Unable to open ports

  • Hi all,

    Im confused right now! I have a routed subnet to my PFsense box. Where the Wan of the modem = 66.x.x.105. My Pfsense WAN = 66.x.x.109. When connected to the Lan of my pfsense i can access internet all fine.

    The problem is i wanna open only the ports 80 and 443 at my Wan side of my PFsense. When i set a rule at wan to allow ANY. I test the port 80 on the site t1shopper.com. Port 80 is then open on 66.x.x.109. All the other ports are still blocked. When i set the allow any rule the block all the ports are still blocked inculed the port 80..

    How can it be i can not open al the ports?


  • open all ports to where?

    pfsense has only port 80 and 443 open if you have enabled https on gui.

    It's not recommended in any way to leave pfsense gui open to everyone.

    If you want to redirect ports to internal servers, then go to firewall -> nat -> port forwarding.

  • Oke thanks i whas already looking into the port forwarding!

    But now i have put a rule on WAN to allow ANY source, any destionation, any protocol. But i cant ping to my WAN ip..
    Even when i set a rule for ICMP i still cant ping the .109 addres..

  • Check wan interface netmask and subnet, also check default gateway, bogon network option on wan and gateway rule you applied on.

  • Mask for WAN /29 wich is correct. Gateway for WAN rule is set to x.x.x.105 (Modem LAN). WAN interface aslo gateway x.x.x.105..

  • I can PING again. Im now strugling with the NAT rules. I have set a rule to allow port 80 to my laptop.
    If i check with canyouseeme.org it still says the port is blocked. Here is the nat config:

  • Change pfsense gui port to other then 80 to prevent conflicts.

    Are you using 1.2.3 pfsense version?

  • Changed it to port 28 in this case. Didnt work. Yes im using 1.2.3!

    I have the NAT config and the rule.

    The pfsense comes after my speedtouch modem. When i ping 77.x.x.105 (Modem WAN) Port 80 is also blocked. Do i maybe need to set port 80 open in the modem as wel?..

  • But when is set a rule to allow any on the wan interface i can see that port 80 is open! So that cant be the problem.
    When i add the nat config i have no rules on the wan interface. I setup my NAT has like the pic above. It auto adds the rule.

    So when i delete the any rule on wan and at the NAT rule it is blocked. Must be something with my config i think..

  • Configure pfsense as a dmz server on your modem, this way all ports will be forwarded to pfsense

  • Hmm oke. But i have an Server 2003 thats connected to the Routed subnet of my Modem.

    Funny thing is when i set 2 rules at my WAN. 1 for allow everyting and one for my NAT rule to allow only port 80 then i still cant acces port 80. When i delete only the port 80 rule on my WAN side of pfsense. Then i can acces port 80 again. Seems like the Nat rule overrules the allow any rule? And that that rule with my NAT config for port 80 isnt working correctly…

    Thanks for helping!

  • Got it!!!

    Well. appearantly this is the problem:

    External port range. Only from is configured. this way it does NOT work only when you also (in this case https) set to options to HTTPS for "from" and "to" the forwarding works.

  • LAYER 8 Global Moderator

    When you click the from, it auto fills the to with the same port.  Why would you of changed the to to other?  Your not forwarding a RANGE, your forwarding a PORT.  So if you changed to to other and then did not put in the other port – yeah it would not really be a valid forward, it would be from 443 to ? (what port)..

    So yeah it would make sense that would be broken

  • Thing whas. When i clicked From to lets say HTTP then it auto fills indeed. But when i edit the rule it whas on other again. Changed it back to HTTP at the "To". And it worked.

    But now i have a problem the other way around  ???
    I cant block any ports on my LAN side. I put this rule on the LAN side:

    When i do a port scan with Advanced Port Scanner i see that port 80, 53 and 21 are still open. And netsend results are this:

  • What rules you have applied before this rule?

  • LAYER 8 Global Moderator

    Well I can tell you I have edit many a rule, and have never seen it flip the to other??  So not sure what your talking about there.

    As to not being able to block traffic from your lan??  Did you clear you states on pfsense after you made this rule - which is on the lan section of the firewall?

    At a loss to what showing netstat -an from a client has to do with what ports would be open on pfsense or what ports it would allow through its firewall?

    Rules would be processed in order, so if you have a rule above this rule that says allow any, which is the default rules created for the lan.. Then no this rule would never be hit.

    Post up a screenshot of your lan section showing this rule, and then clear your states, etc..  Keep in mind you don't want to lock yourself out of accessing the pfsense gui or ssh, etc.  See the top rule on my lan side.

  • Pass. Allow any! For the lan side. When i do that i have internet. When i block i have no connection and cant ping like it supose to work. But when i check the ports they apear open!..

  • LAYER 8 Global Moderator

    What do you mean when you check the ports??  What you showed was a "netstat -an" from some windows client - not from pfsense..

    What would a firewall rule on pfsense have to do with ports listening on a windows client?

    "When i block i have no connection and cant ping like it supose to work."

    What do you think should happen when you block ALL protocols??  What do you think should ping??

  • @Dennisunified:

    But when i check the ports they apear open!..

    In netstat in Windows like you showed above? Yeah, they sure will be, no network firewall is going to your Windows system and turn off its services. netstat just shows what your Windows host is listening on, your firewall has 0 control over that.

  • Thanks for the reactions. Indeed i discoverd that netstat does not show ports open on my PFsense… I do have managed to open ports with NAT now.

    The problem whas that i had to edit the NAT rule and reconfigure the "To" from "other" back to the port i wanted to open! After i edit a rule only then does the rule work!..

  • LAYER 8 Global Moderator

    Are you saying that when you create the nat to forward for a specific service, say ftp for example that the rule being generated is wrong?  Ie its saying other or flipping the to other even though from is set to ftp??

    I find this highly unlikely to be honest – I have created many a port forward, and just recently played with ftp for another thread showing how to create the forwards.  Just added a few for my directv boxes, etc.

    And have never seen this sort of action.

    Please post up some images showing what is happening that you have to edit rules to make them work vs them working upon creation.

  • I will this week!

Log in to reply