Open ports for all PCs in LAN



  • Hi, I have a problem that I cannot fix (I have always used a firewall to close the ports and now I cannot open them) …
    The service works with Echolink using these ports:

    EchoLink requires that your router or firewall allow inbound and outbound UDP to ports 5198 and 5199, and outbound TCP to port 5200.
    If you are using a home-network router, you will also need to configure the router to "forward" UDP ports 5198 and 5199 to the PC on which EchoLink is running.

    This can be summarized as:

    Allow UDP destination ports 5198-5199 >> Between Internet and PC Both directions
    Allow TCP (source port any, destination port 5200) from PC to the Internet

    Port 5200 is not a problem because I did not set any outbound restrictions on ports, but ports 5198-5199 do not work if I don't set up NAT for one PC.
    I want to open them for at least 5 PCs in the LAN while maintaining the same configuration, so no NAT.

    Before, I used a 3Com firewall whose "Special Application" feature allowed opening TCP or UDP ports, or both, for all PCs on the LAN without having to individually configure NAT; with this I could set the public ports and the public protocol.

    I ask whether it is possible to set up pfSense in this way, but I do not know how to do it.

    Tnx



  • Is this software opening access from inside or is it also contacted from outside?


  • Rebel Alliance Global Moderator

    "I want to open them for at least 5 PCs in the LAN while maintaining the same configuration, so no NAT."

    "Before, I used a 3Com firewall whose "Special Application" feature allowed opening TCP or UDP ports, or both, for all PCs on the LAN without having to individually configure NAT; with this I could set the public ports and the public protocol."

    I think we are missing some information here, because what you're saying is not really possible with NAPT, i.e. you have 1 public IP address and are using the ports the traffic is moving on to identify where traffic goes, so that you can have multiple machines behind 1 public IP.

    So what you're saying is that this other firewall allowed sending unsolicited traffic to, say, port 5198 on 5 different private IPs at the same time? Never seen such a feature; for unsolicited traffic that hits your public IP, you can send it to 1 specific private IP, not multiple.

    Now if you're talking about multiple machines on your private side all talking to the same port on some internet IP, then sure, that is not a problem at all. You can have, say, 100 machines behind your NAT router all hit pfsense.org on port 80. Even if there are duplicate source ports being used by your 100 machines, the router will change the port it uses on its public side to be something unique, so that when it sees the return traffic to that port on its public IP it will know which client on the private side to send the traffic to.

    For what you're asking, with unsolicited inbound traffic from the internet, you would normally need more than 1 public IP, and you can set up 1:1 NAT so that if that port is hit on IP1 it goes to client X, and when it is hit on IP2 it goes to client Y behind the router.



  • Many thanks to all in advance for your interest in this.
    To be clearer, I am posting part of the manual of this router/firewall, which is the 3Com Wireless 11n ADSL Firewall Router; maybe it was possible because it was also a router.

    In this firewall there is a Special Applications Menu:

    Special Applications (port triggering) lets you choose specific ports to be opened for specific applications to work properly with the Network Address Translation (NAT) feature of the Router.
    A list of popular applications has been included to choose from. Select the application from the Popular Applications drop-down menu. Then select the row that you want to copy the settings to from the Copy To drop-down menu, and click Copy To. The settings will be transferred to the row that you specified. Click Apply to save the setting for that application.
    If your application is not listed, you will need to check with the application vendor to determine which ports need to be configured. You can manually enter the port information into the Router.
    To manually enter the port information:

    1. Specify the trigger port (the one used by the application when it is initialized) in the Trigger Port column, and specify whether the trigger is TCP or UDP.
    2. Specify the Public Ports used by the application that will need to be opened up in the firewall for the application to work properly. Also specify whether these ports are TCP or UDP. Note that the range of the trigger port is from 1 to 65535. You can enter the port number as one single port or as a range; use commas to separate different entries.
    3. Check the Enabled checkbox, then click Apply.

    Previously I used this firewall, and this feature was very convenient.
    I had one WAN IP from the provider, dynamically assigned, both now and before.
    With this function it was possible to open all the necessary ports to any PC, also for other applications such as this one in particular (EchoLink).
    Attached is a picture of this feature.



  • Rebel Alliance Global Moderator

    Trigger port forwarding is not really what you stated. What you stated was sending unsolicited traffic to more than 1 PC behind your router at the same time.

    That is not what port triggering is; a trigger would allow you to take turns. It can be used for allowing ports inbound when a box is talking outbound on different ports or to different destinations, etc. But it does not allow that traffic at the same time.

    I don't believe there is anything in the GUI for this, but I do believe you can do it with anchors and by creating rules for pf directly. I personally have never come across a need for port triggering in my time in IT, 25+ years.

    I think there were some bounties for adding this to the GUI, but I don't think it ever went anywhere.
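The three points the moderator makes in this thread (many LAN hosts can share one public IP because colliding source ports are rewritten; unsolicited inbound traffic to one public port can only be forwarded to one private host; a port trigger lets hosts take turns rather than receive at the same time) can be played out in a small simulation. The block below is an added example, not code from the thread, from pfSense or from pf. Every address and port is a constructed sample value, and the trigger definition used for EchoLink (outbound TCP 5200 opening inbound UDP 5198-5199) is an assumption made only for the demonstration.

```python
"""Toy model of NAPT behind one public IP.

Added example, not from the forum thread, pfSense or pf. It plays out:
  1. many LAN hosts talking out: colliding source ports get unique public ports,
  2. a static inbound port forward: exactly one LAN host per public port,
  3. a port trigger: hosts take turns, the last host to trigger owns the hole.
All addresses and ports are constructed sample values.
"""
from __future__ import annotations
from typing import Optional

PUBLIC_IP = "203.0.113.10"          # constructed public IP (documentation range)
ECHOLINK_UDP_PORTS = (5198, 5199)   # inbound UDP ports named in the thread
ECHOLINK_TCP_PORT = 5200            # outbound TCP port named in the thread
Endpoint = tuple[str, int]


class Napt:
    def __init__(self, public_ip: str, first_dynamic_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_dynamic_port
        self.out_table: dict[tuple, int] = {}               # 5-tuple -> public port
        self.ret_table: dict[Endpoint, Endpoint] = {}       # (proto, pub port) -> LAN (ip, port)
        self.forwards: dict[Endpoint, str] = {}             # (proto, pub port) -> LAN ip
        self.triggers: dict[Endpoint, list[Endpoint]] = {}  # (proto, dst port) -> ports opened
        self.trigger_open: dict[Endpoint, str] = {}         # (proto, pub port) -> LAN ip

    def add_forward(self, proto: str, public_port: int, private_ip: str) -> None:
        """Static port forward: one public port can point at only one LAN host."""
        key = (proto, public_port)
        if key in self.forwards and self.forwards[key] != private_ip:
            raise ValueError(f"{proto}/{public_port} already forwarded to {self.forwards[key]}")
        self.forwards[key] = private_ip

    def add_trigger(self, proto: str, trigger_port: int, opened: list[Endpoint]) -> None:
        """Port trigger: outbound traffic to trigger_port opens `opened` for that host."""
        self.triggers[(proto, trigger_port)] = list(opened)

    def _public_port(self, proto: str, wanted: int) -> int:
        # Keep the client's source port while it is free on the public side,
        # otherwise hand out an unused one (pfSense's default outbound NAT
        # rewrites every source port; keeping it free-when-possible is enough here).
        if (proto, wanted) not in self.ret_table:
            return wanted
        while (proto, self.next_port) in self.ret_table:
            self.next_port += 1
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Endpoint:
        """A LAN host sends a packet; returns the public (ip, port) it leaves with."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            pub = self._public_port(proto, src_port)
            self.out_table[key] = pub
            self.ret_table[(proto, pub)] = (src_ip, src_port)
        for opened in self.triggers.get((proto, dst_port), []):
            self.trigger_open[opened] = src_ip  # last host to trigger owns the hole
        return self.public_ip, self.out_table[key]

    def inbound(self, proto: str, dst_port: int) -> Optional[Endpoint]:
        """A packet hits the public IP; returns the LAN endpoint it reaches, or None."""
        key = (proto, dst_port)
        if key in self.ret_table:      # reply to something a LAN host sent
            return self.ret_table[key]
        if key in self.forwards:       # static forward: the single configured host
            return self.forwards[key], dst_port
        if key in self.trigger_open:   # trigger hole: whoever triggered last
            return self.trigger_open[key], dst_port
        return None                    # unsolicited and unmapped: dropped


def outbound_scenario() -> dict:
    """Three LAN hosts, same source port, same server: each gets a unique public port."""
    nat = Napt(PUBLIC_IP)
    hosts = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    pub_ports = [nat.outbound("tcp", h, 6000, "198.51.100.7", 80)[1] for h in hosts]
    replies = [nat.inbound("tcp", p)[0] for p in pub_ports]
    return {"public_ports": pub_ports, "replies_to": replies}


def forward_scenario() -> dict:
    """Static forward of the EchoLink UDP ports: one LAN host; a second host is refused."""
    nat = Napt(PUBLIC_IP)
    for port in ECHOLINK_UDP_PORTS:
        nat.add_forward("udp", port, "192.168.1.50")
    try:
        nat.add_forward("udp", 5198, "192.168.1.51")
        second_accepted = True
    except ValueError:
        second_accepted = False
    return {"second_host_accepted": second_accepted,
            "udp_5198_goes_to": nat.inbound("udp", 5198)[0],
            "udp_5200_goes_to": nat.inbound("udp", 5200)}


def trigger_scenario() -> dict:
    """Port trigger (assumed: outbound TCP 5200 opens UDP 5198-5199): hosts take turns."""
    nat = Napt(PUBLIC_IP)
    nat.add_trigger("tcp", ECHOLINK_TCP_PORT, [("udp", p) for p in ECHOLINK_UDP_PORTS])
    nat.outbound("tcp", "192.168.1.10", 50001, "198.51.100.9", ECHOLINK_TCP_PORT)
    first = nat.inbound("udp", 5198)[0]
    nat.outbound("tcp", "192.168.1.11", 50002, "198.51.100.9", ECHOLINK_TCP_PORT)
    second = nat.inbound("udp", 5198)[0]
    return {"after_first_trigger": first, "after_second_trigger": second}


if __name__ == "__main__":
    print(outbound_scenario())
    print(forward_scenario())
    print(trigger_scenario())
```

Running the three scenarios shows why the original request cannot be met with one public IP: return traffic is demultiplexed by the public port the router chose, a static forward for UDP 5198 has room for exactly one LAN address, and a trigger only moves that single hole from host to host as each one talks outbound.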

