webGUI of the pfSense to see what connections it opens. Then use that range as source port, not as the destination port (this setting hides below one of the advanced buttons).



  • I'm not really sure how I'm supposed to read Diagnostics>States? What should I be looking for? Accesses on port 18739?

    I've looked up about uTorrent and it says to use any port above 10,000. The port I'm using is the default one that came up when I installed uTorrent.

    I set up that port as the source, but again, it's made no change. Also, what could be the possible reason that uTorrent is still using both WAN and Opt1 connections and not being routed to only the WAN connection?



  • If it uses random ports it's hard to map it to only one WAN. This would then only be possible with layer 7 filtering. Try to use the server source port (the one you forwarded) in your LAN firewall rule. Maybe this will let the other peers know that you only use this IP. If you have a static public IP at WAN, check if Azureus has the option to hardcode the server IP seen from the other peers.



  • It doesn't use a random port. It does however use UPnP port mapping. Could this be affecting something?

    Also, it's still a mystery to me why these settings aren't limiting this port to only one of my WAN connections?



  • Reset states at Diagnostics>States, Reset States. Only new connections will be affected by a changed ruleset.



  • I'm sorry for bumping this thread, but I've really run out of avenues to get this working; I'm still having problems getting the port forwarding for torrents working.

    Below I've attached screenshots of what settings I've implemented.

    I've set up both of my gateway routers as DMZs to the pfSense router (i.e. for WAN the DMZ points to 192.168.0.10, for Opt1 it points to 192.168.1.222) and I've updated to the latest snapshot from here

    I've put a rule in "Firewall: NAT/Port forward" to open port 18739 for 192.165.0.30

    I've put a rule in "Firewall: Rules/LAN" to open port 18739 for 192.165.0.30 at gateway DrayfailoverNet
    I've put a rule in "Firewall: Rules/WAN" to open port 18739 for 192.165.0.30 at gateway DrayfailoverNet

    I've put a rule in "Firewall: Rules/Opt1" to BLOCK port 18739 for 192.165.0.30 at gateway DrayfailoverNet

    What's happening is that when I run the port checker it is STILL switching between the two IPs in my load balanced pool, so the policy-based routing isn't taking effect, and I'm guessing this is the root of my problem. Is there any rule that might be negating my policy-based rules? Or anything that I'm missing here?

    When I'm setting up the DMZ at the router level it should be pointing to the local IP for that connection in pfSense, right?


  • There are several problems with your setup:

    • don't use gateways other than default for firewall rules at WAN and Netopia that belong to port forwards. You have to use "default" as the gateway there.
    • I don't understand the 2 other rules at WAN and Netopia that don't belong to the port forward, but they are definitely wrong ;)
    • at Netopia the block rule is not needed. Everything not explicitly allowed is blocked anyway. The gateway option here is wrong as well.
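    To see the pieces from hoba's step list earlier in the thread and the three problems above side by side, here is an added illustration in pf syntax; it is not from this thread and not pfSense's generated ruleset, and the interface names, router addresses and the example "wrong variants" are assumptions.

    ```pf
    # Added illustration, not pfSense-generated rules. Assumed names:
    # em0 = WAN (192.168.1.222 behind the first router), em1 = OPT1/Netopia,
    # em2 = LAN; router addresses 192.168.1.1 and 192.168.0.1 are assumptions.
    wan_if  = "em0"
    opt1_if = "em1"
    lan_if  = "em2"
    wan_gw  = "192.168.1.1"
    opt1_gw = "192.168.0.1"
    bt_host = "192.165.0.30"      # the torrent PC, as given in the thread
    bt_port = "18739"             # the client's listening port, as in the thread

    # pfSense default: nothing in unless allowed, so a separate BLOCK rule for
    # 18739 on OPT1 (as tried above) adds nothing.
    block in all

    # 1) Port forward (Firewall > NAT > Port Forward): translate inbound WAN
    #    traffic for 18739 to the LAN client. Only peers connecting TO you use it.
    rdr on $wan_if proto { tcp udp } from any to ($wan_if) port $bt_port -> $bt_host

    # 2) The firewall rule the port forward auto-creates. Gateway stays "default":
    #    replies leave on the interface the connection arrived on (reply-to).
    #    Wrong variant flagged above would force a different gateway here:
    #    pass in quick on $wan_if route-to ($opt1_if $opt1_gw) ...   # not this
    pass in quick on $wan_if reply-to ($wan_if $wan_gw) proto { tcp udp } \
        from any to $bt_host port $bt_port keep state

    # 3) Policy routing for the client's OWN outgoing peer connections
    #    (Firewall > Rules > LAN). Match the client's SOURCE port, set under the
    #    advanced options in the GUI, and pin those connections to WAN.
    #    Wrong variant (only matches peers that also listen on 18739):
    #    pass in quick on $lan_if route-to ($wan_if $wan_gw) from $bt_host to any port $bt_port
    pass in quick on $lan_if route-to ($wan_if $wan_gw) proto { tcp udp } \
        from $bt_host port $bt_port to any keep state

    # 4) The catch-all "last rule": everything else from LAN is load balanced
    #    across both links. Without it, only ports allowed above it may go out.
    pass in quick on $lan_if route-to { ($wan_if $wan_gw), ($opt1_if $opt1_gw) } \
        round-robin from $lan_if:network to any keep state
    ```

    Rule order matters because of `quick`: the source-port rule must sit above the catch-all, and after changing any of these, existing states still follow the old decision until they are reset.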


  • @hoba:

    • I don't understand the 2 other rules at WAN and Netopia that don't belong to the port forward, but they are definitely wrong ;)

    The 2 other rules at WAN and Netopia were implemented because I followed the guide here for setting up load balancing; you can see he has implemented these rules on page 12.

    Why would they be wrong?



  • Please rather follow http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing . I have to look a bit closer at the other doc, but it seems to be wrong. If it is, I'll pull it so it doesn't confuse people anymore. It doesn't apply to the latest snapshots anyway, which have a much easier pool creation GUI (selecting interfaces instead of gateway IPs).



  • Ok, tomorrow I'm going to start again and implement the other tutorial. The only reason I went with the one I did was because it was for a static IP setup.

    Can I ask though: the fact that I am able to get access to the internet means that there is a port open in pfSense to do so (say port 80). If I did a test of port 80 (i.e. http://www.utorrent.com/testport.php?port=80) should it not be reading as open?



  • The default config is to let anything out but nothing in. The apps test incoming connections, so this won't work without port forwards and appropriate firewall rules.



  • Ok, I think I'm nearly there with this.

    I removed the rules from the tutorial I was following and went with only the settings from here

    I've attached a screenshot below of what I've set up. Can you explain to me what the last rule in this screenshot does? It seems to always be set up in all of the tutorials I've read, but there is no explanation for it.

    Is this rule used to set UDP/TCP ports for all OUTGOING traffic? I've found that when I disable it, the uTorrent port checker says the port is now open, but when I try to download a torrent it won't connect… until I re-enable the last rule. Is there any explanation for this?




  • If you don't enable the last rule you only allow the ports and protocols specified above, which means only a few ports are open to go out (http, rdp, https, common-alias and protocol icmp).



  • Ok, I think I'm nearly there. Torrents are working, so are VNC, VPN in and out of the office, FTP and HTTPS.

    I have one last thing that's not; it's not a big thing but I would like to resolve it. The failover for my Opt1 connection is not working. When I unplug my Opt1 connection I can still access the internet on my WAN connection, but when I unplug my WAN connection I lose all internet access… except for doing Google searches, which is weird. When I unplug the WAN connection I can go to www.google.com and do a search and it will give me a list of results; I can't however open any of the result pages. I can't do a tracert on any sites either.

    I have a feeling this has something to do with my DNS. Is there any way of setting the DNS for Opt1? Under "Status>Interfaces" the Opt1 connection reads as "up", but I don't see any DNS addresses associated with it?


  • I've written up a new part to the dual WAN wiki http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing#Supporting_bittorrents
    which describes my setup for BitTorrent, which seems to be working well.

    Appreciate comments and feedback on this.. :)



  • @Pootle:

    I've written up a new part to the dual WAN wiki http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing#Supporting_bittorrents
    which describes my setup for BitTorrent, which seems to be working well.

    Appreciate comments and feedback on this.. :)

    hoba pets pootle, a user who gives something back :D

