Port forwarding question.



  • I've been using pfsense for a while now but I'm still a little non-technical.  I have a question about port forwarding.

    I'm trying to get a teamspeak server working.  It uses UDP port 8767 or something like that.

    My setup is as follows.  DSL router --- PFSENSE BOX --- Switch/LAN.  Pretty basic setup.  I was unable to get pfsense and my modem working in bridge mode because New Zealand uses PPPoA and I couldn't follow all the workarounds.  Anyways so the modem is handling all that stuff.

    Obviously I need to make a port forward from PFsense to the computer that is running the teamspeak server. (192.168.0.197 in this case).  I'm pretty sure I did this correctly but if anyone wants to post up an example that would be great.

    Anyway it didn't work.  My question is do I also need to port forward from my DSL router to the pfsense box? (or maybe even to the 197 machine but that wouldn't make sense to me).  A friend told me I probably need to,  but all traffic is already going to my box as the DSL router is plugged into a network card in it so why do I have to?

    Anyway I tried both ways and neither way worked.  The firewall built into my DSL router was disabled (but I also tried setting up inbound rules just in case).  When I set up the port forwarding I ticked the box to automatically set up firewall rules too and I checked the rules and they seemed all good.  Although I have a rule set to allow everything from anywhere to go through anyway so I thought I wouldn't need them.

    Can anyone give me some tips?



  • It looks like the pfsense was configured correctly. Try to add "logging" to the teamspeak firewall rule. This way you should see the connection attempts at the pfsense in the system logs. If you don't see them you have some trouble with the device in front of the pfsense (which I guess you have). If the router in front has the possibility to set a DMZ IP try entering the pfSense WAN IP there. This way everything should be forwarded to that IP. If not you have to set up port forwarding at the DSL router, even if the firewall of this device is disabled, to do the NAT.



  • Thanks I will try that.  Actually in reading your post I think I may have figured out the problem.  The ip of the network card the dsl router is plugged into is 192.168.1.3 and the ip of the lan side is 192.168.0.2 (GW).  I think I was port forwarding to the 0.2 instead of  1.3 from my DSL router (*slap).  I drew a diagram of my setup but I lost it so it's easy for me to forget about that! I will redraw it tonight so I don't confuse myself when setting stuff up.  Sorry I am new to all this.

    I think the firewall on my DSL router is disabled but NAT is not.

    I don't think my router can set a DMZ IP,  but I will check again.  Could it possibly be called something different?  Perhaps I can get my router running in half bridge mode,  I know it supports it but I'm just worried it might be too much trouble to make it go.  But would that solve my problem and make it so I only ever have to port forward at my PFsense box instead of both?



  • Ok here is some more details.

    Bridge and half bridge mode are off on the DSL router.
    Firewall is off on the DSL router.
    Nat is on, on the DSL router.
    I found the DMZ setting and enabled it.
    My DSL router's IP is 192.168.1.2 the Nic in my PFbox that the DSL router is connected to is 192.168.1.3.
    Should I be port forwarding to 192.168.1.3 from the DSL modem??  And should I try setting the DMZ to 192.168.1.3  or 192.168.1.2 (I think 1.3) (p.s I have tried these settings.)

    I enabled logging for the firewall rule I setup.  Do I view this under Status: System logs: Firewall???

    If that is where I should be looking I am only seeing DHCP and igmp v3 report stuff (which is from when I turn on a PC)

    Also under NAT in pfsense it has this note:  Note:
    It is not possible to access NATed services using the WAN IP address from within the LAN (or an optional network).

    Does this mean even though I set all the settings correctly I won't be able to join from my LAN connect using the WAN ip? even though I can use the internet etc?  So all my testing will be in vain?  (p.s I have done testing with a friend from his internet connection also).  Will I see the firewall rule working if I try to test it from my own LAN?



  • Jesse,

    If I'm reading correctly:
    PFSense: 192.168.1.3
    DSL Router's Internal IP: 192.168.1.2

    Setting a DMZ IP on your DSL modem is going to cause ANY port coming from the internet to be automatically forwarded to whatever IP you specify in the setting. With this being the case, set that IP to your PFSense box (192.168.1.3). This will cause PFSense to handle ALL your firewall/port forwarding. In PFSense, add a NAT entry in the WAN section from UDP any host, any port to the IP of the teamspeak box (behind the PFSense firewall/router) - UDP, port 8767. You will also need to check the box to add a firewall entry as well to allow the port through PFSense.

    This will cause a Teamspeak request coming from the internet to hit your DSL modem, your DSL modem will automatically forward that port on to the DMZ host which is your PFSense box. Your PFSense box will then forward that port to your internal teamspeak box.

    Hope this helps!
    -Josh



  • Cool thanks josh (yes you are reading correctly) .  I will give it a shot tonight.  I have tried all that before apart from I never set the ports to any.  I specifically set the port to 8767 UDP at all three points.  Maybe that is the problem.  And maybe another problem is I can't test it myself if I am reading the note in PFsense correctly.



  • @josh:

    Jesse,

    If I'm reading correctly:
    PFSense: 192.168.1.3
    DSL Router's Internal IP: 192.168.1.2

    Setting a DMZ IP on your DSL modem is going to cause ANY port coming from the internet to be automatically forwarded to whatever IP you specify in the setting. With this being the case, set that IP to your PFSense box (192.168.1.3). This will cause PFSense to handle ALL your firewall/port forwarding. In PFSense, add a NAT entry in the WAN section from UDP any host, any port to the IP of the teamspeak box (behind the PFSense firewall/router) - UDP, port 8767. You will also need to check the box to add a firewall entry as well to allow the port through PFSense.

    This will cause a Teamspeak request coming from the internet to hit your DSL modem, your DSL modem will automatically forward that port on to the DMZ host which is your PFSense box. Your PFSense box will then forward that port to your internal teamspeak box.

    Hope this helps!
    -Josh

    I set the DMZ option on my router.  Is there some way I can check its working? (route table or something?).

    After getting home I am a little bit confused, as the setup is a little different than you described josh but I think I could follow what you meant.  Under firewall >Nat I can setup inbound, 1:1 and outbound.  Obviously I want an inbound rule.

    I can't set ports to any there is just no option for it.

    Here are my options:
    Interface:  I chose WAN.
    External address:  I don't understand this so I just left it as interface address, initially but after reading the description again and again I think it means if I want to redirect to the LAN select ANY.  So I tried this on ANY.

    Protocol: i chose UDP
    External port range:  I can't choose any here?  Or can I?  I input port 8767  I tried entering nothing but got an error.
    NAT IP: 192.168.0.197 (the ip of the pc hosting teamspeak).
    Local port:  Again can't choose any.  But here I am pretty sure I definitely need to put 8767.

    Then I saved with the tick to enable the firewall rule also.  And then I put a log on the firewall rule.

    Still no go,  can someone confirm I can access my from within my own lan using the NAT rules?  as the note is worrying me that I can't test it myself and I am just wasting my time.

    Also getting no logs under System logs/firewall to do with this rule.



  • You have a tab labeled  "inbound "? What version are you running? This was renamed several versions ago to "port forward", so I assume you are running a quite old version? Check under status>system in the webgui. Also note that you can't test your nat from inside your lan (see this thread http://forum.pfsense.org/index.php?topic=66.0 ).

    At the "port forward" or "inbound" tab the rule you have to create looks like this (just listing settings):

    WAN
    interface address
    udp
    8767
    8767
    192.168.0.197
    8767
    description
    [x]

    Ask someone to test your teamspeak from the outside. Other option would be to test with a client in front of your pfSense from inside your gateway router's LAN. If it works from this client in front of your pfSense's WAN and not from somebody coming from the internet, your pfSense config is fine and you have to check your gateway router again.

    If it doesn't even work from a client at pfSense's WAN something with your configuration is wrong.

    If it works even from the internet be happy ;-)



  • @hoba:

    You have a tab labeled  "inbound "? What version are you running? This was renamed several versions ago to "port forward", so I assume you are running a quite old version? Check under status>system in the webgui. Also note that you can't test your nat from inside your lan (see this thread http://forum.pfsense.org/index.php?topic=66.0 ).

    At the "port forward" or "inbound" tab the rule you have to create looks like this (just listing settings):

    WAN
    interface address
    udp
    8767
    8767
    192.168.0.197
    8767
    description
    [x]

    Ask someone to test your teamspeak from the outside. Other option would be to test with a client in front of your pfSense from inside your gateway router's LAN. If it works from this client in front of your pfSense's WAN and not from somebody coming from the internet, your pfSense config is fine and you have to check your gateway router again.

    If it doesn't even work from a client at pfSense's WAN something with your configuration is wrong.

    If it works even from the internet be happy ;-)

    I am running .90  which is the latest version?  I didn't install .92 because I can't find anywhere that says it is official after it got taken down because of the DHCP problems or whatever?

    So yeh you are right it says port forward :).

    Thanks hoba I guess I know how to check it now anyways.  My port forwarding rules are now working for other programs anyway like Edonkey.  After setting up two port forward rules it went from unreachable to reachable,  so it is working.  Thanks for showing me the DMZ setting so I don't have to set up two lots of rules! :).



  • nice you got it working  :D



  • I'm still confused about Firewall > NAT > Port Forwarding and Firewall > Rules > WAN.
    I want to make incoming connection from my WAN to LAN.

    For example, I want to give access to FTP service.
    I have setting like this in Firewall > Rules > WAN:
    Proto: TCP/UDP
    Source: *
    Port: *
    Destination: WAN address
    Gateway: *
    Description: WAN to LAN (FTP)

    In my Firewall > NAT > Port Forwarding:
    If: WAN
    Proto: TCP/UDP
    Ext. Port Range: 21 (FTP)
    NAT IP: 172.16.4.4
    Int. Port Range: 21 (FTP)
    Description: WAN to LAN (FTP)

    Why is it not working at all?



  • @agismaniax:

    I'm still confused about Firewall > NAT > Port Forwarding and Firewall > Rules > WAN.
    I want to make incoming connection from my WAN to LAN.

    For example, I want to give access to FTP service.
    I have setting like this in Firewall > Rules > WAN:
    Proto: TCP/UDP
    Source: *
    Port: *
    Destination: WAN address
    Gateway: *
    Description: WAN to LAN (FTP)

    In my Firewall > NAT > Port Forwarding:
    If: WAN
    Proto: TCP/UDP
    Ext. Port Range: 21 (FTP)
    NAT IP: 172.16.4.4
    Int. Port Range: 21 (FTP)
    Description: WAN to LAN (FTP)

    Why is it not working at all?

    the correct rules is for ftp anyways:
    in nat/port forward:
    (when making a rule in nat/port forward make sure this is enabled: Auto-add a firewall rule to permit traffic through this NAT rule, then you don't have to make a rule in the rules option for it is created by itself)

    if=WAN
    proto=TCP
    Ext. port range=21 (FTP) 
    NAT IP=192.168.0.210
    Int. port range=21 (FTP)
    Desc=ftp server

    in rules/wan

    proto=TCP
    source=*
    port=*
    destination=192.168.0.210
    port=21 (FTP)
    gateway=*
    desc=NAT ftp server

    and everyone that is connecting must write my ipaddress/dyndns:21 <<--- must write the port too,

    this is working for me anyway.



  • @agismaniax:

    I'm still confused about Firewall > NAT > Port Forwarding and Firewall > Rules > WAN.
    I want to make incoming connection from my WAN to LAN.

    For example, I want to give access to FTP service.
    I have setting like this in Firewall > Rules > WAN:
    Proto: TCP/UDP
    Source: *
    Port: *
    Destination: WAN address
    Gateway: *
    Description: WAN to LAN (FTP)

    In my Firewall > NAT > Port Forwarding:
    If: WAN
    Proto: TCP/UDP
    Ext. Port Range: 21 (FTP)
    NAT IP: 172.16.4.4
    Int. Port Range: 21 (FTP)
    Description: WAN to LAN (FTP)

    Why is it not working at all?

    Don't create your firewall rule manually.  When you create your port forward tick the box at the bottom like the poster below said and it will make the rule for you automatically.

    I'm no expert but to me it looks like you made the firewall rule incorrectly.  Instead of Destination:  Wan address.  It should be the LAN address.

    Use the auto make firewall rule to see where you went wrong.

    If your problem is still not fixed there is something called FTP helper. I'm not familiar with this setting but do a search, maybe it can help you too.
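
An added example, not code from any poster or from pfSense: a simplified Python model of the double-NAT path discussed in this thread (DSL router, then pfSense, then the LAN host). It shows why forwarding to 192.168.0.2 fails, why the DMZ setting works, and why a WAN rule whose destination is the WAN address does not match. The rule dictionaries and the `dnat`, `trace` and `fwd` helpers are hypothetical, and the model assumes filter rules are evaluated after the port-forward translation.

```python
import ipaddress

# Addresses come from the thread; the rule dictionaries are a constructed model.
PFSENSE_WAN = "192.168.1.3"
DSL_LAN = ipaddress.ip_network("192.168.1.0/24")

def dnat(rules, proto, port, dmz=None):
    """First matching forward wins; otherwise fall back to the DMZ host, if any."""
    for r in rules:
        if r["proto"] == proto and r["ext_port"] == port:
            return r["to_ip"], r["to_port"]
    return (dmz, port) if dmz else None

def trace(proto, port, dsl_rules, dsl_dmz, pf_forwards, pf_wan_rules):
    """Walk one inbound packet through both NAT hops and report where it ends."""
    hop1 = dnat(dsl_rules, proto, port, dsl_dmz)
    if hop1 is None:
        return "dropped at DSL router: no forward or DMZ host"
    if ipaddress.ip_address(hop1[0]) not in DSL_LAN:
        return f"lost at DSL router: {hop1[0]} is not on its LAN"
    if hop1[0] != PFSENSE_WAN:
        return f"sent to {hop1[0]}, which is not the pfSense WAN"
    hop2 = dnat(pf_forwards, proto, hop1[1])
    if hop2 is None:
        return "dropped at pfSense: no port forward"
    # Assumption: filtering happens after translation, so the rule must name the internal IP.
    for rule in pf_wan_rules:
        if (rule["proto"] == proto and rule["dst"] in ("*", hop2[0])
                and rule["dst_port"] in ("*", hop2[1])):
            return f"delivered to {hop2[0]}:{hop2[1]}"
    return "dropped at pfSense: WAN rule does not match translated destination"

def fwd(proto, port, ip):
    return {"proto": proto, "ext_port": port, "to_ip": ip, "to_port": port}

TS = [fwd("udp", 8767, "192.168.0.197")]
TS_RULE = [{"proto": "udp", "dst": "192.168.0.197", "dst_port": 8767}]

def scenarios():
    return {
        "forward to pfSense LAN IP": trace("udp", 8767, [fwd("udp", 8767, "192.168.0.2")], None, TS, TS_RULE),
        "DMZ to pfSense WAN IP": trace("udp", 8767, [], PFSENSE_WAN, TS, TS_RULE),
        "WAN rule aimed at WAN address": trace("udp", 8767, [], PFSENSE_WAN, TS,
            [{"proto": "udp", "dst": PFSENSE_WAN, "dst_port": "*"}]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```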



  • This is an oldish thread.  When I made it the colour coded posts were not enabled.  I initially clicked thanks solved when coming back to this thread today.  But then it locked the thread?  So no further discussion could be had so I changed it back to "didn't help" even though it did so the thread can keep going.



  • @duck7207:

    the correct rules is for ftp anyways:
    in nat/port forward:
    (when making a rule in nat/port forward make sure this is enabled: Auto-add a firewall rule to permit traffic through this NAT rule, then you don't have to make a rule in the rules option for it is created by itself)

    if=WAN
    proto=TCP
    Ext. port range=21 (FTP) 
    NAT IP=192.168.0.210
    Int. port range=21 (FTP)
    Desc=ftp server

    in rules/wan

    proto=TCP
    source=*
    port=*
    destination=192.168.0.210
    port=21 (FTP)
    gateway=*
    desc=NAT ftp server

    and everyone that is connecting must write my ipaddress/dyndns:21 <<--- must write the port too,

    this is working for me anyway.

    I followed your guide but it still won't work.
    Btw. my pfsense machine has 4 WAN(s) and 1 LAN.
    My first WAN is 203.77.230.xx, my second WAN is 202.169.57.xx, my third WAN is 202.159.10.xx, my fourth WAN is available and my LAN is 172.16.4.x
    How to make a working port forwarding to internal network with multiple WANs?



  • I'm having the same problem, or similar…
    I suppose that all is well configured, NAT and Rules, but traffic on port 21 does not pass.

    Connected with ftp.****.net. Waiting for welcome message...

    And it stops there.
    All other services are running perfectly, only FTP fails.

    Log shows
    pftpx[527]: #9 server timeout

    The server works fine inside lan



  • Try a recent snapshot, FTP should work out of the box now. seems to fix all the problems people were having.
    http://snapshots.pfsense.com/FreeBSD6/RELENG_1/

